Privacy Policy

§ 1. INTRODUCTION

This Privacy Policy sets forth the rules for the processing and protection of personal data within the PGNUM.PL Online Store operated by Podlaski Gabinet Numizmatyczny Marek Melcer, entered in the business register by the Mayor of Białystok under registration number 54670, Tax ID (NIP) 542-237-50-67, National Business Registry Number (REGON) 050676900, headquarters: 16 Marii Skłodowskiej-Curie St., 15-097 Białystok, Poland (hereinafter: the Controller).

Any questions or concerns regarding the processing of personal data may be directed:

  • by regular mail – to the Controller’s registered office address;
  • by email to: sklep@pgnum.pl, poczta@pgnum.pl;
  • by phone at (+48) 857454681, (+48) 602731654 (Monday–Friday, 10 a.m.–5 p.m.);
  • via the contact form available on the Website.

The Controller ensures that the personal data entrusted to it by individuals using the Website—the Users—is processed in accordance with generally applicable law, in particular in accordance with Regulation (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ EU L 2016.119.1)—hereinafter referred to as the GDPR.

The Controller’s objective is to ensure that Users’ privacy is protected at a level that at least meets the requirements of applicable law, in particular the GDPR.

Any person using the Website accepts all the rules contained in this Privacy Policy.

The Controller reserves the right to make changes to the Privacy Policy if required by law or changes in the Website’s functionality. Information about changes and their effective date will be made available via a notice published on the Website.


§ 2.  DEFINITIONS

User – a natural person whose personal data is processed by the Controller in connection with the use of the Website;

Personal Data – any information relating to an identified or identifiable natural person, including first name, last name, identification number, contact details, device IP address, location data, online identifier, and information collected through cookies or similar technologies;

Website – an ICT system operated at the web address www.sklep@pgnum.pl, as well as within applications and other tools, comprising an integrated set of computer programs, databases, and accompanying elements (e.g., graphical), enabling the provision of services electronically;

Processing of personal data – any operations performed on personal data, such as collecting, recording, organizing, storing, reviewing, modifying, disclosing, deleting, or destroying it—regardless of whether this is done automatically or manually;

Personal data breach – an incident leading to the accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access to personal data transmitted, stored, or otherwise processed.

§ 3.  PURPOSES, LEGAL BASIS, AND SCOPE OF PERSONAL DATA PROCESSING

The Controller processes personal data to the extent necessary to achieve a specific purpose and for no longer than the period permitted by applicable regulations, and only when at least one of the following conditions applies:

  • to carry out activities with the User’s consent, including marketing activities (Article 6(1)(a) of the GDPR);
  • processing is necessary for the performance of a contract concluded with the User (Article 6(1)(b) of the GDPR);
  • processing is necessary to handle a complaint, which constitutes the performance of a contract concluded with the User (Article 6(1)(b) of the GDPR);
  • processing is based on a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR);
  • processing serves the Controller’s legitimate interests, such as pursuing or defending against claims (Article 6(1)(f) of the GDPR).

The User independently decides on the scope of personal data provided, with the proviso that failure to provide such data may prevent the performance of certain services or functions available on the Website.


§ 4.  SECURITY OF PERSONAL DATA


The Controller regularly conducts risk assessments and implements appropriate technical and organizational measures to ensure the security of personal data processing.

The Controller grants and documents access to personal data on an individual basis only to persons authorized by the Controller and only to the extent necessary for the performance of their assigned tasks. Additionally, the Controller maintains a record of persons authorized to process personal data, who are obligated to keep both the data itself and the methods used to secure it strictly confidential. User personal data stored on our website complies with GIODO requirements and is encrypted using the SSL (Secure Sockets Layer) protocol. This measure is designed to secure access to transactions and users' personal data.
To protect personal data against unauthorized access, modification, loss, or destruction, the following measures are applied, among others: data transmission encryption, server security, monitoring of the Controller’s IT systems (security checks, regular updates, tests), procedures for restricting and controlling access, and auditing of data operations. Trusted, licensed third-party providers perform professional processing of personal data exclusively under contracts ensuring compliance with applicable laws, including the GDPR, and using appropriate security and access control mechanisms.

In the event of a personal data breach, the Controller implements procedures to quickly assess the scale of the incident and, if necessary, notifies the relevant supervisory authorities and the data subjects in accordance with applicable law.


§ 5.  RECIPIENTS OF PERSONAL DATA

Recipients of Users’ personal data may include entities cooperating with the Controller that have been commissioned to perform activities requiring data processing, in particular regarding email services, hosting, courier services, telecommunications and IT services, and payment operators, as well as technical, administrative, legal, and consulting services. External entities process personal data exclusively on the basis of concluded agreements and at the Controller’s instruction. In justified cases and pursuant to generally applicable laws, Users’ personal data may be disclosed to authorized entities or public authorities, e.g., in response to requests from public authorities, court orders, or regulatory agencies.


§ 6.  RECEIPT OF MARKETING INFORMATION

Receiving marketing information electronically requires the User’s voluntary consent, which may be withdrawn at any time without providing a reason by sending a request to the Controller’s email address.   


§ 7.  USER RIGHTS

Every User of the Podlaski Gabinet Numizmatyczny Marek Melcer (PGNUM.PL) Online Store whose personal data is processed has the following rights:

  • the right of access to personal data and to information regarding its processing (Article 15 of the GDPR);
  • the right to obtain a copy of personal data (Article 15(3) of the GDPR), provided that this does not infringe upon the rights of third parties and is technically feasible;
  • the right to rectify, correct, supplement, or update personal data if it is incomplete or has changed (Article 16 of the GDPR);
  • the right to erasure of personal data (“the right to be forgotten”) (Article 17 of the GDPR);
  • the right to restrict the processing of personal data (Article 18 of the GDPR);
  • the right to data portability, to have personal data transmitted to another controller (Article 20 of the GDPR);
  • the right to object to the processing of personal data for purposes other than marketing (Article 21 of the GDPR);
  • the right to object to the processing of personal data for marketing purposes (Article 21(2) of the GDPR);
  • the right to withdraw consent to the processing of personal data (Article 7(3) of the GDPR);
  • the right to lodge a complaint regarding the processing of personal data (Article 77 of the GDPR) – if the data subject believes that the processing of personal data violates the provisions of the GDPR or other regulations regarding the protection of personal data, they may file a complaint with the supervisory authority—the President of the Personal Data Protection Office (https://uodo.gov.pl/pl/p/kontakt).
  

The User has the right to submit a request regarding the protection and processing of personal data in writing to the Controller’s registered office or electronically to the Controller’s email address. A response will be provided within one month of receiving the request; if it is necessary to extend this period, the Controller will inform the User of the reasons for such an extension. The response will be sent to the email address from which the request was sent, and in the case of requests sent by mail, by registered mail to the address provided by the requester.


§ 8. COOKIES AND SIMILAR TECHNOLOGIES

The Podlaski Gabinet Numizmatyczny Marek Melcer Online Store website primarily uses cookies and, to a significantly lesser extent, other similar technologies (e.g., local storage) to ensure the proper functioning of the website, analyze traffic, and tailor content to the User’s preferences.

Cookies are pieces of data stored on the User’s device and used exclusively with the User’s consent, in particular to maintain the session after logging in, remember settings and preferences, collect statistical data, and conduct analytical and marketing activities.

Storing cookies on the User’s device is typically permitted by web browsers, whose settings the User can manage independently at any time, including disabling or completely blocking cookies; however, such restrictions may affect the functionality of the Website.

The Controller works with external internet service providers, the list of which may change, and these entities may use cookies for various purposes, such as monitoring traffic on the Website, compiling aggregate and anonymous statistics, controlling the frequency of content or ad displays, analyzing the effectiveness of newsletter subscriptions, and others.

You can find detailed information about the cookies used and how to manage them in your browser settings and in the Cookie Policy.

The Controller may use Google Analytics to analyze Website statistics. In such cases, User data may be transferred to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). You can block access to your data by installing the following plugin: https://tools.google.com/dlpage/gaoptout. Details regarding data processing by Google Analytics are available at: https://policies.google.com/privacy?hl=pl.

§ 9. SOCIAL MEDIA

The Controller processes the personal data of Users who visit its social media profiles (e.g., Facebook, Instagram), in particular to provide information about current activities, offer services, and communicate with Users. The Controller promotes its own brand and the services it offers, and builds and maintains a community associated with the Podlaski Gabinet Numizmatyczny Marek Melcer Online Store in accordance with the legal basis for the processing of personal data (Article 6(1)(f) of the GDPR).
 The Controller is not responsible for the content of websites linked to from the Website, as they are not owned by the Controller and the Controller cannot control the personal data processing policies applied on those sites.   

Displaying a page containing a social media plugin causes the User’s browser to establish a direct connection with the external service provider’s server. The plugin’s content is loaded directly from the service provider’s server and integrated into the Website. As a result of this integration, the service provider may receive information that the User has visited the Controller’s website, even if the User does not have a profile on the social media platform in question or is not logged in. This information (including the IP address) may be transmitted to the service provider’s server, which may be located outside the European Economic Area, including in the U.S.

The Controller encourages you to carefully read the details regarding the scope of data collected, the rules for processing such data, and privacy management practices, which are set forth in the privacy policies of individual service providers. It is recommended that you log out of your social media profile before visiting the Controller’s website to minimize the automatic collection of data during your visit to the Site. You can completely block the loading of social media plugins by using appropriate browser extensions (e.g., script blockers).


§ 10. SERVER LOGS

Using the website of the Podlaski Gabinet Numizmatyczny Marek Melcer Online Store involves sending requests to the server on which it is hosted, followed by their automatic recording in the server logs. The data contained in the logs, e.g., the User’s IP address, the date and time of the request, information about the web browser and operating system used, are stored exclusively on the server and are not associated with specific individuals, nor are they used by the Controller to identify the User.
To ensure the security of the Website and to implement appropriate remedial measures when necessary, persons authorized to manage the server infrastructure use server logs solely as supporting material. This data, which is useful for managing and maintaining the Website, also serves as an important analytical tool, e.g., in the event of suspected activities that compromise the Website’s security, including unauthorized access attempts. Additionally, in the event of a justified need and suspicion of unlawful activity, such data may be made available to law enforcement agencies or institutions authorized under applicable law. 


§ 11. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

As a general rule, the Controller does not transfer personal data outside the European Economic Area (EEA). However, if such a transfer occurs, it is made exclusively to third countries or entities for which the European Commission has issued a decision confirming an adequate level of personal data protection (Article 45 of the GDPR).

The current list of third countries recognized by the European Commission as providing an adequate level of data protection is available at
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

In the absence of a decision by the European Commission, the Controller may transfer personal data outside the EEA only on the basis of appropriate safeguards as set forth in Article 46 of the GDPR. The most important safeguards include, among others, Binding Corporate Rules (BCR), Standard Contractual Clauses (SCC) adopted by the European Commission, approved codes of conduct, or certification mechanisms.
In the absence of both a decision by the European Commission and the appropriate safeguards specified in Article 46 of the GDPR, the Controller may transfer data outside the EEA solely on the basis of the User’s explicit consent, granted after the User has been informed of the risks associated with such a transfer—in accordance with Article 49(1)(a) of the GDPR.


§ 12. AUTOMATED DECISION-MAKING AND PROFILING

The Controller uses the Website to process the User’s personal data in an automated manner in order to tailor the content displayed—including informational messages and advertisements—to the User’s preferences and interests. Automated profiling is part of this process and involves the automatic analysis of the User’s personal data, such as activity on the Website, to verify and analyze their interest in the Controller’s services.   

The profiling used by the Controller is intended solely for informational and marketing purposes, consisting of tailoring content to the User’s anticipated interests. It does not lead to automated decisions that could result in legal consequences for the User or significantly affect their personal, professional, or financial situation—within the meaning of Article 22 of the GDPR.
The User has the right to object at any time to the processing of their personal data for profiling purposes, in particular for marketing purposes, in accordance with Article 21(1) of the GDPR, in writing to the Controller’s registered office or by email to the Controller’s email address. Additionally, if the relevant features are technically available, the User may also object by changing their account settings or using the tools for managing marketing consents available on the Website.


§ 13. CHANGES TO THE PRIVACY POLICY

The Controller reserves the right to make changes to this Privacy Policy, which may be influenced by developments in internet technology, the need to implement new services, potential changes in data protection laws, the need to align the document’s content with regulatory guidelines, and the development of our Website: Podlaski Gabinet Numizmatyczny Marek Melcer Online Store. We will notify Users of any changes in a clear and understandable manner on the Website, along with the effective date of such changes. Users will be informed of significant changes to the Policy through an appropriate notice posted on the Website or sent directly—if we have their contact information and when required by law.

Use of the Website after the changes take effect constitutes acceptance of the updated Privacy Policy.


§ 14. FINAL PROVISIONS

In matters not covered by this Privacy Policy, generally applicable laws shall apply, in particular:
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (GDPR),
The Act of May 10, 2018, on the Protection of Personal Data,
The Act of July 18, 2002, on the Provision of Electronic Services,
The Act of July 12, 2024—Electronic Communications Law.

Any questions, comments, or requests regarding the processing of personal data should be directed to the Controller using the contact information provided in the “Introduction” section or on the Website.