Privacy Policy
.avif)
1. Definitions
1.1 Controller
Fundacja Auschwitz-Birkenau with its registered office in Warsaw (00-533), at ul. Mokotowska 65/3, entered in the Register of Associations, Other Social and Professional Organisations, Foundations, and Independent Public Healthcare Facilities of the National Court Register under KRS No. 0000328383, Tax ID (NIP): 5252456943, REGON: 141817074.
1.2 Data Subject
A natural person to whom the personal data processed by the Controller relates.
1.3 GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.4 Personal Data
Information about a natural person who is identified or identifiable by one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity, including the device’s IP address, location data, internet identifier, and information collected through cookies and other similar technologies.
1.5 Policy
This Privacy Policy.
1.6 User
Any natural person visiting the Website or using one or more services or functionalities described in the Policy.
1.7 Website
The website operated by the Controller at www.foundation.auschwitz.org
2. Data processing by the Controller
2.1
In connection with its activities related to the preservation of the memorial site – the grounds and remnants of the former Auschwitz and Auschwitz II-Birkenau concentration camps under the care of the Państwowe Muzeum Auschwitz-Birkenau in Oświęcim, and supporting the mission of that museum – the Controller collects and processes Personal Data in accordance with applicable laws, including in particular the GDPR, and the data processing principles set forth therein.
2.2
The Controller ensures transparency in the processing of Personal Data, in particular by always informing individuals about the processing of data at the time of collection, including the purpose and legal basis for processing (for example, when providing an electronic contact form). The Controller ensures that data is collected only to the extent necessary to achieve the specified purpose and processed only for as long as necessary.
2.3
When processing Personal Data, the Controller ensures its security and confidentiality, as well as access to information about the processing for the individuals to whom the personal data relates. If, despite the security measures in place, a breach of the protection of Personal Data occurs (for example, a data leak or loss), the Controller will notify the Data Subjects of such an incident in accordance with the regulations.
2.4
In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide the individual services offered, as well as information about the User’s activity on the Website. The detailed rules and purposes of processing Personal Data collected during the User’s use of the Website are described below.
3. Purposes and legal bases for the processing of data by the Controller
Use of the Website
3.1
The Personal Data of all persons using the Website (including internet identifiers and information collected via cookies or other similar technologies) is processed by the Controller for the purpose of:
3.1.1
Providing electronic services in the scope of making the content collected on the Website available to Users – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR);
3.1.2
Analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in analysing the activity of Users to improve the functionality and content of the Website;
3.1.3
Establishing or pursuing claims or defending against such claims by the Controller – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the defence of its rights.
3.2
User activity on the Website, including their Personal Data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and actions related to the IT system used by the Controller to provide services). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes it for technical and administrative purposes, to ensure the security of the IT system and to manage that system, as well as for analytical and statistical purposes – in this regard, the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in providing and improving the functionalities offered to Users.
Contact form
3.3
The Controller provides the functionality of contacting it via an electronic contact form. Using the form requires providing the Personal Data necessary to contact the User and respond to the enquiry. Providing data marked as mandatory is required to receive and handle the enquiry, and failure to provide such data results in the inability to handle the enquiry. Providing other data is voluntary.
3.4
Personal Data is processed:
3.4.1
to identify the sender and handle their enquiry submitted via the contact form – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR); for data provided voluntarily, the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
3.4.2
for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in maintaining statistics and analysing enquiries submitted by Users via the Website for the purpose of improving the Website’s functionalities;
3.4.3
to establish or pursue claims or defend against such claims by the Controller – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in the defence of its rights.
4. Cookies and similar technologies
4.1
Cookies are small text files installed on the User’s device. Cookies collect information that facilitates the use of a website – for example, by remembering information about the User, such as language preferences. The controller of data processed in connection with the use of cookies is Fundacja Auschwitz-Birkenau, with its registered office in Warsaw (00-533), at ul. Mokotowska 65/3. On the Website, the Controller uses its own cookies, which are installed directly by the Website. Third-party cookies are also used – these are cookies from a domain other than the domain of the visited website – primarily for the Controller’s analytical purposes.
4.2
The Website uses cookies primarily to ensure the proper functioning of the website and to remember the User’s choices on the site – and, if the User provides the appropriate consent, also to analyse and track traffic on the Website.
4.3
Detailed information regarding the cookies that the Controller uses on the Website is set out below. The Controller regularly uses tools to scan the Website to determine which cookies are stored on the User’s device, so that the list of cookies used is as accurate as possible. The Controller uses the following categories of cookies: essential, functional, and analytical.
Essential cookies
4.4
4.5
The legal basis for processing data in connection with the use of essential cookies is that the processing is necessary for the performance of a contract (Article 6(1)(b) of the GDPR).
Essential cookies are necessary for the proper functioning of the Website. These cookies are installed, in particular, to remember login sessions or filling in forms, as well as for purposes related to setting privacy options.
4.6
For more information on specific cookies, such as their names, what they do, how long they last, and where they come from, please click the “Manage cookies” button located in section 6.3 of the Policy, or the button with the same name available at the bottom of every page on the Website. When the cookie banner appears, select the “Manage cookies” button, then expand the list “Essential cookies”, and click the “Show cookies” button located below.
Functional and analytical cookies
4.7
Functional cookies are used to remember and adapt the Website to the User’s choices, including language preferences. Functional cookies may be installed by the Controller and its partners through the Website.
4.8
Analytical cookies enable the collection of information such as the number of visits and traffic sources on the Website. They are used to determine which pages are more or less popular and to understand how Users navigate the site by tracking statistics on Website traffic. Data processing is carried out to improve the Website’s performance. The information collected by these cookies is aggregated and is therefore not intended to identify the User. Analytical cookies may be installed by the Controller and its partners through the Website.
4.9
The legal basis for data processing in connection with the use of functional and analytical cookies is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in ensuring the highest quality of services provided on the Website, in connection with the User’s consent to their storage (separate consent for analytical cookies, separate consent for functional cookies).
4.10
Data processing in connection with the use of functional and analytical cookies is subject to the User’s consent to the use (separately) of functional and analytical cookies through the cookie consent management platform. This consent may be withdrawn at any time through this platform.
4.11
For more information on specific cookies, such as their names, what they do, how long they last, and where they come from, please click the "Manage cookies" button located in section 6.3 of the Policy, or the button with the same name available at the bottom of every page on the Website. When the cookie banner appears, select the “Manage cookies” button, then expand the list “Analytical Cookies” or the list “Functional Cookies”, and click the “Show cookies” button located below each of the lists.
5. Analytical tools used by the Controller and the Controller’s partners
5.1
The Controller and its partners use various solutions and tools for analytical purposes. Below is basic information about these tools. Detailed information on these tools can be found in the privacy policy of the respective partner.
Google Analytics
5.2
Google Analytics cookies are files used by Google to analyse how the User uses the Website, to create statistics and reports regarding the Website’s performance. Google does not use the collected data to identify the User, nor does it combine this information to enable identification. Detailed information about the scope and principles of data collection in connection with this service can be found at the following link: https://policies.google.com/technologies/partner-sites.
6. Managing cookie settings
6.1
The use of cookies to collect data, including access to data stored on the User’s device, requires the User’s consent. On the Website, the Controller obtains consent from the User via a cookie consent management platform. This consent may be withdrawn at any time in accordance with the rules described in section 6.4 below.
6.2
Consent is not required for cookies whose use is necessary to provide a telecommunications service (data transmission for the purpose of displaying content). The User cannot opt out of these cookies if they wish to use the Website.
6.3
Withdrawal of consent to the collection of cookies on the Website is possible via the cookie consent management platform. The User may return to the cookie banner by clicking the “Manage cookies” button or a button with the same name available at the bottom of every subpage of the Website.
6.4
After the banner appears, the User may withdraw consent by clicking the “MANAGE COOKIES” button, moving the slider next to the selected cookie category and clicking the “SAVE SETTINGS” button.
6.5
The User may also withdraw consent by changing their browser settings. Detailed information on this topic can be found at the following links:
6.5.1
Microsoft Edge: https://support.microsoft.com/en-us/windows/manage-cookies-in-microsoft-edge-view-allow-block-delete-and-use-168dab11-0753-043d-7c16-ede5947fc64d;
6.5.2
Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer;
6.5.3
Google Chrome: https://support.google.com/chrome/answer/95647?hl=en;
6.5.4
Opera: https://help.opera.com/en/latest/web-preferences/#cookies;
6.5.5
Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac.
6.6
The User can verify their current privacy settings for their browser at any time using the tools available at the following links:
6.6.1
https://www.youronlinechoices.com/uk/your-ad-choices;
6.6.2
https://optout.aboutads.info/?locale=en-US.
6.7
To exercise the rights to access, rectification, erasure, restriction of processing, data portability, as well as the right to object, and the right to file a complaint, or to ask any other question regarding cookies, please send an enquiry to the email address: foundation@fab.org.pl, or use other contact information for the Controller provided in the Policy.
7. Period of Personal Data processing
7.1
The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service provision, until consent is withdrawn or an effective objection to data processing is lodged in cases where the legal basis for data processing is the legitimate interest of the Controller.
7.2
The data processing period may be extended if processing is necessary for the Controller to establish and pursue claims or defend against such claims, and after that time only to the extent required by law. Upon expiry of the processing period, the data is permanently deleted or anonymised.
8. Rights related to the processing of Personal Data
Rights of Data Subjects
8.1
Data Subjects have the following rights:
8.1.1 The right to information regarding the processing of Personal Data
On this basis, the Controller provides the Data Subject making the request with information regarding the processing of Personal Data, including, in particular, the purposes and legal grounds for processing, the scope of the data held, the entities to whom it is disclosed, and the planned date of data deletion;
8.1.2 The right to obtain a copy of the data
On this basis, the Controller provides a copy of the processed Personal Data concerning the Data Subject making the request;
8.1.3 The right to rectification
On this basis, the Controller is obliged to correct any inaccuracies or errors in the processed Personal Data and to complete it if it is incomplete;
8.1.4 The right to erasure
On this basis, the Data Subject may request the erasure of Personal Data whose processing is no longer necessary for any of the purposes for which it was collected;
8.1.5 The right to restriction of processing
Upon receiving such a request, the Controller shall cease processing the Personal Data – except for operations to which the Data Subject has consented – and shall store it in accordance with established retention policies or until the grounds for restricting data processing cease to exist (for example, a decision is issued by a supervisory authority authorising further data processing);
8.1.6 The right to data portability
On this basis – to the extent that Personal Data is processed by automated means in connection with a concluded contract or expressed consent – the Controller shall provide the data supplied by the Data Subject in a machine-readable format; it is also possible to request that this data be sent to another entity, provided that the technical capabilities exist for this purpose on the part of both the Controller and the designated entity;
8.1.7 The right to object to other purposes of data processing
The Data Subject may at any time object – for reasons related to their specific situation – to the processing of Personal Data that is carried out on the basis of the Controller’s legitimate interest (for example, considerations related to the protection of property); such an objection must be accompanied by a justification;
8.1.8 The right to withdraw consent
If Personal Data is processed on the basis of consent, the Data Subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out prior to its withdrawal;
8.1.9 The right to lodge a complaint
If the Data Subject considers that the processing of Personal Data violates the provisions of the GDPR or other regulations regarding the protection of Personal Data, the Data Subject may lodge a complaint with the supervisory authority overseeing the processing of Personal Data, competent based on the Data Subject’s habitual residence, place of work, or the place where the alleged violation occurred. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
9. Submitting requests related to the exercise of rights
9.1
Requests regarding the exercise of Data Subjects' rights may be submitted:
9.1.1
in writing to the Controller’s address;
9.1.2
by email to: foundation@fab.org.pl.
9.2
The request should, as far as possible, specify precisely what the request concerns, in particular:
9.2.1
which right the person submitting the request wishes to exercise (for example, the right to receive a copy of the data, the right to have the data erased, etc.);
9.2.2
which processing operation the request concerns (for example, use of a specific service);
9.2.3
what processing purposes the request concerns (for example, purposes related to the provision of services, etc.).
9.3
If the Controller is unable to identify the individual based on the submitted request, it will ask the applicant for additional information. Providing such information is not mandatory; however, failure to do so will result in the request being denied.
9.4
The request may be submitted in person or through a representative (for example, a family member). For data security reasons, the Controller encourages the use of a power of attorney certified by a notary public or an authorised legal adviser or attorney, which will significantly expedite the verification of the request’s authenticity.
9.5
A response to the request should be provided within one month of its receipt. If it is necessary to extend this period, the Controller will inform the requester of the reasons for doing so.
9.6
If the request was submitted to the Controller electronically, the response shall be provided in the same form, unless the requester has requested a response in a different form. In other cases, the response shall be provided in writing. If the timeframe for fulfilling the request prevents a written response, and the scope of the applicant’s data processed by the Controller allows for electronic contact, the response shall be provided electronically.
10. Recipients of data
10.1
In certain cases, to the extent necessary to achieve the purposes described above, Personal Data will be disclosed to third parties providing services to the Controller (for example, IT service providers, providers of cookie consent management services and tools, and providers of donation payment processing services, such as PayPal).
10.2
If the User’s consent is obtained, their data may also be shared with other entities for their own purposes, including analytical purposes. The Controller informs about each instance of such sharing in the Policy.
10.3
The Controller reserves the right to disclose certain information regarding the User to competent authorities or third parties who request such information, based on an appropriate legal basis and in accordance with applicable law.
11. Transfer of data outside the EEA
11.1
The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, primarily through:
11.1.1
cooperation with entities processing Personal Data in countries for which the European Commission has issued a decision confirming an adequate level of protection for Personal Data;
11.1.2
the use of standard contractual clauses issued by the European Commission;
11.1.3
the use of binding corporate rules approved by the competent supervisory authority.
11.2
The Controller always informs Users of its intention to transfer Personal Data outside the EEA at the time of collection.
12. Contact information
12.1
The Controller may be contacted by email: foundation@fab.org.pl, or by post to the following postal address: Fundacja Auschwitz-Birkenau, ul. Mokotowska 65/3, 00-533 Warsaw.
13. Changes to the Privacy Policy
13.1
This Policy is reviewed on an ongoing basis and updated as necessary. Information regarding any changes to the Policy is published on the Website. The Controller may additionally notify the User of such changes via the Website.
13.2
The current version of the Policy was adopted and is effective as of 31 March 2026.
