• 4.1 ºC  / 39.5 ºF   
  • City Gdańsk
  • PL / EN / DE / SE / RU / NO

Security Policy

A
A

Personal data processing at the Gdansk Tourism Organization Association is an important process related to the functioning of the Association, affecting the services offered and the Association’s organization.

This privacy policy related to personal data, together with the established security standards, fulfils the obligation arising from the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), imposed on the Data Controller.

Our chief aim is to preserve the confidentiality, integrity and availability of personal data, to process them in accordance with applicable principles and law, and in particular to ensure the highest security standards related to the processes implemented and IT systems used for personal data processing and in such a way as to prevent the violation of fundamental rights and freedoms of data subjects.

  1. The Personal Data Controller is the Gdansk Tourism Organization Association based in Gdansk (80-830) at ul. Uczniowska 22, entered into the register of associations, other social and professional organisations, foundations and independent public healthcare institutions of the National Court Register held by the District Court Gdansk-North in Gdansk under KRS no. 0000139108, holder of NIP Tax Identification No. 5832887298, telephone no.: 58 305 70 80, email address: got@visitgdansk.com
  2. Contact information of the Gdansk Tourism Organisation Data Protection Officer: iod@jestemzgdanska.pl
  3. The Gdansk Tourism Organisation collects personal data for the following purposes:
    1. provision of services related to the ‘Gdansk Resident Card’ by the Gdansk Tourism Organization and the system’s partners (Article 6(1)(a) – consent of the data subject, and Article 6(1)(b) – contract, of the General Data Protection Regulation of 27 April 2016);
    2. provision of services related to the ‘Gdansk Tourist Card’ by the Gdansk Tourism Organization and the system’s partners (Article 6(1)(a) – consent of the data subject, and Article 6(1)(b) – contract, of the General Data Protection Regulation of 27 April 2016);
    3. newsletter sent by the Gdansk Tourism Organisation using electronic forms of communication, pursuant to the Act of 18 July 2002 on providing services by electronic means (Journal of Laws of 2013, item 1422 as amended) (Article 6(1)(a) of the General Data Protection Regulation of 27 April 2016 – consent);
    4. recruiting employees, volunteers and beneficiaries by the Gdansk Tourism Organization (Article 6(1)(a) of the General Data Protection Regulation of 27 April 2016 – consent of the data subject and Article 6(c) – legal obligation to which the Data Controller is subject);
    5. processing related to maintaining employee, donor, association member, volunteer and beneficiary documentation (Article 6(1)(a) – contract, Article 6(1)(b) – contract, Article 6(1)(c) – legal obligation to which the Data Controller is subject, Article 6(1)(f) – legitimate interest of the Data Controller and Article 9(2)(b) – rights and responsibilities of the Data Controller, of the General Data Protection Regulation of 27 April 2016);
    6. settlements with the Grant-giving organisation as part of projects conducted (Article 6(1)(f) – legitimate interests of the Data Controller, of the General Data Protection Regulation of 27 April 2016);
    7. settlements, accounting and reporting (Article 6 (1)(c) – legal obligations of the Data Controller, of the General Data Protection Regulation of 27 April 2016);
    8. compiling statistics (Article 6(1)(f) – legitimate interests of the Data Controller, of the General Data Protection Regulation of 27 April 2016);
    9. monitoring (Article 6(1)(f) – legitimate interests of the Data Controller, of the General Data Protection Regulation of 27 April 2016);
    10. processing cookie files (Article 6(1)(f) – legitimate interests of the Data Controller, of the General Data Protection Regulation of 27 April 2016).
  4. Your data shall be made available to:
    1. entities working in partnership with the Data Controller for the purpose of performing the contract, including entities offering professional legal and HR/payroll services;
    2. third-party IT support providers;
    3. postal service providers or delivery companies for the purpose of performing the contract;
    4. entities entitled to receive your data under applicable law.
  5. Rights you are entitled to in relation to the processing of your personal data:
    1. to access your personal data, including to obtain confirmation regarding their processing, receive a copy of your data and access information about their processing (Article 15 of the GDPR);
    2. to correct inaccurate or incomplete data (Article 16 of the GDPR);
    3. to erase your data, provided that the Data Controller does not have a legal basis for their processing or the data is no longer necessary for processing purposes (Article 17 of the GDPR);
    4. to restrict the processing of your data (Article 18 of the GDPR);
    5. to move your data, which includes receiving them in a structured, machine-readable format, or to demand that they be transmitted to another Data Controller (Article 20 of the GDPR);
    6. to object to the processing of your data for purposes arising from legitimate interests of the Data Controller, in particular for direct marketing purposes, including profiling to the extent that it is related to such marketing (Article 21 of the GDPR);
    7. to withdraw your consent to the processing of your personal data in situations where this consent is the legal basis for data processing, which shall not impact the lawfulness of the processing based on your consent before its withdrawal (Article 7(3) of the GDPR);
    8. submit a complaint to the supervisory authority –President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.
  1.   Providing your personal data is voluntary, but necessary for the purpose of concluding contracts, settlements and fulfilling legal obligations.
  1. Your personal data shall not be processed in an automated fashion and shall not be profiled, with the exception of data processed in the Gdansk Resident Card, where personal data shall be processed in an automated fashion, including in the form of automated profiling. This automated decision-making serves the purpose of adapting the functions of the system to the user, as well as generating a representative group for public consultation purposes in matters important from the perspective of the City of Gdansk. The reasoning shall take into consideration the user’s profile and the manner in which they use the features of the Gdansk Resident Card, including the type of packages in their possession.
  2. The Controller does not intend to transfer the personal data to a third country or an international organisation.
  3. Depending on the purpose, your data shall be processed until:
    1. Article 6(1)(a) of the GDPR – consent of the data subject – until the consent is withdrawn or the related project is completed;
    2. Article 6(1)(b) – performance of a contract – until the expiry of the period of prescription for any claims arising from the contract under applicable law;
    3. Article 6(1)(c) – legal obligation to which the controller is subject – pursuant to applicable law;
    4. Article 6(1)(f) – legitimate interests of the controller – until an objection is raised against the processing of the data.

The Service may contain links to other websites. Such websites operate independently of the Service and are not in any way supervised by the Gdansk Tourism Organization. Such websites may have their own privacy policies or terms and conditions with which we recommend that you familiarise yourself.