Privacy Policy
I. INTRODUCTION
- This Privacy Policy informs about the methods of processing and protecting personal data within the Service registered at the electronic address www.epicentrumgallery.com.
- The administrator of personal data is Art Collector with its registered office in Opole, address: ul. Wielkanocna 2, 45-844 Opole, entered in Central Registration And Information On Business, NIP 7543371520, REGON 529400632 (hereinafter: the Administrator).
- Users may direct any questions or concerns, particularly those related to the processing of personal data:
a) via postal mail – to the Administrator’s registered address;
b) via email to the address: contact@epicentrumgallery.com;
c) through the website www.epicentrumgallery.com.
- The Administrator ensures that the entrusted personal data is processed in compliance with the requirements of applicable law, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ EU L 2016.119.1) – hereinafter referred to as GDPR.
- The primary goal of the Administrator is to ensure the privacy protection of Users using the Service at a level at least corresponding to the requirements imposed by applicable legal provisions, particularly GDPR regulations.
- Any person using the Service in any way accepts all the principles contained in this Privacy Policy.
- The Administrator reserves the right to make changes to the Privacy Policy if required by law or changes introduced to the functionality of the Service.
- The Administrator will notify all Users of the relevant changes and their effective date, particularly by publishing an appropriate notice within the Service.
II. KEY TERMS
• User – any natural person whose personal data is processed by the Administrator.
• Personal Data – any information about an identified or identifiable natural person through one or more specific factors determining physical, physiological, genetic, mental, economic, cultural, or social identity, as well as the device’s IP address, location data, online identifier, and information collected via cookies or similar technologies.
• GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
• Service – an organized IT solution located at the internet address www.epicentrumgallery.com and potentially other internet addresses, as well as within applications and other IT tools, comprising a set of cooperating computer programs, databases, and accompanying elements (e.g., graphic elements), combined into a single IT system.
• Processing of Personal Data – any operation performed on personal data, such as collecting, recording, storing, processing, altering, sharing, and deleting, especially those carried out in IT systems.
• Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored, or otherwise processed.
III. PURPOSES, LEGAL BASIS, SCOPE OF DATA PROCESSING, AND INFORMATION ABOUT FORMS
- The Administrator processes personal data only when at least one of the following conditions is met:
a) when the User of the Service gives consent via forms available on the Service to take actions related to the purposes of those forms (Article 6(1)(a) GDPR);
b) when the processing is necessary for the performance of a contract to which the User of the Service is a party (Article 6(1)(b) GDPR);
c) for handling complaints – the legal basis for processing is the necessity to perform the contract (Article 6(1)(b) GDPR);
d) to fulfill a legal obligation imposed on the Administrator (Article 6(1)(c) GDPR);
e) for the possible establishment, exercise, or defense of legal claims – the legal basis for processing is the legitimate interest of the Administrator in protecting its rights (Article 6(1)(f) GDPR);
f) for the Administrator’s marketing purposes, including informing the User about the current offer and new functionalities of the Service – the legal basis for processing is consent (Article 6(1)(a) GDPR).
- The Administrator processes the personal data of Service Users to the extent necessary for the purposes specified in point 1 above for the period necessary to achieve those purposes or until the User of the Service withdraws their consent. Failure to provide data by the User may, in some cases, result in the inability to achieve the purposes for which the provision of data is necessary.
- Data provided in the forms available on the Service are processed for purposes arising from the specific function of the form. Additionally, they may be used by the Administrator for archival and statistical purposes. Consent of the data subject is given by checking the appropriate box in the form.
IV. DATA SECURITY
- The Administrator continuously conducts risk analysis to identify threats to the secure processing of data and implements appropriate technical and organizational measures to ensure the protection of processed personal data.
- The Administrator ensures that access to personal data is granted only to authorized individuals and solely to the extent necessary for the performance of their assigned tasks.
- The Administrator maintains a record of individuals authorized to process personal data. These individuals are obligated to maintain strict confidentiality regarding personal data and the methods used to secure it.
V. RECIPIENTS OF DATA
- Recipients of Users’ personal data may include entities to whom the Administrator outsources tasks requiring the processing of such data, particularly in the areas of email services, IT services, hosting, administrative support, legal services, or advisory services.
- A third party with access to personal data processes it solely based on a data processing agreement and only upon the Administrator’s instructions.
- Recipients of Users’ personal data may also include entities and authorities authorized to receive such data – but only in justified cases and in accordance with applicable legal provisions.
VI. RECEIVING COMMERCIAL INFORMATION
- A User of the Service, where provided by the Service, may consent to receiving commercial information via electronic means of communication.
- If the User of the Service has consented to receiving commercial information via electronic means of communication, they have the right to withdraw such consent at any time.
- The right to withdraw consent to receive commercial information can be exercised by sending an appropriate request to the Administrator’s email address, including the User’s name and surname.
VII. USERS’ RIGHTS
- Every individual whose data is processed has the following rights:
a) Right of access to data and information about data processing (Article 15 GDPR) – Upon request, the Administrator provides access to the User’s data and information regarding the processing of personal data, purposes, legal bases, scope of data, entities to whom the data is disclosed, and the planned date of its deletion.
b) Right to obtain a copy of the data (Article 15(3) GDPR) – The Administrator provides a copy of the processed data concerning the requester, provided this is possible and does not violate the rights of third parties.
c) Right to rectification (Article 16 GDPR) – The User has the right to request the correction of inaccuracies or errors in their personal data, as well as to supplement or update them if they are incomplete or have changed.
d) Right to erasure of data (Article 17 GDPR) – The User may request the deletion of data that is no longer necessary for any purpose for which it was collected.
e) Right to restriction of processing (Article 18 GDPR) – Under this right, the Administrator may cease operations on personal data, except for operations consented to by the data subject, as well as store the data according to established retention rules until the reasons for restriction cease to exist (e.g., a decision by a supervisory authority allowing further processing).
f) Right to data portability (Article 20 GDPR) – To the extent that data is processed under a contract or consent, the Administrator may provide the data supplied by the data subject.
g) Right to object to other purposes of data processing (Article 21 GDPR) – The data subject may object at any time to the processing of personal data. Such an objection should include justification and is subject to evaluation by the Administrator.
h) Right to object to data processing for marketing purposes (Article 21(2) GDPR) – The data subject may object at any time to the processing of personal data for marketing purposes without the need for justification.
i) Right to withdraw consent (Article 7(3) GDPR) – If data is processed based on consent, the data subject has the right to withdraw it at any time. Withdrawal does not affect the legality of processing performed before the withdrawal.
j) Right to lodge a complaint (Article 77 GDPR) – If the data subject believes that the processing of personal data violates GDPR or other data protection regulations, they may file a complaint with the supervisory authority – the President of the Personal Data Protection Office (https://uodo.gov.pl/pl/p/kontakt).
- A request regarding the exercise of data subject rights can be submitted:
a) In writing to the Administrator’s registered address;
b) By email to: contact@epicentrumgallery.com.
- A response to the request will be provided within one month of its receipt. If an extension of this period is necessary, the Administrator will inform the requester about the reasons for the extension.
- The response will be sent to the email address from which the request was submitted. For requests submitted by post, the reply will be sent via registered mail to the address provided by the requester unless the content of the letter indicates a preference to receive the response via email (in such cases, an email address must be provided).
VIII. COOKIES AND SIMILAR TECHNOLOGY
- The Service uses cookies.
- Cookies (“small text files”) are IT data, particularly text files, stored on the User’s end device and intended for use with the Service’s web pages. Cookies typically contain the name of the website they originate from, their storage duration on the end device, and a unique number.
- The entity placing cookies on the User’s end device and accessing them is the Administrator.
- Cookies are used, among others, for the following purposes:
a) to create statistics that help understand how Users utilize the Service’s web pages;
b) to maintain the User’s session (after logging in), so the User does not have to re-enter login credentials on every subpage;
c) to define the User’s profile to display tailored materials in advertising networks, particularly the Google network.
- The Service uses two primary types of cookies: session cookies and persistent cookies. Session cookies are temporary files stored on the User’s end device until they log out, leave the website, or close the browser. Persistent cookies are stored on the User’s end device for a time defined in the cookie parameters or until deleted by the User.
- Web browsing software (internet browsers) typically allows cookies to be stored on the User’s end device by default. Users can modify these settings. Internet browsers also allow cookies to be deleted and offer the option to block cookies automatically. Detailed information can be found in the browser’s help section or documentation.
- The Administrator uses third-party services, which may use cookies for the following purposes (the list is subject to change):
• monitoring traffic on the Administrator’s websites;
• collecting anonymous, aggregated statistics to understand how Users interact with the Administrator’s website;
• controlling how often selected content is shown to Users;
• tracking how frequently Users select specific services;
• analyzing newsletter subscriptions;
• using communication tools;
• integrating with social media platforms.
- Users can manage cookies used by the Administrator or any external providers by modifying their browser settings. Further details can be found in the COOKIE POLICY document available on the Service’s website.
- Restrictions on the use of cookies may impact some functionalities available on the Service’s web pages.
- The Administrator may use Google Analytics to gather statistics. In this case, the data of the User visiting the Service is received by Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Users can block Google Analytics access to their data by installing the plugin available at: https://tools.google.com/dlpage/gaoptout/.
- The Administrator encourages Users to review detailed explanations regarding data processing under Google Analytics, provided by Google at: https://policies.google.com/privacy?hl=en.
- The Administrator may also use marketing tools available on the Facebook social network operated by Meta Platforms. Through these tools, advertisements may be displayed on Facebook. These actions are performed based on the Administrator’s legitimate interest in marketing its products or services (Article 6(1)(f) GDPR).
- To display personalized advertisements based on User behavior, Meta Pixel may be implemented on the Service’s website. This tool automatically collects information about User activity on the Service. The information collected may be transferred to Facebook servers in the United States and stored there.
- The information gathered via Meta Pixel is anonymous and does not allow the User to be identified. The Administrator is only informed about actions taken by the User on the website. However, Meta Platforms may combine this information with other data collected about the User through Facebook and use it for its own purposes, including marketing. Such activities by Facebook are beyond the Administrator’s control and are described in Facebook’s privacy policy: https://www.facebook.com/privacy/explanation. Users can manage their privacy settings directly from their Facebook accounts. Meta Platforms is headquartered in the United States and utilizes technical infrastructure located, among other places, in the United States.
IX. SOCIAL MEDIA
- The Administrator processes the personal data of Users who visit the Administrator’s profiles on social media platforms (e.g., Facebook, Instagram, YouTube).
- These data are processed to inform Users about the Administrator’s activities, offer services, and communicate with Users using tools available on social media platforms. The legal basis for processing personal data for this purpose is the Administrator’s legitimate interest (Article 6(1)(f) GDPR) in promoting its brand and services and building and maintaining a community around the brand. Further details on this topic can be found in the FACEBOOK FANPAGE INFORMATION CLAUSE.
- The Service contains links to the Administrator’s profiles on social media platforms, each of which has its own privacy policies. These can be reviewed by visiting the relevant page through a link marked with the appropriate icon.
- For any external websites linked in the Service that are not owned or controlled by the Administrator, the Administrator is not responsible for their content or the data confidentiality policies applicable to Users. When displaying a webpage containing such a link, the User’s browser establishes a direct connection with the servers of the respective social media providers. The content of the plugin is transmitted by the provider directly to the User’s browser and integrated with the page. Through this integration, the providers receive information that the User’s browser has displayed the Administrator’s page, even if the User does not have a profile with that provider or is not logged in. This information (including the IP address) is sent directly from the User’s browser to the provider’s server (some servers are located in the USA) and stored there. If the User is logged into one of the social media platforms, the provider can directly assign the visit to the Administrator’s page to the User’s profile on that platform. If the User uses a plugin, such as by clicking the “Like” or “Share” button, the corresponding information is also transmitted directly to the provider’s server and stored there. Furthermore, this information will be published on the User’s social media profile and shown to their contacts.
- The purpose, scope of data collection, further processing, and use of data by providers, as well as User rights and settings options to protect privacy, are described in the privacy policies of the respective providers. The Administrator encourages Users to review these policies.
- If the User does not want social media platforms to assign data collected during visits to the Administrator’s website directly to their social media profile, they should log out of the platform before visiting the site.
- Users can also prevent the plugins from loading altogether by using appropriate browser extensions, such as script blockers.
X. SERVER LOGS
- Using the Service’s website involves sending requests to the server on which it is hosted. Each request made to the server is recorded in the server logs.
- The logs include, among other things, the User’s IP address, the server date and time, and information about the browser and operating system used. The logs are stored and recorded on the server.
- The data stored in server logs are not associated with specific individuals using the website and are not used by the Administrator to identify the User.
- Server logs are solely auxiliary materials used to manage the Service’s website, and their content is not disclosed to anyone except those authorized to administer the server.
XI. TRANSFER OF DATA OUTSIDE THE EEA
- The Administrator may transfer Users’ personal data to third countries, i.e., countries outside the European Economic Area (EEA). Personal data may only be transferred to third countries or entities for which the European Commission has determined an adequate level of data protection.
- The list of countries for which the European Commission has issued a decision confirming that a third country provides an adequate level of protection can be found at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#relatedlinks.
- In the absence of a European Commission decision determining an adequate level of protection under Article 45(3) of the GDPR, Users’ personal data may be transferred to a third country only based on: binding corporate rules, standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by the Polish supervisory authority and approved by the Commission, an approved code of conduct, or an approved certification mechanism (Article 46 GDPR).
- If no European Commission decision exists under Article 45(3) of the GDPR or no appropriate safeguards as specified in Article 46 GDPR are in place, including binding corporate rules, the Administrator will request explicit consent from the User for such transfer to a third country or international organization, informing the User in advance of the risks associated with such transfer, as provided under Article 49(1)(a) GDPR.
- In connection with the transfer of data outside the EEA, Users may request information from the Administrator regarding the applicable safeguards, obtain a copy of these safeguards, or receive information on where they are made available.
XII. INFORMATION ABOUT AUTOMATED DECISION-MAKING
- Within the Service, the Administrator may automatically tailor certain content to the User’s needs, i.e., perform profiling using the User’s personal data. Profiling primarily involves the automated assessment of which products the User may be interested in based on their previous online activities, including actions taken on the Administrator’s websites, and displaying advertisements for products tailored in this way.
- Profiling conducted by the Administrator does not result in decisions that produce negative legal effects for the User or otherwise significantly impact them.
The current version of the Privacy Policy is effective as of 01.03.2025.