Privacy Policy

PRIVACY POLICY

 

1. Definitions and General Information

 

When you visit or use our Website, we collect and process your Personal Data. DESA uses Personal Data for the purposes specified in this Privacy Policy as well as for other purposes, which are always clearly identified in the Information Clauses provided to Users. This Privacy Policy describes the principles and purposes governing the processing of such data and contains information regarding cookies and similar technologies used within the Website. By using the Website, You acknowledge that You have read and understood this Privacy Policy.


Personal Data collected through the Website are processed by DESA Unicum S.A. in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), the Polish Personal Data Protection Act of 10th May 2018, and the Polish Electronic Communications Law Act of 12th July 2024.

 

The following terms shall have the meanings set out below:

 

TERM

DEFINITION

Controller / We / DESA

The Controller is the entity that determines the purposes and means of the processing of Personal Data and is responsible, among other things, for ensuring an appropriate level of protection of such data and for facilitating the exercise of data subjects' rights.

 

The Controller of Personal Data collected in connection with the use of the Website is:

 

DESA Unicum S.A.

Registered office: str. Piękna 1A, 00-477 Warsaw, Poland, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS No. 0000718495, REGON No. 142733824, NIP No. 5272644731, share capital PLN 13,314,000 fully paid up. For matters concerning Personal Data protection, you may contact us at: rodo@desa.pl. The Controller has appointed a Data Protection Officer, as described further in this Privacy Policy.

 

Personal Data

Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity.

Information Clause

Any information provided by the Controller pursuant to Articles 13 or 14 of GDPR.

Privacy Policy

This document.

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Website

The website available at https://www.desa.pl and its subpages, enabling Users to access services provided electronically.

You / User

Any natural person who visits Website, or any other person who is a client of DESA, a prospective client, a person associated with a client (e.g. attorney-in-fact, representative, authorised person, beneficial owner), or any other stakeholder.

AML Act

The Polish Act of 1st March 2018 on Counteracting Money Laundering and Terrorist Financing, as amended.

 

 

 

 

2. Purposes and Legal Bases for the Processing of Personal Data

 

AREA OF PROCESSING

PURPOSE AND LEGAL BASIS FOR PROCESSING

USE OF THE WEBSITE

Within the Website, we use cookies and similar technologies. Consequently, as the Controller, we process information that may constitute Personal Data (such as IP addresses, online identifiers, device data, and information relating to your activity within the Website). We process such information for the following purposes:

 

· Provision of the Website to Users – the legal basis for processing is the necessity of processing for the performance of a contract or provision of a service (Article 6(1)(b) GDPR);

 

· Analytics and statistical purposes – the legal basis for processing is your consent to the use of analytical and statistical cookies or similar technologies (Article 6(1)(a) GDPR).

 

Further information regarding cookies is provided in a later section of this Privacy Policy.

 

We also record your activity within the Website in system logs (specialised software used to maintain a chronological record of events and actions relating to our IT systems and Website). Information collected in system logs may include Personal Data, such as your IP address and device information.

 

Such information is processed primarily for technical and administrative purposes (including error detection), ensuring the security of our IT systems and Website (including the detection of cyberattacks), administration of such systems, and for analytical and statistical purposes.

 

The legal basis for such processing is our legitimate interest (Article 6(1)(f) GDPR), consisting of ensuring the proper operation and continuous improvement of the Website, as well as protecting our business interests.

 

CONTACT FORM,

HELPLINE, E-MAIL

We provide various communication channels through which You may contact us, including an electronic contact form available on the Website, telephone contact via our helpline, e-mail correspondence sent to a dedicated contact address, and our social media channels (Facebook, Instagram, LinkedIn, and YouTube). When You contact us, we may process Your Personal Data.

 

When using our contact form available on the Website, You will be requested to provide certain Personal Data (e.g., Your full name and e-mail address). Providing such data is necessary for us to receive and process Your enquiry and enables us to contact You. The provision of

Personal Data is voluntary; however, it is not possible to submit an enquiry without providing the required information.

 

When You contact us through any of the communication channels made available by us, we process Your Personal Data for the purpose of identifying the sender and handling the enquiry. The legal basis for such processing is our legitimate interest pursuant to Article 6(1)(f) GDPR, consisting of responding to enquiries and providing support to Users.

 

If You contact us by electronic means or by post regarding matters unrelated to the conclusion or performance of a contract or the provision of services, the information contained in such correspondence, including Personal Data, will be processed for the purposes of responding to Your enquiry, conducting communication, and handling the matter raised, pursuant to Article 6(1)(f) GDPR, i.e., our legitimate interest in ensuring efficient correspondence management and communication in connection with our business activities. The Controller limits the scope of processed data to that which is necessary for handling a particular enquiry. Correspondence is stored in a manner ensuring an appropriate level of security and confidentiality, and access thereto is restricted to authorised personnel only.

 

Where telephone contact is made with the Controller in matters unrelated directly to the performance of a contract or the provision of services, the Controller may process Personal Data solely to the extent necessary to handle the enquiry or respond to the matter raised, pursuant to Article 6(1)(f) GDPR, i.e., the Controller's legitimate interest in ensuring efficient communication and handling requests related to DESA's business operations.

 

 

Telephone calls may be recorded. Call recordings are used in particular for quality assurance purposes and to verify the proper

handling of enquiries. Personal Data contained in call recordings may be processed:

 

  1. for the purpose of handling telephone communications and enquiries submitted via the helpline, pursuant to Article 6(1)(b) GDPR where processing is necessary to take steps prior to entering into a contract or for the performance of a service; and
  2. for the purpose of responding to the matter presented, ensuring appropriate service quality, and safeguarding the Controller's interests, pursuant to Article 6(1)(f) GDPR, i.e., the Controller's legitimate interest.

 

Access to call recordings is restricted to persons authorised by the Controller and entities providing technical or organisational support services for the helpline under appropriate contractual arrangements.

 

In certain circumstances (e.g., where you submit a complaint), we may also process your Personal Data for the purposes of establishing, pursuing, or defending legal claims. The legal basis for such processing is our legitimate interest pursuant to Article 6(1)(f) GDPR, consisting of protecting our rights and financial interests, resolving potential disputes, and responding to complaints.

REGISTRATION FOR

ONLINE AUCTIONS (VIA

THE DESA UNICUM

PLATFORM/APPLICATION)

You may register for online auctions through the DESA Unicum auction management platform/application (Auction Mobility). To use this option, after selecting the relevant interactive button on the Website ("Register"), you will be redirected to the platform (or, where applicable, the application) available at: https://bid.desa.pl/

 

In order to register, you will be required either to log into your account maintained within that platform/application or to provide the Personal Data necessary for registration (e.g., first name, surname, and e-mail address).

 

 

For the purposes of auction management carried out through the platform/application, the controller of your personal data is the owner of the bid.desa.pl platform/application:

Auction Mobility LLC

192 South Street, Suite 600

Boston, MA 02111, USA

 

Detailed information regarding the processing of personal data is available in the privacy notice published at: https://bid.desa.pl/privacy-policy/.

 

In connection with auction administration and compliance with the AML Act, DESA may receive information provided directly by the User (including by telephone, on paper forms, or via e-mail). Such information may include, among other things:

 

· identification data (e.g., name, date of birth, pseudonym or business name);

 

· contact details (e.g., telephone number, e-mail address, residential address);

 

· transaction-related information;

 

· information regarding a User's collection acquired through auctions organised by DESA;

 

· financial information (e.g., payment details, wire transfer instructions, bank account details);

 

· user and device identifiers;

 

· identification documents (e.g., photo identification and proof of address);

 

· other information provided as part of anti-money laundering and counter-terrorist financing procedures (KYC/AML).

 

We rely on information provided by the User or obtained through the User's interactions with us, including where the User participates in a live event, sells an item, or takes part in an auction. In connection with the organisation and administration of auctions, DESA may:

 

· record auctions, gallery events, and live events;

 

· broadcast auctions and events;

 

· operate CCTV systems;

 

· record telephone calls related to auctions.

 

The provision of data required for auction registration is voluntary; however, failure to provide such data will prevent participation in the auction. The Personal Data provided will be processed for the following purposes:

 

· conclusion and performance of a contract – the legal basis for processing is the necessity of processing for the performance of a contract or for taking steps at your request prior to entering into a contract (Article 6(1)(b) GDPR);

 

· communication via e-mail in connection with the provision of services, including coordination of auction participation (e.g., auction reminders, confirmation of participation, notification of organisational changes affecting service delivery) – the legal basis for processing is our legitimate interest pursuant to Article 6(1)(f) GDPR, consisting of ensuring the efficient administration of auction participants;

 

· compliance with legal obligations incumbent upon DESA, including verification of individuals as part of anti-money laundering and counter-terrorist financing procedures (KYC/AML) under the AML Act, receipt of payments, and issuing invoices or accounting documents – the legal basis for processing is compliance with a legal obligation pursuant to Article 6(1)(c) GDPR in conjunction with applicable tax and accounting regulations;

 

· establishment, exercise, or defence of legal claims – the legal basis for processing is our legitimate interest pursuant to Article 6(1)(f) GDPR, consisting of handling claims, seeking resolution of disputes, and protecting our business interests

 

CORPORATE SOCIAL

MEDIA PROFILES

If You visit our profile (corporate account/business page) on a social media platform such as Facebook, Instagram, LinkedIn, or YouTube and interact with us (e.g., by following our profile, posting comments, or leaving reactions), we process Your Personal Data.

 

 

The scope of Personal Data processed by us includes both the Personal Data that You provide directly and the Personal Data obtained from the operator of the relevant platform, including, for example, Your social media identifier (name, surname, or profile name), profile picture/avatar, and similar information. The provision of Personal Data is voluntary; however, without providing such data, certain functionalities of the social media platform may not be available (e.g., posting comments or sending messages to us). The Controller processes only such Personal Data as have been made available through social media platforms and are necessary for communication purposes or for operating DESA's corporate profile.

 

Independently of our activities, the operator of the relevant platform processes Your Personal Data in order to provide You with the services available through that platform, in accordance with it's terms and conditions of use. You should review the applicable terms of use and privacy policy or data processing information of the social media platform You use.

 

While browsing our Website, You may find links directing You to our social media profiles (corporate accounts/business pages). By clicking on such a link, You will be redirected to our profile maintained on the selected platform. Following such redirection, the operator of the relevant platform also acts as a controller of Your Personal Data and may use the information collected for its own purposes (for example, information indicating that You have navigated from our Website to a social media platform may be used for advertising, market research, or profiling purposes). We have no control over the processing of Personal Data carried out independently by the platform operator in its capacity as a separate controller.

 

Detailed information regarding the processing of Personal Data by social media platforms can be found in their respective privacy policies.

 

Facebook, Instagram, LinkedIn and YouTube

 

If You use our profile (business page) on these platforms or engage with content associated with it, we process Your Personal Data. The data we process may include:

 

· Your username;

 

· comments posted on our business page;

 

· messages sent to us;

 

· activity on our business page (through the "Audience Insights" service used by us), including visits to our page, posts, average video viewing duration, information regarding visitors' countries and locations, and visitor statistics;

 

· other information necessary to fulfil requests or to clearly identify visitors.

 

The operator of the Facebook and Instagram platforms is Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland ("Meta"). Meta processes Your Personal Data in accordance with its Privacy Policy.

 

 Joint Controllership with Meta

 

We use anonymised statistical information concerning the use of our Facebook and Instagram business pages, which is made available to us by Meta, including through the "Audience Insights" service. This service does not enable us to identify individual users or access their personal profiles.

 

We act as joint controllers with Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland, with respect to the processing of Personal Data for page insights and statistical purposes. Such joint controllership covers the aggregated analysis of data in order to generate statistics regarding user activity on our profiles.

 

Meta's responsibilities under the joint controllership arrangement include:

 

 

· ensuring an appropriate legal basis for processing data for page insights purposes;

 

· facilitating the exercise of data subjects' rights;

 

 

· reporting personal data breaches to the competent supervisory authority and notifying affected data subjects where required; · implementing appropriate technical and organisational measures to ensure the security of Personal Data.

 

Our responsibilities under the joint controllership arrangement include:

 

· ensuring an appropriate legal basis for processing data for statistical purposes; and

 

· fulfilling our information obligations in relation to the processing activities carried out by us.

 

The lead supervisory authority for the joint processing arrangement is the Irish Data Protection Commission.

 

Further information regarding the arrangement between the joint controllers is available in Meta's Page Controller Addendum.

 

In connection with operating our social media profiles (business pages), we may process your Personal Data for purposes based on our legitimate interests pursuant to Article 6(1)(f) GDPR, including:

 

· operating and maintaining our profile on the social media platform in accordance with the platform operator's rules;

 

· conducting marketing campaigns through the platform;

 

· informing users about our activities through our profile;

 

· building and maintaining relationships with existing and prospective clients through communication on social media platforms;

 

· carrying out analyses and statistics regarding the operation, popularity, and use

 

· establishing, pursuing, or defending legal claims related to the use of our profile.

 

NEWSLETTER

If You wish to receive information regarding our auctions, You may subscribe to our free newsletter service. To do so, You must provide a valid e-mail address. Providing an e-mail address is voluntary but necessary in order to subscribe to the newsletter.

 

By providing Your e-mail address and confirming Your subscription, You consent to receiving commercial communications, including information regarding auctions and other marketing content relating to DESA. Your consent also covers the use of automated systems for sending newsletter communications.

 

The legal basis for processing Personal Data for newsletter purposes is Your consent pursuant to Article 6(1)(a) GDPR.

 

You may unsubscribe from the newsletter at any time (i.e., withdraw Your consent). To do so, simply click the dedicated unsubscribe link included at the end of each newsletter message or send us an e-mail requesting removal from the mailing list.

 

Withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of consent before it's withdrawal.

BUSINESS PARTNERS

The provisions concerning the processing of Personal Data also apply to individuals representing contractors, associates, business partners, and persons contacting the Controller in connection with a proposed contract, the establishment of a business relationship, or the conduct of commercial negotiations. The scope of Personal Data processed depends on the nature of the business relationship and the type of cooperation involved. Such data may include, in particular, identification and contact details, as well as information necessary for the conclusion and performance of a contract or for accounting and settlement purposes, including, but not limited to:

 

· first name and surname;

 

 

· position, title, or function held;

 

· registered and correspondence addresses;

 

· e-mail address;

 

· telephone number;

 

· business registration details (e.g., KRS, NIP, REGON or equivalent registration identifiers);

 

· payment-related information; and

 

· where justified by applicable law or the nature of the cooperation, additional identification data required for compliance purposes.

 

Personal Data are processed for the purposes of taking steps prior to entering into a contract, concluding and performing contractual cooperation, maintaining ongoing communication between the parties, carrying out settlements and accounting activities, and securing potential legal claims.

 

The legal basis for such processing is:

 

· Article 6(1)(b) GDPR, insofar as processing is necessary for the conclusion or performance of a contract; and

 

· Article 6(1)(f) GDPR, namely the Controller's legitimate interest in maintaining business relationships and protecting its legal rights and commercial interests.

 

CCTV MONITORING

The Controller operates CCTV monitoring systems within it's gallery premises and registered offices. As a result, images of visitors, clients, contractors, participants in business meetings, job applicants, and other individuals present within monitored areas may be recorded. Personal Data in the form of image recordings are collected directly through CCTV systems and processed for the purposes of:

 

· ensuring the safety and security of individuals present on the Controller's premises;

 

· protecting property and assets;

 

· safeguarding confidential information and documentation.

 

 

The legal basis for such processing is Article 6(1)(f) GDPR, namely the Controller's legitimate interest in maintaining security and protecting it's organisational rights and interests.

 

CCTV recordings are retained for a period not exceeding 90 days from the date of recording, unless the recordings constitute evidence in proceedings conducted under applicable law or the Controller becomes aware that they may constitute evidence in such proceedings. In such cases, the retention period may be extended until the final and legally binding conclusion of the relevant proceedings.

 

Access to CCTV data is restricted exclusively to persons authorised by the Controller and entities providing services relating to the operation, maintenance, or security of the premises under appropriate contractual arrangements. Such data may also be disclosed to public authorities authorised to receive them pursuant to applicable law. CCTV monitoring does not cover areas where it could result in an excessive intrusion into privacy or infringement of personal dignity, in particular sanitary facilities, changing rooms, staff welfare facilities, and similar areas.

 

Detailed information concerning the operation of CCTV monitoring and the related processing of Personal Data is provided in a separate privacy notice made available at the Controller's premises.

 

RECRUITMENT PROCESS

As part of our recruitment processes, the Controller requests that candidates provide Personal Data only to the extent required by applicable employment laws, in particular the provisions of the Polish Labour Code. The provision of information beyond the scope required by law is not necessary in order to participate in the recruitment process.

 

The Personal Data of job applicants are processed:

 

  1. for the purpose of fulfilling legal obligations arising from recruitment and employment regulations, in particular labour law requirements, pursuant to Article 6(1)(c) GDPR in conjunction with the applicable legal provisions, including the Polish Labour Code;

 

  1. with respect to data voluntarily provided by the applicant, which are not required by law, as well as where the applicant has consented to participation in future recruitment processes, pursuant to Article 6(1)(a) GDPR, i.e., the data subject's consent;

 

 

  1. for the protection of the Controller's rights, including the establishment, exercise, or defence of legal claims arising in connection with the recruitment process, pursuant to Article 6(1)(f) GDPR, namely the Controller's legitimate interest.

 

The provision of Personal Data required by law is necessary in order to participate in the recruitment process. The provision of any additional data remains entirely voluntary.

 

Detailed information regarding the recruitment process and the related processing of Personal Data is made available by the Controller, for example, in a separate privacy notice provided alongside the application form for the relevant position.

 

MARKETING AND

INFORMATION ABOUT

OUR ACTIVITIES

We conduct marketing activities in compliance with applicable legal requirements, including any restrictions or prohibitions concerning advertising and promotional activities.

 

Marketing Communications

 

You may optionally consent to receiving our offers, auction-related information, and similar marketing communications concerning DESA and its activities through your preferred communication channel (e.g., e-mail, SMS/MMS, or other electronic means of communication).

 

The legal basis for such processing is your consent pursuant to Article 6(1)(a) GDPR.

 

 

Online Marketing

 

To the extent permitted by applicable law, we may also promote our activities through online marketing tools (e.g., advertising banners displayed on third-party websites).

 

For this purpose, we may use information collected in connection with your use of the Website. For example, information indicating that you are a customer or that you have visited the Website may be used to optimise our online marketing campaigns.

 

The legal basis for such processing is our legitimate interest pursuant to Article 6(1)(f) GDPR, consisting of promoting our activities and services.

 

We also use the services of marketing partners, including Meta (Facebook), to display advertising campaigns tailored to information collected during your use of the Website, including information obtained through cookies, provided that you have consented to the use of such cookies. The legal basis for such processing is your consent pursuant to Article 6(1)(a) GDPR.

 

Further information regarding such processing is provided in the section of this Privacy Policy relating to cookies.

 

OTHER PROCESSING

ACTIVITIES

Any other Personal Data may be processed by the Controller in connection with additional legal activities or other specifically identified and legitimate purposes.

 

In each case, the relevant information concerning such processing shall be provided to the data subject by means of a separate privacy notice, in accordance with the requirements of Articles 13 and 14 GDPR.

 

3. Cookies and Similar Technologies 

 

Our Website uses cookies and similar technologies and tools that are stored on the User's device. These technologies enable us, as well as third parties with whom we cooperate, to collect information (e.g., tracking pixels, tags, and similar technologies), which for the purposes of this Privacy Policy are collectively referred to as "cookies".

 

Cookies are small text files that are stored on a User's terminal device (e.g., a computer, smartphone, or tablet). They enable, among other things, the recognition of a device, the proper display of a website (including adapting it to the User's preferences), and the collection of various types of information relating to the User's interaction with the Website. Cookies typically contain the name of the website (domain) from which they originate, the period for which they are stored on the device, and a unique identifier.

 

Cookies perform a variety of functions. Some are strictly necessary for the proper operation of the Website, while others collect information regarding the User's use of the Website, including information about visits and activities performed during such visits.

 

We use cookies and similar technologies primarily for the following purposes:

1. Ensuring the proper functioning of the Website;

2. Analytics and statistical purposes – enabling us to better understand how Users interact with the Website so that we can improve its functionality and performance;

3. Functional purposes – remembering User preferences and adapting the Website to the User's choices and settings;

4. Marketing purposes – including the collection of information used in connection with online advertising and marketing campaigns.

 

Information collected through cookies generally does not allow us to directly identify your identity. From our perspective, the information obtained through cookies is generally anonymous. However, in certain circumstances, particularly when combined with other information, cookies may potentially enable the identification of an individual. For example, an IP address combined with a cookie identifier and information held by third-party service providers may allow a specific individual to be identified.

 

Cookies have different retention periods, after which they are automatically deleted or expire unless they are removed earlier by the User.

 

Some cookies are temporary in nature (session cookies) and are stored only for the duration of a User's session on the Website, or for a short period thereafter (e.g., several minutes). Such cookies are automatically deleted once the browser is closed.

 

Other cookies (persistent cookies), such as those used by Google Analytics or for storing information relating to cookie preferences, may remain on the User's device for longer periods (e.g., several months or even years) and may be deleted manually, for example through browser settings.

 

Certain cookies originate directly from our domain (first-party cookies), while others originate from external servers and are placed by third parties, such as service providers whose services we use (third-party cookies).

 

3.1. Strictly Necessary Cookies

Certain cookies are essential for the proper and secure operation of the Website. Accordingly, pursuant to applicable law (including Article 398 of the Electronic Communications Law Act), the use of such cookies does not require the User's consent.

 

3.2. Analytics and Statistical Cookies

We use cookies that enable us to monitor how the Website is used and which pages are viewed for analytical and statistical purposes. These cookies allow us to analyse Website traffic data, including IP and MAC addresses, general geographic information, browser type, device information, Internet service provider details, and activities performed by Users within the Website.

 

These cookies enable the preparation of aggregated reports and statistics, which assist us in improving the Website and identifying and correcting potential errors.

 

3.3. Marketing Cookies

Marketing cookies enable the display of marketing content (e.g., information regarding our activities) tailored to Users on the basis of information relating to visits to the Website, pages viewed, and links clicked.

 

Such cookies are used, among other things, to:

· personalise online marketing content;

· display advertisements outside the Website;

· measure and analyse the effectiveness of marketing activities; and

· compile marketing-related statistics.

 

Information collected through marketing cookies may be shared with third parties operating advertising networks and related marketing services. All marketing activities are conducted in compliance with applicable laws and any restrictions or prohibitions concerning advertising and promotional activities applicable to our business.

 

3.4. Third-Party Tools and Services

Within the Website, we use various third-party services and tools that utilise cookies and similar technologies. This applies in particular to analytical and marketing activities. Further information regarding the providers and tools used by us is set out below.

 

Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building, Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland. Google Analytics uses cookies to measure, compile, and report statistics regarding Users' interactions with the Website. The information collected through Google Analytics is used exclusively to generate aggregated analyses and statistical reports. The Controller does not use information obtained through Google Analytics to directly identify individual Users. Google Analytics uses online identifiers and information relating to activity within the Website. Analysis of such information enables us to assess the performance and usability of DESA's websites and their individual components, thereby supporting the development of new services and functionalities. In addition to the requirement to obtain consent for analytics and statistical cookies, Users may independently disable Google Analytics cookies through their browser settings. Users may also prevent Google Analytics from collecting and processing information by downloading and installing the browser add-on available from Google. Further information regarding Google Analytics is available in Google's documentation and Privacy Policy.

 

Google Marketing Tools

We use Google's marketing tools for advertising and promotional purposes. Google marketing services (including Google Ads) enable us to display our campaigns within Google Search and across websites participating in Google's advertising network. We also analyse the effectiveness of our campaigns in order to better tailor them to Users' interests and expectations. Google provides us primarily with aggregated statistical reports. However, when advertising tools are used, online identifiers may also be processed. These services are provided by Google Ireland Limited, Google Building, Gordon House, 4

Barrow Street, Dublin D04 E5W5, Ireland. Where applicable, Users may manage personalised advertising settings through their Google account preferences.

In certain cases, Google acts as a processor on our behalf (for example, in connection with Google Marketing Platform and certain Google Ads functionalities). In other circumstances, Google acts as an independent controller of Personal Data. Further information regarding Google's GDPR compliance framework and data processing practices is available from Google.

Meta

Within the Website, we use tools provided by Meta Platforms Ireland Limited, including the Meta Pixel and event measurement tools. For example, when You visit the Website, the Meta Pixel transmits information concerning User activity to Meta. This enables us to better tailor advertising campaigns displayed on Facebook and Instagram and to assess their effectiveness. It also enables us to obtain analytics and measurement information concerning our products and services.

 

The collection and processing of certain Personal Data are carried out jointly with Meta Platforms Ireland Limited under a joint controllership arrangement.

 

The purposes of such joint processing include:

· creating and optimising personalised or relevant advertisements;

· delivering commercial and transaction-related communications (including through Messenger and similar services).

 

The joint controllership arrangement does not extend to:

· processing activities carried out by Meta after the data have been collected and transmitted to Meta, for which Meta acts as an independent controller; and

· the preparation of aggregated and anonymised reports and analyses performed by Meta as our processor.

 

Where you have consented to the use of marketing cookies, Meta tools may collect information relating to Your activity on the Website, including in particular:

· online identifiers;

· browser and device information;

· IP address;

· information regarding visited pages and subpages; and

· activity-related events occurring within the Website.

Such information may be used by Meta to:

· personalise advertising content;

· measure the effectiveness of advertising campaigns; and

· create advertising audiences and audience segments.

 

We have entered into a Joint Controller Addendum with Meta, which sets out the respective responsibilities of the parties for compliance with GDPR obligations in relation to the joint processing activities. Further information regarding the processing of Personal Data in connection with Meta Business Tools is available in Meta's Business Tools Terms and Privacy Policy. Information regarding the legal basis for Meta's processing activities and the exercise of data subject rights vis-à-vis Meta can also be found in Meta's Privacy Policy.

 

HotJar

We use Hotjar Ltd., a company registered at Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville, St Julian's STJ 3141, Malta, which provides analytics tools enabling us to better understand how Users interact with the Website. Hotjar allows us to analyse User activity through the anonymous collection of information regarding, among other things, clicks on links, navigation patterns, and the amount of time spent on particular pages of the Website.

 

To provide these services, Hotjar uses cookies and similar technologies to collect information relating to Users and their devices. Such information may include:

· the device's IP address (processed during the session and stored in an anonymised form);

· screen size and display resolution;

· device type and unique device identifiers;

· browser-related information;

· geographic location data (limited to country-level information); and

· the preferred language used to access and display the Website.

 

Hotjar is not used for the purpose of directly identifying individual Users. The information collected through Hotjar is used exclusively for analytical purposes and to improve the functionality, usability, and performance of the Website. Further information regarding the processing of Personal Data by Hotjar and the categories of information collected through its services is available in Hotjar's Privacy Policy.

 

User.com Messenger

The Website enables remote customer support services through the User.com messaging platform. This solution allows Users to communicate with DESA via an online chat application that does not require installation on the User's device and can be accessed by clicking the designated contact button available on the Website. DESA representatives use a dedicated application equipped with tools that provide contextual information regarding the User engaging in the conversation (e.g., pages visited within the Website). This facilitates efficient communication and enables us to provide the most appropriate assistance.

 

In connection with the use of the User.com messenger service, the following categories of Personal Data may be processed:

· IP address;

· User identifier;

· communication and chat history;

· information voluntarily provided by the User during the conversation;

· information relating to the User's activity within the Website.

 

The legal bases for processing are:

· Article 6(1)(a) GDPR – with respect to information voluntarily provided by the User through the messenger service;

· Article 6(1)(b) GDPR – where processing is necessary to handle an enquiry, take steps at the User's request prior to entering into a contract, or provide requested services;

· Article 6(1)(f) GDPR – namely the Controller's legitimate interest in ensuring efficient communication with Users and providing effective customer support.

 

Further information regarding the processing of Personal Data by User.com is available in the User.com Privacy Policy.

 

3.5. Consent to the Use of Cookies

The use of cookies generally requires the User's consent, except for cookies that are strictly necessary for the operation of the Website.

 

Our Website displays a cookie notice informing Users about the use of cookies. Through this notice, you may consent to the use of cookies for specific purposes or refuse consent in relation to particular categories of cookies. Where consent is not granted, we will only use cookies that are strictly necessary

for the operation of the Website. Such cookies do not require consent because the Website cannot function properly without them.

 

With respect to strictly necessary cookies, the legal basis for processing is Article 6(1)(f) GDPR, namely the Controller's legitimate interest in ensuring the proper operation and security of the Website. Where the use of cookies requiring consent (such as analytics or marketing cookies) involves the processing of Personal Data, the sole legal basis for such processing is the User's consent pursuant to Article 6(1)(a) GDPR, in conjunction with Article 398 of the Electronic Communications Law Act. Consent to the use of cookies is obtained in accordance with Article 398 of the Electronic Communications Law Act. Analytics cookies, marketing cookies, and associated tracking technologies are activated only after the User has provided valid consent. Until such consent is obtained, any scripts, technologies, or tools relying on those cookies remain inactive.

 

Where third-party cookies are used, consent to their deployment also constitutes consent to the transfer of Personal Data collected through such cookies to the relevant third-party provider. You may withdraw your consent to the use of cookies at any time, including by adjusting your cookie preferences through the cookie settings panel available on the Website or through your browser settings. The current list of cookies used on the Website is made available through Cookiebot, a consent management platform used to administer preferences relating to cookies and similar technologies.

 

Cookiebot enables Users to review, at any time:

· the categories of cookies in use;

· the retention periods applicable to each cookie;

· the providers responsible for the respective technologies; and

· the scope of consents granted by the User.

 

Information regarding consents provided by Users is retained for the period specified in the Cookiebot configuration settings or until consent is withdrawn, unless a longer retention period is required by applicable law.

The Website (www.desa.pl) uses the Cookiebot platform to provide a transparent mechanism for managing privacy and cookie preferences. Through this solution, Users may, in particular:

· consent to the use of specific categories of cookies or refuse their use;

· manage preferences relating to individual categories of cookies, including strictly necessary, functional, statistical, and marketing cookies; and

· obtain information regarding cookies that are essential for the proper functioning of the Website, including their purpose and scope of use.

 

A detailed and up-to-date list of cookies currently used, their retention periods, and their respective providers is available within the Cookiebot preferences panel. Users may also configure their browser settings to automatically block all or selected categories of cookies. Similarly, Users may choose to accept all cookies, refuse all non-essential cookies, or manage their preferences in a more granular manner. Detailed information regarding cookie management functions is available in the documentation of the relevant browser. Instructions for managing cookie settings in commonly used browsers are available from the respective browser providers. Please note that disabling or blocking strictly necessary cookies may result in the Website not functioning properly for technical reasons.

 

4. Retention Period for Personal Data

The Controller retains Personal Data for no longer than is necessary to fulfil the purposes for which the data were collected, taking into account the nature of the services provided, applicable legal requirements, and the need to establish, exercise, or defend potential legal claims.

 

Upon expiry of the applicable retention period, Personal Data shall be deleted or irreversibly anonymised, unless their continued retention is required by applicable law or is necessary for the establishment, exercise, or defence of legal claims. The retention period applicable to Personal Data depends on the purpose and legal basis of the processing activity.

 

Data Processed on the Basis of Consent

Where Personal Data are processed on the basis of consent pursuant to Article 6 (1) (a) GDPR, such data shall be retained until the consent is withdrawn or until the data are no longer necessary for the purpose for which they were collected, whichever occurs first.

 

Data Processed in Connection with the Conclusion or Performance of a Contract

Personal Data processed for the purpose of entering into or performing a contract pursuant to Article 6(1)(b) GDPR shall be retained for the duration of the contractual relationship and thereafter until the expiry of the applicable statutory limitation period for claims arising under applicable law.

 

Data Processed for Compliance with Legal Obligations

Personal Data processed in order to comply with legal obligations imposed on the Controller pursuant to Article 6(1)(c) GDPR, including obligations arising under tax laws, accounting regulations,

employment laws, and anti-money laundering legislation (AML), shall be retained for the periods prescribed by the relevant legal provisions.

 

Data Processed on the Basis of Legitimate Interests

Personal Data processed on the basis of the Controller's legitimate interests pursuant to Article 6(1)(f) GDPR shall be retained until a valid objection to the processing is raised or until the relevant processing purpose has been fulfilled, unless continued processing is justified by overriding legitimate grounds or is necessary for the establishment, exercise, or defence of legal claims.

 

Illustrative Data Retention Periods

For transparency purposes, the Controller provides below examples of retention periods applicable to selected processing activities:

Type of Data / Processing Activity

Retention Period

Contact form submissions and correspondence data

Up to 12 months following the conclusion of the communication, unless a longer retention period is justified by the nature of the matter or is necessary for the establishment, exercise, or defence of legal claims.

Telephone call recordings

Up to 3 months from the date of recording, unless the recording constitutes evidence in legal proceedings or is required for the establishment, exercise, or defence of legal claims.

Data relating to participation in auctions and transaction performance

For the duration of the business relationship and thereafter for the periods required under tax regulations (i.e., 5 years from the end of the calendar year in which the tax payment deadline expired), accounting regulations (i.e., 5 years calculated from the beginning of the year following the relevant financial year), and the AML Act.

AML/KYC-related data

For 5 years from the first day of the year following the year in which the business relationship ended or an occasional transaction was completed, in accordance with the AML Act.

Marketing data

Until consent is withdrawn or a valid objection to processing is raised.

Newsletter subscription data

Until the User unsubscribes from the newsletter (i.e., withdraws consent).

Analytics and statistical data

For the period resulting from the settings of the relevant analytics tools or the validity period of the applicable cookies. Details concerning cookie retention periods are available through Cookiebot.

System logs

Up to 12 months, unless a longer retention period is required to ensure the security of IT systems or for the establishment, exercise, or defence of legal claims.

CCTV monitoring data

Up to 90 days from the date of recording, unless the recording constitutes evidence in legal proceedings.

Job applicant data

Until completion of the recruitment process (not exceeding 6 months from the commencement of the recruitment process). Where consent has been provided for future recruitment opportunities, data will be retained for no longer than 24 months or until consent is withdrawn, whichever occurs first.

Data processed through the User.com

messenger service

Up to 12 months following the conclusion of the communication, unless a longer retention period is justified by the nature of the matter or required by law.

 

The retention period for Personal Data may be extended where processing is necessary for the establishment, exercise, or defence of legal claims (for example, claims relating to statutory warranties or legal disputes, in which case relevant documentation may be retained for up to 6 years) or where continued retention is required to comply with legal obligations imposed on the Controller (including obligations arising under the AML Act).

 

Upon expiry of the applicable retention period, Personal Data shall be securely deleted or irreversibly anonymised. Personal Data contained in comments posted on our social media profiles shall be retained until removed by the author of the comment. The retention period applicable to any other data associated with the use of our social media profiles is determined by the respective social media platform operators in accordance with their own policies.

 

The Controller periodically reviews the necessity of retaining Personal Data and deletes or anonymises data where their continued processing is no longer necessary for the purposes for which they were collected or otherwise lawfully processed.

 

 

5. Rights of Data Subjects

Pursuant to Articles 15–22 GDPR, each User is entitled to exercise the following rights:

 

 

1) Right of Access (Article 15 GDPR)

The data subject has the right to obtain confirmation from the Controller as to whether Personal Data concerning them are being processed and, where that is the case, to obtain access to such Personal Data. In accordance with Article 15 GDPR, the Controller shall provide the data subject with a copy of the Personal Data undergoing processing;

 

2) Right to Rectification (Article 16 GDPR)

The data subject has the right to obtain from the Controller, without undue delay, the rectification of inaccurate Personal Data concerning them.

 

3) Right to Erasure ("Right to be Forgotten") (Article 17 GDPR)

The data subject has the right to obtain from the Controller the erasure of Personal Data concerning them without undue delay, and the Controller shall erase such Personal Data without undue delay where one of the following grounds applies:

a. the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b. the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

c. the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing.

 

4) Right to Restriction of Processing (Article 18 GDPR)

 

The data subject has the right to obtain from the Controller restriction of processing in the following circumstances:

a. where the accuracy of the Personal Data is contested, for a period enabling the Controller to verify the accuracy of the data;

b. where the data subject has objected to processing pursuant to Article 21(1) GDPR, pending verification of whether the Controller's legitimate grounds override those of the data subject;

c. where the processing is unlawful and the data subject opposes the erasure of the Personal Data and requests the restriction of their use instead.

 

5) Right to Data Portability (Article 20 GDPR)

The data subject has the right to receive Personal Data concerning them in a structured, commonly used, and machine-readable format and, where applicable, to transmit those data to another controller, in accordance with Article 20 GDPR.

 

6) Right to Object (Article 21 GDPR)

Where Personal Data are processed for direct marketing purposes, the data subject has the right, at any time, to object to the processing of Personal Data concerning them for such marketing purposes, including profiling to the extent that it is related to such direct marketing. Upon receipt of such an objection, the Personal Data shall no longer be processed for direct marketing purposes.

 

7) Right to Lodge a Complaint with a Supervisory Authority

If You believe that the processing of your Personal Data infringes applicable data protection laws, You have the right to lodge a complaint with the competent supervisory authority responsible for data protection. In Poland, the competent supervisory authority is the President of the Personal Data Protection Office. To exercise any of the rights described above, please contact the Controller using the registered office address or the e-mail address specified in Section 10 of this Privacy Policy.

 

6. Data Recipients

 

In connection with the operation of the Website and the provision of our services, we engage third-party service providers (subcontractors and suppliers). Consequently, recipients of Personal Data may include:

· IT service providers (including hosting providers);

· transport and logistics companies;

· marketing service providers;

· banks and payment service providers;

· accounting and bookkeeping service providers (including for invoicing and accounting purposes);

· auction partners and co-organisers;

· event organisers;

· providers of auction management platforms or applications, to the extent that they act as processors on our behalf;

· providers of AML, KYC, identity verification, and compliance services required under applicable anti-money laundering legislation.

 

Where Personal Data of Users (including auction participants) are processed through auction management systems, such processing is carried out solely on the documented instructions of the Controller and exclusively for the purpose of facilitating the auction and sales process.

Such processing is governed by a data processing agreement concluded in accordance with Article 28 GDPR, and the relevant Personal Data are not used by the processor for any purpose other than those specified by the Controller.

 

Recipients of Personal Data may therefore include:

i. processors acting on our behalf pursuant to Article 28 GDPR; and

ii. independent controllers (such as Meta or Google) to the extent that they independently determine the purposes and means of processing.

 

In connection with the use of third-party cookies, Personal Data collected through such cookies, including information that may constitute Personal Data, are also collected and processed by the respective third-party providers. Further details regarding such processing are provided in Section 3 (Cookies and Similar Technologies) of this Privacy Policy.

 

In addition, Personal Data may be disclosed where required by law to:

· law enforcement authorities;

· courts and judicial authorities;

· tax authorities;

· regulatory, supervisory, and inspection authorities; and

· the General Inspector of Financial Information and other competent authorities responsible for anti-money laundering supervision,

including where disclosure is made in response to a lawful request, order, or statutory obligation imposed on the Controller.

 

7. Transfers of Personal Data Outside the EEA

The level of protection afforded to Personal Data outside the European Economic Area (EEA) may differ from that provided under European data protection laws. Accordingly, we ensure that Personal Data are transferred outside the EEA only where necessary and subject to appropriate safeguards designed to ensure an adequate level of protection. Where required by applicable law or by the nature of the transfer, the Controller carries out a Transfer Impact Assessment (TIA) to evaluate the risks associated with the transfer of Personal Data outside the EEA and to determine whether appropriate safeguards are in place.

 

Due to our use of certain services and tools provided by companies headquartered in the United States (including, for example, Google and Meta services), Personal Data relating to Users, such as cookie identifiers and other online identifiers, may be transferred to and processed on servers located in the United States. Pursuant to the European Commission Adequacy Decision of 10 July 2023, the United States has been recognised as providing an adequate level of protection for Personal Data transferred to organisations certified under the EU–U.S. Data Privacy Framework ("DPF"). Entities such as Google LLC and Meta Platforms Inc. participate in and are certified under the EU–U.S. Data Privacy Framework. Where Personal Data are transferred to recipients that are not certified under the EU–U.S. Data Privacy Framework, such transfers are carried out on the basis of appropriate safeguards recognised under the GDPR, including the Standard Contractual Clauses ("SCCs") adopted by the European Commission. For example, transfers of Personal Data to Auction Mobility LLC, which is not certified under the EU–U.S. Data Privacy Framework, are based on the European Commission's approved Standard Contractual

Clauses. Further information regarding the Standard Contractual Clauses adopted by the European Commission is available from the European Commission. Accordingly, where Personal Data are transferred to entities located in the United States, the Controller relies on one or more of the following transfer mechanisms to ensure an adequate level of protection: (i) an adequacy decision adopted by the European Commission, including the EU–U.S. Data Privacy Framework; and/or (ii) the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46 GDPR. Notwithstanding the safeguards described above, Users should be aware that United States law may permit access to Personal Data by U.S. public authorities, including law enforcement and national security agencies, under certain circumstances.

 

8. Anti-Money Laundering and Counter-Terrorist Financing

In connection with our activities relating to the organisation of art auctions and the trading of artworks and collectors' items, we are subject to obligations arising under anti-money laundering and counter-terrorist financing legislation, in particular the Anti-Money Laundering and Counter-Terrorist Financing Act ("AML Act").

 

Where required by applicable law, we process Personal Data for the following purposes:

· applying customer due diligence and other financial security measures;

· identifying and verifying the identity of clients;

· identifying and verifying beneficial owners;

· assessing business relationships and associated risk levels;

· monitoring transactions and activities related to participation in auctions;

· detecting activities that may indicate money laundering or terrorist financing;

· fulfilling reporting obligations towards the General Inspector of Financial Information;

· documenting compliance with obligations arising under the AML Act.

 

Categories of Personal Data Processed

The categories of Personal Data processed for AML/KYC purposes may include, in particular:

· identification and contact details;

· the Polish PESEL number or date of birth;

· nationality;

· identity document number and series;

· information relating to the representation of a legal entity;

· beneficial ownership information;

· information concerning transactions, source of funds, and payment methods;

· any other information required under the AML Act.

 

Legal Basis for Processing

The legal basis for processing Personal Data for AML/KYC purposes is Article 6(1)(c) GDPR, namely that processing is necessary for compliance with legal obligations to which the Controller is subject under the AML Act.

 

Disclosure of Personal Data

Where required by law, Personal Data may be disclosed to entities and authorities authorised to receive such information, including in particular:

· the General Inspector of Financial Information;

· law enforcement authorities;

· public administration bodies;

· entities supporting the Controller in fulfilling AML/KYC obligations, including providers of compliance, identity verification, sanctions screening, and transaction monitoring services.

 

Retention Period

Personal Data processed in connection with obligations arising under the AML Act shall be retained for five (5) years, calculated from the first day of the calendar year following the year in which the business relationship with the client was terminated or an occasional transaction was completed, unless a longer retention period is required by applicable law.

 

AML/KYC Risk Assessment and Data Analysis

In fulfilling its obligations under the AML Act, the Controller may conduct risk assessments and apply data analysis mechanisms relating to business relationships, transactions, and client activities. Such analysis may include, in particular, information relating to:

· the value and frequency of transactions;

· the manner of participation in auctions;

· the source of funds;

· the country of residence, incorporation, or business activity;

· business, corporate, or organisational relationships;

· information obtained from publicly available registers, sanctions lists, and other sources required under AML legislation;

· the history of the client's relationship with the Controller; and

· the risk level assigned to the bus

Purposes of Data Analysis

Data analysis mechanisms are used for the purposes of:

· complying with legal obligations relating to anti-money laundering and counter-terrorist financing;

· conducting AML/KYC risk assessments;

· detecting unusual, suspicious, or potentially prohibited transactions;

· applying appropriate customer due diligence and financial security measures; and

· protecting the Controller against fraud, abuse, and breaches of applicable law.

 

Such analysis may result in the assignment of a specific risk level to a business relationship or transaction. This risk classification may affect:

· the scope of documentation required from the client;

· the level of identity verification to be carried out; and

· the need to undertake additional due diligence or explanatory measures in accordance with AML legislation.

 

No Solely Automated Decision-Making

Notwithstanding the foregoing, the Controller does not make decisions concerning data subjects based solely on automated processing, including profiling, where such decisions would produce legal effects concerning the individual or similarly significantly affect them within the meaning of Article 22 GDPR. Any decision regarding the establishment, continuation, suspension, or refusal of a business relationship or transaction is made with meaningful human involvement by an appropriately qualified employee or adviser, following an individual assessment of the circumstances of the specific case.

 

Consequences of Failure to Provide Required Data

Failure to provide Personal Data required by applicable AML legislation may result in:

· refusal to establish or continue a business relationship;

· refusal to permit participation in an auction; or

· refusal to execute a transaction.

 

9. Security

To ensure the security of Users' Personal Data, we regularly conduct risk assessments and implement appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, misuse, or unauthorised access. We ensure that all processing activities involving Personal Data are appropriately logged,

monitored, and carried out exclusively by authorised personnel and authorised service providers acting under the Controller's instructions. Whenever Personal Data are transmitted through the Service, we use secure and encrypted communication channels to protect data in transit. The Controller applies the principle of data minimisation and processes only such Personal Data as are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. We take all reasonable and necessary steps to ensure that our processors, subcontractors, and other third parties engaged in the processing of Personal Data implement and maintain appropriate technical and organisational security measures consistent with applicable data protection requirements.

 

The Controller does not make decisions concerning Users based solely on automated processing, including profiling, which produce legal effects concerning the User or similarly significantly affect the User within the meaning of Article 22 GDPR. In certain circumstances, the Controller may carry out data analysis relating to User activity, preferences, behavioural patterns, or AML/KYC risk assessments. However, such analysis does not result in decisions producing legal effects or similarly significant consequences being made solely by automated means.

 

Where processing is based on the Controller's legitimate interests pursuant to Article 6(1)(f) GDPR, the Controller performs an assessment of the impact of such processing on the rights and freedoms of data subjects (commonly referred to as a balancing test) to ensure that those interests do not override the interests or fundamental rights and freedoms of the individuals concerned.

 

The services provided through the Service are not directed to individuals under the age of eighteen (18). The Controller does not knowingly collect or process Personal Data relating to persons under the age of 18 without the prior and explicit consent of their parent, legal guardian, or other authorised legal representative where such consent is required under applicable law.

 

10. Contact Details and Data Protection Officer

You may contact us by post at following adress:

DESA Unicum S.A., ul. Piękna 1A, 00-477 Warsaw, Poland

 

The Controller has appointed a Data Protection Officer ("DPO"). The Controller's Data Protection Officer is Ignacy Michałowski. For all matters relating to the processing of Personal Data and the exercise of data protection rights, you may contact the Data Protection Officer:

 

 

By post:

DESA Unicum S.A., str. Piękna 1A, 00-477 Warsaw, Poland

Please mark correspondence: “Data Protection Officer"

 

By e-mail: rodo@desa.pl

 

The Data Protection Officer may be contacted regarding any matters concerning the processing of Personal Data and the exercise of rights under applicable data protection legislation.

 

We regularly review and update this Privacy Policy as necessary, including in order to:

· ensure the continued security of Personal Data;

· reflect changes in applicable laws and regulations;

· implement changes to DESA's internal procedures; and

· introduce new services, features, functionalities, or processing activities.

 

Where any changes to this Privacy Policy are material, we will make reasonable efforts to notify affected individuals in advance through available communication channels. The most current version of this Privacy Policy shall supersede all previous versions and shall be made available through the Service.

 

This Privacy Policy is effective as of 24th June 2026.

PRIVACY POLICY

 

1. Definitions and General Information 

 

When you visit or use our website, we collect and process your personal data. This privacy policy outlines the principles and purposes of processing such data and includes information about cookies and similar technologies used on the website. By using the website, you confirm your acceptance of these terms and conditions.

 

The personal data collected through the website is processed by Desa Unicum in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), the Polish Personal Data Protection Act of 10 May 2018, and the Electronic Communications Law of 12 July 2024.

 

The following key terms have the following meanings:

 

TERM

EXPLANATION

Data Controller or We 

The Data Controller is the entity that determines the purposes and means of processing personal data and is also responsible, among other things, for ensuring an appropriate level of data protection and for exercising the rights of individuals whose data is being processed.  

 

The controller of Your Personal Data collected in connection with Your use of the website is us, that is:

 

DESA Unicum S.A. headquartered in Warsaw (str. Piękna 1A, 00-477 Warsaw)

Personal Data

Any information about an identified or identifiable natural person (i.e., a living human being); an identifiable person is one who can be identified directly or indirectly, for example, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Privacy Policy 

this document 

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

website 

The website available at www.desal.pl, allowing users to access the services offered through it.

You or user 

Any natural person visiting the website.

 

2. Purposes and Legal Basis for the Processing of Personal Data

 

AREA

PURPOSE AND LEGAL BASIS

USE OF THE WEBSITE

We use cookies or similar technologies within the website. Therefore, as the Data Controller, we process information that may be considered Personal Data (e.g., IP address, online identifiers, device data, activity data within the website). We process this information for the following purposes:

  • To provide you the website access – legal basis: necessity for the performance of a service (Art. 6 (1) (b) GDPR);

  • Analytical and statistical purposes – legal basis: our legitimate interest (Art. 6 (1) (f) GDPR), which involves analyzing user activity and preferences to improve functionality and services, subject to Your consent to use analytical and statistical cookies or similar technologies.

  

More information about cookies can be found later in this Privacy Policy.

 

Your activity within the service is recorded in so-called system logs (a special program used to store chronological records of events and actions related to our IT system/service). These logs may contain Personal Data (e.g., IP address, device data). This information is primarily processed for technical and administrative purposes (e.g., error detection), to ensure the security of our IT system/service (e.g., detecting cyberattacks), and for analytical/statistical purposes – the legal basis being our legitimate interest (Art. 6(1)(f) GDPR), aimed at ensuring the proper functioning of the website and it's improvement, as well as protecting our economic interests.

CONTACT FORM, HELPLINE, E-MAIL

We offer various communication channels, such as an online contact form, helpline, email, and social media (Facebook, Instagram, LinkedIn, YouTube). When You contact us, we may process Your Personal Data.

 

When using our contact form on our website, You will be asked to provide necessary Personal Data (e.g., name, email address). This data is required to handle Your inquiry and establish communication. Providing the data is voluntary, but the form cannot be submitted without it.

 

When contacting us through available channels, we process Your Personal Data to identify the sender and handle the inquiry. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR), which is to respond and support users.

 

In some cases (e.g., complaint submission), Your data may also be processed for the establishment, exercise, or defense of claims. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR), aimed at protecting our rights and property interests, resolving any potential dispute with You, and responding to Your complaint.

REGISTRATION FOR ONLINE AUCTIONS (THROUGH DESA UNICUM PLATFORM/APP)

 

You can sign up for online auctions via the DESA Unicum auction management platform/application (Auction Mobility). If you choose to use this option, after selecting the appropriate interactive button on the website (“Register"), You will be redirected to the platform (or, where applicable, to the application) at https://bid.desa.pl/, where in order to register, You will need to either log in to Your account on that platform/application or provide the Personal Data required for registration (e.g. first name, last name, email address). As part of this auction management process, the controller of Your Personal Data is the owner of the bid.desa.pl platform/application – Auction Mobility LLC (192 South St., Suite 600, Boston, MA 02111). Detailed information on data processing can be found in the following document: https://bid.desa.pl/privacy-policy/?#/contact-us.

 

Podanie danych niezbędnych do rejestracji jest dobrowolne, ale brak ich podania uniemożliwi Ci wzięcie udziału w aukcji. Podane przez Ciebie dane będziemy przetwarzać w następujących celach: 

 

  • Contract execution – legal basis: necessity to perform a contract or take pre-contractual steps (Art. 6(1)(b) GDPR);

  • Contacting You via Your e-mail address for purposes related to the provision of services, including coordination of Your participation in the auction (e.g., reminders about the auction date, confirmation of participation, information about organizational changes affecting the provision of the service) – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR), which consists in ensuring efficient service for auction participants;

  • Fulfilling our legal obligations related to receiving a payment from You, such as issuing an invoice or receipt – the legal basis for processing is our legal obligation (Article 6(1)(c) of the GDPR) in connection with relevant tax and accounting regulations;

  • The possible establishment, exercise, or defense of legal claims – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR), consisting in handling claims, striving to resolve disputes, and protecting our economic interests.

  • These provisions apply to all auctions organized by DESA Unicum available on the desa.pl website, including thematic and recurring auctions such as the “Young Art Auction." The data processing rules described in this section apply regardless of the name of the auction or its specific subpage within the desa.pl domain. 

COMPANY PROFILE ON SOCIAL MEDIA

If You visit our profile on social media platforms like

Facebook (https://www.facebook.com/DESAUnicumWarszawa),

Instagram (https://www.instagram.com/desa_unicum),

LinkedIn (https://www.linkedin.com/company/desa-unicum),

YouTube (https://www.youtube.com/@DesaUnicum),

Pinterest (https://pl.pinterest.com/desaunicum) and interact with us (e.g., follow, comment, like), we process Your Personal Data.

 

The scope of Personal Data we process includes data You provide to us yourself, as well as data obtained by us from the operator of a given platform, including data such as Your identifier on a social media platform (e.g., your first and last name or profile name), profile picture/avatar, etc. Providing this data is voluntary, but without providing it, You will not be able to use certain functions of the social media platform (e.g., add comments, send us messages). 

 

Independently of us, the platform operator processes Your Personal Data to provide You with the services of that platform, in accordance with it's terms and conditions of use. Please familiarize yourself with the terms of service and privacy policy/data processing information applicable on the platform You use.

When browsing our website, You will find links directing to our profiles (company accounts/pages) on social media platforms. By clicking such a link, You will be redirected to our profile (company account/page) maintained on the selected platform. After being redirected to such a platform, the operator of that platform is also the controller of Your Personal Data, and may use the collected information for their own purposes (e.g., they may use information that You have moved from our service to the social media platform for advertising purposes, market research, or gathering information about your preferences). We have no influence over the processing of Personal Data carried out by the platform operator independently from us, as a separate controller. Detailed information about the processing of Personal Data by social media platforms can be found in their privacy policies:

 

 

Facebook, Instagram, LinkedIn, YouTube 

If you use our profile (company page) on these platforms or content associated with it, we process Your Personal Data. The data we process may include:

  • username; 

  • comments posted on our company page; 

  • messages sent to us; 

  • activity on our company page (using the “Audience Insights" service we utilize), such as visits to our company page, posts, average video view duration, information about the country and city of visitors, statistics regarding visitors' gender; 

  • other information necessary to fulfill requests or to uniquely identify visitors.

 

The operator of the Facebook and Instagram platforms is Meta Platforms Ireland Limited (Serpentine Avenue, Block J, Dublin 4, Ireland - hereinafter “Meta"). Meta processes Your Personal Data in accordance with its privacy policy, which

is available at https://www.facebook.com/privacy/policy/ (Facebook) and https://privacycenter.instagram.com/policy (Instagram). 

 

Co-management with Meta 

We use statistical information related to the use of our profile (company page) on Facebook and Instagram, which Meta provides to us in anonymized form, including through the “Audience Insights" service. This service does not allow the information to be linked to individual users or access their personal profiles. More information about company page statistics on Facebook and Instagram can be found at: https://www.facebook.com/legal/terms/information_about_page_insights_data

We are joint controllers of Your Personal Data together with the operators of the Facebook and Instagram platforms - Meta (Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland) - in relation to data processing for page statistics (data for statistical purposes). The co-management includes aggregate analysis of data to display statistics on the activity of users on our profile.

Meta's responsibilities regarding data processing in the co-management include:

  • having the legal basis for processing data for page statistics purposes; 

  • ensuring the rights of data subjects are respected;

  • reporting data breaches to the supervisory authority and notifying affected individuals; · providing appropriate technical and organizational measures to ensure the security of your data.

Our responsibilities regarding data processing in the co-management include: 

  • having the legal basis for processing data for statistics purposes; 

  • fulfilling information obligations regarding the processing purposes carried out by us.

The main supervisory authority for the joint data processing is the Irish Data Protection Commission. Detailed information about the mutual arrangements between the joint controllers is available at: https://www.facebook.com/legal/terms/page_controller_addendum

 

In connection with managing profiles (company pages) on the platforms, we may process Your Personal Data for purposes based on our legitimate interest (Article 6(1)(f) of the GDPR), consisting of:

  • managing the profile on the social media platform under the terms set by the platform operator; 

  • conducting marketing campaigns on the website; 

  • informing via our profile about our business activities; 

  • building and strengthening relationships with potential and current customers through communication via the social media platform; 

  • performing analyses and statistics regarding the functioning, popularity, and usage of our profile; 

  • establishing, pursuing, and defending against any claims related to the use of the profile.

 

Pinterest 

If you use our profiles/accounts on the Pinterest platform (including the main DESA Unicum profile and subprofiles, e.g. “DESA Młoda Sztuka"), we process the data that you voluntarily provide to us on this platform (e.g. username, comments, messages), as well as statistical data made available to us in aggregated form by the platform operator. The operator of the Pinterest platform is the entity operating the Pinterest service. Data on this platform is also processed by its operator as a separate data controller, in accordance with its terms and conditions and privacy policy. We encourage you to familiarize yourself with the data processing rules applicable on Pinterest: https://policy.pinterest.com/pl/privacy-policy. 

  • We process the data on the basis of our legitimate interest (Article 6(1)(f) of the GDPR), in particular for the purpose of operating the profile, communicating with users, presenting content related to our activities, analyzing the performance of the profile, and, where necessary, establishing, pursuing, or defending legal claims. 

 

NEWSLETTER 

If You want to receive information about our auctions, You can use our free newsletter service (newsletter subscription). To do this, we will ask You to provide Your e-mail address. This is voluntary but necessary to use the newsletter.

 

By subscribing to the newsletter, you agree to receive commercial information, including information about auctions and other marketing content related to Desa Unicum. Your consent also includes the use of systems for automatic newsletter delivery. 

 

The legal basis for processing Your Personal Data for the newsletter is your consent (Article 6(1)(a) of the GDPR). You can unsubscribe newsletter (withdraw Your consent) at any time. Simply click the special link at the end of each message or send us an e-mail requesting to unsubscribe. Withdrawal of consent does not affect the lawfulness of the processing of Your Personal Data based on consent before it's withdrawal.

MARKETING AND INFORMATION ABOUT OUR ACTIVITIES

We conduct marketing activities in compliance with applicable legal regulations, including respecting restrictions or bans on advertising and promotions. 

 

Sending Marketing Content

You may optionally agree to receive from us, via Your chosen communication channel (e.g., email, SMS/MMS, or similar electronic means), our offers, information about auctions, and similar marketing content related to us and our activities. The legal basis for processing is your consent (Art. 6(1)(a) GDPR).

 

Internet Marketing

We may also - within the limits allowed by law - inform You about our activities using internet marketing tools (e.g., banners on other websites). For this purpose, we may use information collected when you use our website (e.g., the fact that You are a client/visited the webiste can help us optimize our online campaigns). The legal basis for such processing is our legitimate interest in informing You about our activities and services (Art. 6(1)(f) GDPR).

 

We use marketing partners such as Meta (Facebook) to display our campaigns tailored based on information collected during Your use of the website, including through cookies, if You have consented to their use. The legal basis for this processing is Your consent (Art. 6(1)(a) GDPR). More information can be found in the cookie section of our privacy policy.  

 

3. Cookies and Similar Technologies

On our website, we use cookies and similar technologies stored on the user's device. These allow us and our partners to collect information (e.g., tracking pixels, tags), collectively called “cookies" for simplicity.

 

Cookies are small text files saved and stored on Your device (e.g., computer or smartphone memory). They enable, among other things, recognizing your device, correctly displaying the website (including adapting it to user preferences), and collecting various information related to Your browsing of the service. Cookies usually contain the website name (domain), storage duration on the device, and a unique identifier.

 

Cookies serve various functions. Some are essential for the correct operation of the service, while others collect information about Your usage, such as remembering visits and actions performed during Your session.

 

We use cookies and similar technologies primarily for:

· ensuring proper website functioning;

· analytical and statistical purposes - to better understand user behavior and improve the website;

· marketing purposes (e.g., for internet campaign data collection).

 

Information collected by cookies generally does not directly identify You. From our perspective, cookie data is anonymous. However, in some cases, especially combined with other information (e.g., IP address combined with cookie ID and data from external providers), cookies may potentially identify You. We take a transparent, privacy-focused approach to cookies and treat their use as Personal Data processing in our privacy policy out of caution.

 

Cookies have different lifespans, after which they are automatically deleted (expired) - unless You delete them yourself earlier. Some cookies are temporary (so-called session cookies), which are stored only for the duration of Your session on the website or slightly longer (e.g., several minutes) and are automatically deleted when You close Your browser. Other cookies (e.g., Google Analytics cookies or cookies related to displaying the cookie consent message) are stored for longer periods (e.g., several months or even years) and can be deleted, for example, through Your browser settings.

 

Some cookies originate from our domain (so-called first-party cookies), while others come from external servers and are stored by third parties (e.g., service providers we use - so-called third-party cookies).

 

3.1. Essential Cookies

Some cookies are necessary for the service's correct and secure operation. Their use does not require Your consent under applicable laws (Art. 398 of the Electronic Communications Law).

 

3.2. Analytical and Statistical Cookies

We use cookies to monitor service usage and pages viewed for analytics and statistics. These include IP and MAC addresses, general geographic data, browser and device types, ISP info, and your actions within the service. This helps us create reports and statistics to improve the service and fix errors.

 

3.3. Marketing Cookies

Marketing cookies allow the display of marketing content (e.g., information about our activities) tailored to users, based on data such as visits to the website, pages viewed, and clicked links. These cookies are used, among other things, to personalize marketing content on the internet and to display ads outside of our website, as well as to generate marketing statistics. Information collected by these cookies may be shared with other companies that provide advertising networks.


All marketing activities comply with applicable advertising restrictions and bans relevant to our business.

 

3.4. External Providers' Tools

Within our website, we use various external services and tools that utilize cookies. This applies in particular to activities related to analytics and marketing. More information about the individual providers and tools we use is provided below.

 

Google Analytics

We use the Google Analytics service on our website, provided by Google (Google Ireland Limited, Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). In order to use Google Analytics, we use our own cookies to measure, create, and report statistics on your interaction with our website. The information collected by Google Analytics is used to produce general, aggregated analyses and statistics. Google Analytics does not use this data to identify users nor does it combine the data in a way that would allow such identification.

 

Regardless of the requirement to obtain consent for the use of analytical and statistical cookies (as described below), You can disable the storage of Google Analytics cookies by adjusting the settings of Your web browser. You can also block the collection and processing of data by Google Analytics by downloading and installing a special browser add-on available at: https://tools.google.com/dlpage/gaoptout/.

More information about Google Analytics can be found at: https://support.google.com/analytics/answer/6004245?hl=en and in Google's Privacy Policy: www.google.com/policies/privacy/partners/.

 

Google Marketing Tools

We use Google tools for marketing purposes. Google's marketing services (e.g. Google Ads) allow us to display our campaigns in the Google search engine and on websites that are part of the Google advertising network. We also analyze the effectiveness of these campaigns, which helps us better tailor them to users' expectations. As part of these analyses, we do not collect or process Your personal data – Google only provides us with statistics that allow us to determine which advertising measures were effective.

 

These marketing services are provided to us by Google Ireland Limited (Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). More information about how Google processes personal data can be found here: https://policies.google.com/privacy. If You have a Google account, You can manage the marketing content shown to You via cookies using Your account settings: https://myaccount.google.com/. In some cases, Google processes personal data on our behalf (as a data processor) – this applies to Google Marketing Platform and certain features of Google Ads. In other cases, Google acts as an independent data controller. Detailed information (in English) can be found here: https://business.safety.google/gdpr/.

 

Meta

In our service, we use tools provided by Meta Platforms Ireland Ltd, such as the Meta Pixel and event analysis. For example, when you visit our website, the Meta Pixel transmits information about your activity to Meta. This allows us to better tailor our advertising campaigns on the Facebook platform and assess their effectiveness. It also enables us to receive analytics and data regarding our products and services from Meta.

The process of collecting and processing data is carried out jointly with Meta Platforms Ireland Limited (joint controllership). This includes the following purposes:

  • creating personalized or relevant advertisements and optimizing them;
  • providing commercial and transactional information (e.g., via Messenger).


Joint controllership does not include the following processes:

  • processes that occur after data is collected and transmitted to Meta (these are solely the responsibility of Meta);
  • preparation of reports and analyses in aggregated and anonymized form, carried out by Meta as a data processor, which falls under our responsibility.

We have concluded a joint controllership agreement with Meta, which You can read here: https://www.facebook.com/legal/controller_addendum. This agreement outlines the respective obligations for fulfilling GDPR requirements with regard to joint controllership. More information about the processing of personal data in cooperation with Meta can be found in the Meta Business Tools Terms of Service, available here: https://www.facebook.com/legal/terms/businesstools. Further details on how Meta Platforms Ireland Limited processes personal data (including the legal basis for processing and how You can exercise Your rights with Meta) can be found here: https://www.facebook.com/about/privacy.

 

HotJar

Hotjar is a tool that enables us to analyze user activity on our website - for example, by anonymously collecting information about clicks on various links and the time spent on specific pages. Hotjar uses cookies and other technologies to collect data on user behavior and their devices. This includes the device's IP address (processed during the session and stored in anonymized form), screen size, device type (unique identifiers), browser information, geographic location (country only), and the preferred language used to display the website. The tool does not allow for the identification of the user. Detailed information about the data collected by Hotjar can be found here: https://www.hotjar.com/legal/policies/privacy/.

 

The Hotjar tool is provided by Hotjar Ltd. (Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta), which processes personal data on our behalf (as a data processor under the GDPR).

 

Livechat  
Livechat is an online tool used for sales and remote customer support. It allows users to chat via a messenger application that does not require installation on the device and is accessible by clicking a contact button. Agents use an application equipped with tools that provide information about the interlocutor (e.g., visited pages), which facilitates communication and enables offering the best possible assistance. The Livechat privacy policy is available at: https://www.livechat.com/legal/privacy-policy/

 

Pinterest marketing tools 

We may use marketing tools provided by the Pinterest platform (e.g., the Pinterest Tag) to measure the effectiveness of our campaigns and to deliver information about our activities to users of this platform. The use of these tools may involve the storage of cookies or similar technologies by the Pinterest operator (after you have given your consent to marketing cookies on our website). Details regarding how the Pinterest operator processes user data can be found in the documents made available by the operator of this platform. 

 

3.5. Consent to Use Cookies

Using cookies requires your consent (except for so-called strictly necessary cookies, as mentioned above). On our website, we display a notification informing you about the use of cookies. In this notification, you can give consent to use cookies for specific purposes or refuse consent. If you refuse, we will only use cookies necessary for the functioning of the service-your consent is not required for these because without them the service will not work properly (Article 398 of the Electronic Communications Law).

 

If the use of cookies requiring consent (e.g., analytical, marketing) leads to processing personal data, the basis for this processing is your consent (Article 6(1)(a) of the GDPR). Further processing of your personal data originally collected via cookies may take place based on our legitimate interest (Article 6(1)(f) GDPR - e.g., marketing of products or services, creating statistics and analyses), as described in previous sections of the privacy policy.

 

In the case of third-party cookies, giving consent for their use also means consenting to the transfer of your data collected via those cookies to an external provider (another company).

 

You can withdraw your consent to the use of cookies at any time, e.g., by using the cookie settings in the popup displayed on our service interface or via your web browser settings. You can also set your browser to automatically block all or selected cookies. Detailed information about browser features and settings can be found in its documentation.

 

Please note that blocking necessary cookies may cause the service to malfunction for technical reasons.

 

3.6.    List of Cookies Used on the Website

Name

Cathegory

Provider 

Duration 

Description  

__cf_bm 

Essential

vimeo.com 

1 day

This cookie, set by Cloudflare, is used to manage Cloudflare Bot Management.

CookieConsent 

Essential 

desa.pl 

1 year

Stores the user's cookie consent state for the current domain.

csrftoken 

Essential 

desa.pl 

1 year

Helps prevent CSRF (Cross-Site Request Forgery) attacks.

SESS# 

Essential

desa.pl 

14 days

Maintains user states between page requests.

test_cookie 

Essential

doubleclick.net 

1 day

Used to check if the user's browser supports cookies.

__lc_cid 

Analytical / Statistical

accounts.livechatinc.com 

400 days

Necessary for the chat function to operate on the website.

__lc_cst 

Analytical / Statistical

accounts.livechatinc.com 

400 days

Necessary for the chat function to operate on the website.

__oauth_redirect_detector 

Analytical / Statistical

accounts.livechatinc.com 

1 day

Allows the website to recognize the user to optimize chat functionality.

django_language 

Analytical / Statistical

desa.pl 

1 year

Specifies the visitor's preferred language. Enables the website to set the preferred language on return visits.

_clck 

Analytical / Statistical

desa.pl 

1 year

Collects data on user navigation and behavior on the website. Used to create statistical reports and heatmaps for the site owner.

_clsk 

Analytical / Statistical

desa.pl 

1 day 

Records statistical data on user behavior on the website. Used for internal analysis by the website operator.

_cltk 

Analytical / Statistical

clarity.ms 

Session

Records statistical data on user behavior on the website. Used for internal analysis by the website operator.

_ga 

Analytical / Statistical

desa.pl 

25 months

Records a unique identifier used to generate statistical data on how the visitor uses the website.

ga# 

Analytical / Statistical

desa.pl 

25 months

Used by Google Analytics to collect data on the number of user visits, as well as first and last visit dates.

_gat 

Analytical / Statistical

desa.pl 

1 day

Used by Google Analytics to limit the number of requests.

_gid 

Analytical / Statistical

desa.pl 

1 day 

Records a unique identifier used to generate statistical data on how the visitor uses the website.

_hjAbsoluteSesyjnyInProgress 

Analytical / Statistical

desa.pl 

1 day

This cookie counts how many times the site was visited by different users by assigning an identifier to avoid double counting.

_hjFirstSeen 

Analytical / Statistical

desa.pl 

1 day 

This cookie determines whether the user has visited the site before or is a new visitor.

hjIncludedInSesyjnySample# 

Analytical / Statistical

desa.pl 

1 day

Collects statistics about visitor sessions, such as number of visits, average time spent, and pages viewed.

hjSesyjny# 

Analytical / Statistical

desa.pl 

1 day

Collects statistics about user sessions, including number of visits, average time on site, and pages viewed.

hjSesyjnyUser# 

Analytical / Statistical 

desa.pl 

1 year

Collects statistics about user sessions, including number of visits, average time on site, and pages viewed.

_livechat_has_visited 

Analytical / Statistical

cdn.livechatinc.com 

Permament 

Identifies visitors across devices and visits to optimize chat functions on the website.

c.gif 

Analytical / Statistical

c.clarity.ms 

Session

Collects data on user navigation and behavior for statistical reports and heatmaps for the site owner.

vuid 

Analytical / Statistical

vimeo.com 

2 years 

Collects data about user visits on the site, such as pages viewed.

_fbp 

Marketing

desa.pl 

3 months 

Used by Facebook to deliver a range of advertising products such as real-time bidding from external advertisers.

_gcl_au 

Marketing

desa.pl 

3 months

Used by Google AdSense to experiment with advertising effectiveness on websites using their services.

_uetsid 

Marketing

bing.com 

Permament

Tracks visitors across multiple websites to present relevant ads based on visitor preferences.

_uetsid 

Marketing

desa.pl 

1 day

Collects data on visitor behavior across multiple websites to deliver more relevant ads and limit repeated ad views. 

_uetsid_exp 

Marketing

bing.com 

Permament

Contains the expiration date for the related _uetsid cookie.

_uetvid 

Marketing

bing.com 

Permament

Tracks visitors across multiple websites to present relevant ads based on visitor preferences.

_uetvid 

Marketing

desa.pl 

1 year

Tracks visitors across multiple websites to present relevant ads based on visitor preferences.

_uetvid_exp 

Marketing

bing.com 

Permament

Contains the expiration date for the related _uetvid cookie.

pagead/landing 

Marketing

doubleclick.net 

Session

Collects data on visitor behavior across multiple websites to present more relevant ads and limit repeated ad views.

 

3.7. Cookie Mechanism

The cookie mechanism is safe for Your device. It does not allow viruses or other unwanted software to enter Your device. However, You can limit or disable cookies in your browser settings. If You do so, You will still be able to use the Service, although some features that require cookies may be unavailable.

 

3.8. Changing Cookie Settings

Below are instructions on how to change cookie settings in popular web browsers:

a) Internet Edge;

b) Mozilla Firefox browser;

c) Chrome browser;   

d) Safari browser;   

e) Opera browser.  

 

4. Personal Data Processing Period

The period of processing Your personal data depends on it's type, purpose, and the legal basis for processing. We store the data:

  • in the case of processing based on legitimate interest (e.g., protection against or pursuit of claims) – for the time necessary to fulfill that interest (e.g., for monetary claims – until the statute of limitations), unless you successfully object to the processing earlier;
     
  • when the basis for processing is the necessity to conclude and perform a contract – for the duration of that contract;
     
  • when processing is required by applicable legal regulations – for the time specified by those regulations (e.g., tax documentation is usually kept for 5 years from the end of the year in which the tax payment was due);
     
  • when data is processed based on consent – until the consent is withdrawn, unless the data is no longer needed for the purpose for which the consent was given.

 

The period of processing your personal data may be extended if processing is necessary to establish, pursue, or defend against potential claims, or when necessary to comply with our legal obligations. After this period, the data is deleted or irreversibly anonymized.

 

Personal data provided in comments on our social media fanpages will be stored until deleted by the author. The retention period for any data related to the use of our social media fanpages is determined by the operators of those platforms.

 

5. Rights of Data Subjects

In accordance with Articles 15–22 of the GDPR, each user has the following rights:

 

  • Right of access to data (Article 15 GDPR): The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the data. In accordance with Article 15, the controller shall provide a copy of the personal data undergoing processing.
     
  • Right to rectification (Article 16 GDPR): The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay.
     
  • Right to erasure (“right to be forgotten") (Article 17 GDPR): The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing.

  • Right to restriction of processing (Article 18 GDPR): The data subject has the right to obtain from the controller restriction of processing where:

a) the accuracy of the data is contested – for a period enabling the controller to verify the data;

b) the data subject has objected to processing pursuant to Article 21(1) – pending verification whether the controller's legitimate grounds override those of the data subject;

c) the processing is unlawful and the data subject opposes the erasure of the data and requests restriction of their use instead.

 

  • Right to data portability (Article 19 GDPR)

 

  • Right to object: If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.
     
  • Right to lodge a complaint with a supervisory authority: If you believe that your personal data is being processed unlawfully, you have the right to lodge a complaint with a data protection supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
     

When exercising your rights described above, we may verify your identity.

 

6. Data Recipients

 

As part of operating the website, we use the services of third parties (our subcontractors or providers). Therefore, the recipients of Your personal data will include IT service providers (e.g., hosting), entities such as banks and payment operators, companies providing accounting services (in connection with issuing invoices/receipts), and the operator of the auction management platform/application used by DESA Unicum (Auction Mobility), to the extent that it acts as a data processor – in accordance with Article 28 of the GDPR. In such cases, we process users' personal data (e.g., auction participants) solely based on documented instructions from the data controller, in order to enable the handling of the sales process via our auction system. The processing is carried out in accordance with a data processing agreement and the data is not used by us for any other purpose.

 

Due to the use of external cookies, the data collected by these cookies – including information that may constitute personal data – is collected by the third-party providers of those cookies (details can be found in point 3 of the privacy policy regarding cookies).

 

7. Transfer of Data Outside the EEA

 

The level of protection for personal data outside the European Economic Area (EEA) differs from that guaranteed by European law. For this reason, we ensure that Your personal data will only be transferred outside the EEA when it is necessary and with appropriate safeguards in place.

Due to our use of certain tools provided by companies headquartered in the USA (e.g., services from Google, Meta), user data (such as cookie identifiers) may be transferred to servers located in the United States. According to the European Commission's decision of July 10, 2023, the USA has been recognized as a country ensuring an adequate level of personal data protection for companies participating in the EU–U.S. Data Privacy Framework. Companies such as Google LLC and Meta Platforms Inc. are part of this program. In the case of Auction Mobility LLC, which is not part of the program, the transfer of personal data is based on the Standard Contractual Clauses approved by the European Commission. More details about these standard clauses can be found here: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847.

 

8. Security

To ensure the security of Your personal data, we regularly conduct risk assessments and apply appropriate organizational and technical measures. We ensure that all operations involving personal data are logged and carried out exclusively by authorized employees and collaborators. When transmitting personal data through the website, we provide a secure and encrypted connection to our server.

 

We take all necessary steps to ensure that our subcontractors and other cooperating entities also implement appropriate security measures when processing Your personal data on our behalf.

 

9.   Our Contact Details and Data Protection Officer

 

You can contact us by mail at the following address: DESA Unicum S.A., str. Piękna 1A, 00-477 Warsaw, Poland.

We have appointed a Data Protection Officer (DPO or IOD in Polish). Our DPO is Krzysztof Pawelec. You may contact him regarding matters related to the processing of your personal data by sending a letter to: DESA Unicum S.A., str. Piękna 1A, 00-477 Warsaw, or via email to: rodo@desa.pl, with the subject line “IOD" (“DPO").

 

10.  Changes to the Privacy Policy

 

We regularly review our privacy policy and update it when necessary. If the changes are significant, we will make every effort to inform you through available communication channels (e.g., via email).

 

 

The current version of the privacy policy has been in effect since 28th/October/2025

 

Withdrawing consent to the processing of personal data

 

Dear Sir or Madam,

you have the right to withdraw your consent to the processing of your personal data or exercise your other rights in connection with the processing of personal data at any time. For this purpose, please download the form below, print it, fill in, and sign it, and send it back by e-mail to: biuro@desa.pl or by post to the following address: DESA Unicum S.A., Piękna 1A, 00-477 Warszawa.

 

 

Contact form

PRIVACY POLICY

 

1. Definitions and General Information 

 

When you visit or use our website, we collect and process your personal data. This privacy policy outlines the principles and purposes of processing such data and includes information about cookies and similar technologies used on the website. By using the website, you confirm your acceptance of these terms and conditions.

 

The personal data collected through the website is processed by Desa Unicum in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), the Polish Personal Data Protection Act of 10 May 2018, and the Electronic Communications Law of 12 July 2024.

 

The following key terms have the following meanings:

 

TERM

EXPLANATION

Data Controller or We 

The Data Controller is the entity that determines the purposes and means of processing personal data and is also responsible, among other things, for ensuring an appropriate level of data protection and for exercising the rights of individuals whose data is being processed.  

 

The controller of Your Personal Data collected in connection with Your use of the website is us, that is:

 

DESA Unicum S.A. headquartered in Warsaw (str. Piękna 1A, 00-477 Warsaw)

Personal Data

Any information about an identified or identifiable natural person (i.e., a living human being); an identifiable person is one who can be identified directly or indirectly, for example, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Privacy Policy 

this document 

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

website 

The website available at www.desal.pl, allowing users to access the services offered through it.

You or user 

Any natural person visiting the website.

 

2. Purposes and Legal Basis for the Processing of Personal Data

 

AREA

PURPOSE AND LEGAL BASIS

USE OF THE WEBSITE

We use cookies or similar technologies within the website. Therefore, as the Data Controller, we process information that may be considered Personal Data (e.g., IP address, online identifiers, device data, activity data within the website). We process this information for the following purposes:

  • To provide you the website access – legal basis: necessity for the performance of a service (Art. 6 (1) (b) GDPR);

  • Analytical and statistical purposes – legal basis: our legitimate interest (Art. 6 (1) (f) GDPR), which involves analyzing user activity and preferences to improve functionality and services, subject to Your consent to use analytical and statistical cookies or similar technologies.

  

More information about cookies can be found later in this Privacy Policy.

 

Your activity within the service is recorded in so-called system logs (a special program used to store chronological records of events and actions related to our IT system/service). These logs may contain Personal Data (e.g., IP address, device data). This information is primarily processed for technical and administrative purposes (e.g., error detection), to ensure the security of our IT system/service (e.g., detecting cyberattacks), and for analytical/statistical purposes – the legal basis being our legitimate interest (Art. 6(1)(f) GDPR), aimed at ensuring the proper functioning of the website and it's improvement, as well as protecting our economic interests.

CONTACT FORM, HELPLINE, E-MAIL

We offer various communication channels, such as an online contact form, helpline, email, and social media (Facebook, Instagram, LinkedIn, YouTube). When You contact us, we may process Your Personal Data.

 

When using our contact form on our website, You will be asked to provide necessary Personal Data (e.g., name, email address). This data is required to handle Your inquiry and establish communication. Providing the data is voluntary, but the form cannot be submitted without it.

 

When contacting us through available channels, we process Your Personal Data to identify the sender and handle the inquiry. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR), which is to respond and support users.

 

In some cases (e.g., complaint submission), Your data may also be processed for the establishment, exercise, or defense of claims. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR), aimed at protecting our rights and property interests, resolving any potential dispute with You, and responding to Your complaint.

REGISTRATION FOR ONLINE AUCTIONS (THROUGH DESA UNICUM PLATFORM/APP)

 

You can sign up for online auctions via the DESA Unicum auction management platform/application (Auction Mobility). If you choose to use this option, after selecting the appropriate interactive button on the website (“Register"), You will be redirected to the platform (or, where applicable, to the application) at https://bid.desa.pl/, where in order to register, You will need to either log in to Your account on that platform/application or provide the Personal Data required for registration (e.g. first name, last name, email address). As part of this auction management process, the controller of Your Personal Data is the owner of the bid.desa.pl platform/application – Auction Mobility LLC (192 South St., Suite 600, Boston, MA 02111). Detailed information on data processing can be found in the following document: https://bid.desa.pl/privacy-policy/?#/contact-us.

 

Podanie danych niezbędnych do rejestracji jest dobrowolne, ale brak ich podania uniemożliwi Ci wzięcie udziału w aukcji. Podane przez Ciebie dane będziemy przetwarzać w następujących celach: 

 

  • Contract execution – legal basis: necessity to perform a contract or take pre-contractual steps (Art. 6(1)(b) GDPR);

  • Contacting You via Your e-mail address for purposes related to the provision of services, including coordination of Your participation in the auction (e.g., reminders about the auction date, confirmation of participation, information about organizational changes affecting the provision of the service) – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR), which consists in ensuring efficient service for auction participants;

  • Fulfilling our legal obligations related to receiving a payment from You, such as issuing an invoice or receipt – the legal basis for processing is our legal obligation (Article 6(1)(c) of the GDPR) in connection with relevant tax and accounting regulations;

  • The possible establishment, exercise, or defense of legal claims – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR), consisting in handling claims, striving to resolve disputes, and protecting our economic interests.

COMPANY PROFILE ON SOCIAL MEDIA

If You visit our profile on social media platforms like

Facebook (https://www.facebook.com/DESAUnicumWarszawa),

Instagram (https://www.instagram.com/desa_unicum),

LinkedIn (https://www.linkedin.com/company/desa-unicum),

YouTube (https://www.youtube.com/@DesaUnicum) and interact with us (e.g., follow, comment, like), we process Your Personal Data.

 

The scope of Personal Data we process includes data You provide to us yourself, as well as data obtained by us from the operator of a given platform, including data such as Your identifier on a social media platform (e.g., your first and last name or profile name), profile picture/avatar, etc. Providing this data is voluntary, but without providing it, You will not be able to use certain functions of the social media platform (e.g., add comments, send us messages). 

 

Independently of us, the platform operator processes Your Personal Data to provide You with the services of that platform, in accordance with it's terms and conditions of use. Please familiarize yourself with the terms of service and privacy policy/data processing information applicable on the platform You use.

When browsing our website, You will find links directing to our profiles (company accounts/pages) on social media platforms. By clicking such a link, You will be redirected to our profile (company account/page) maintained on the selected platform. After being redirected to such a platform, the operator of that platform is also the controller of Your Personal Data, and may use the collected information for their own purposes (e.g., they may use information that You have moved from our service to the social media platform for advertising purposes, market research, or gathering information about your preferences). We have no influence over the processing of Personal Data carried out by the platform operator independently from us, as a separate controller. Detailed information about the processing of Personal Data by social media platforms can be found in their privacy policies:

 

 

Facebook, Instagram, LinkedIn, YouTube 

If you use our profile (company page) on these platforms or content associated with it, we process Your Personal Data. The data we process may include:

  • username; 

  • comments posted on our company page; 

  • messages sent to us; 

  • activity on our company page (using the “Audience Insights" service we utilize), such as visits to our company page, posts, average video view duration, information about the country and city of visitors, statistics regarding visitors' gender; 

  • other information necessary to fulfill requests or to uniquely identify visitors.

 

The operator of the Facebook and Instagram platforms is Meta Platforms Ireland Limited (Serpentine Avenue, Block J, Dublin 4, Ireland - hereinafter “Meta"). Meta processes Your Personal Data in accordance with its privacy policy, which

is available at https://www.facebook.com/privacy/policy/ (Facebook) and https://privacycenter.instagram.com/policy (Instagram). 

 

Co-management with Meta 

We use statistical information related to the use of our profile (company page) on Facebook and Instagram, which Meta provides to us in anonymized form, including through the “Audience Insights" service. This service does not allow the information to be linked to individual users or access their personal profiles. More information about company page statistics on Facebook and Instagram can be found at: https://www.facebook.com/legal/terms/information_about_page_insights_data

We are joint controllers of Your Personal Data together with the operators of the Facebook and Instagram platforms - Meta (Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland) - in relation to data processing for page statistics (data for statistical purposes). The co-management includes aggregate analysis of data to display statistics on the activity of users on our profile.

Meta's responsibilities regarding data processing in the co-management include:

  • having the legal basis for processing data for page statistics purposes; 

  • ensuring the rights of data subjects are respected;

  • reporting data breaches to the supervisory authority and notifying affected individuals; · providing appropriate technical and organizational measures to ensure the security of your data.

Our responsibilities regarding data processing in the co-management include: 

  • having the legal basis for processing data for statistics purposes; 

  • fulfilling information obligations regarding the processing purposes carried out by us.

The main supervisory authority for the joint data processing is the Irish Data Protection Commission. Detailed information about the mutual arrangements between the joint controllers is available at: https://www.facebook.com/legal/terms/page_controller_addendum

 

In connection with managing profiles (company pages) on the platforms, we may process Your Personal Data for purposes based on our legitimate interest (Article 6(1)(f) of the GDPR), consisting of:

  • managing the profile on the social media platform under the terms set by the platform operator; 

  • conducting marketing campaigns on the website; 

  • informing via our profile about our business activities; 

  • building and strengthening relationships with potential and current customers through communication via the social media platform; 

  • performing analyses and statistics regarding the functioning, popularity, and usage of our profile; 

  • establishing, pursuing, and defending against any claims related to the use of the profile.

NEWSLETTER 

If You want to receive information about our auctions, You can use our free newsletter service (newsletter subscription). To do this, we will ask You to provide Your e-mail address. This is voluntary but necessary to use the newsletter.

 

By subscribing to the newsletter, you agree to receive commercial information, including information about auctions and other marketing content related to Desa Unicum. Your consent also includes the use of systems for automatic newsletter delivery. 

 

The legal basis for processing Your Personal Data for the newsletter is your consent (Article 6(1)(a) of the GDPR). You can unsubscribe newsletter (withdraw Your consent) at any time. Simply click the special link at the end of each message or send us an e-mail requesting to unsubscribe. Withdrawal of consent does not affect the lawfulness of the processing of Your Personal Data based on consent before it's withdrawal.

MARKETING AND INFORMATION ABOUT OUR ACTIVITIES

We conduct marketing activities in compliance with applicable legal regulations, including respecting restrictions or bans on advertising and promotions. 

 

Sending Marketing Content

You may optionally agree to receive from us, via Your chosen communication channel (e.g., email, SMS/MMS, or similar electronic means), our offers, information about auctions, and similar marketing content related to us and our activities. The legal basis for processing is your consent (Art. 6(1)(a) GDPR).

 

Internet Marketing

We may also - within the limits allowed by law - inform You about our activities using internet marketing tools (e.g., banners on other websites). For this purpose, we may use information collected when you use our website (e.g., the fact that You are a client/visited the webiste can help us optimize our online campaigns). The legal basis for such processing is our legitimate interest in informing You about our activities and services (Art. 6(1)(f) GDPR).

 

We use marketing partners such as Meta (Facebook) to display our campaigns tailored based on information collected during Your use of the website, including through cookies, if You have consented to their use. The legal basis for this processing is Your consent (Art. 6(1)(a) GDPR). More information can be found in the cookie section of our privacy policy.  

 

3. Cookies and Similar Technologies

On our website, we use cookies and similar technologies stored on the user's device. These allow us and our partners to collect information (e.g., tracking pixels, tags), collectively called “cookies" for simplicity.

 

Cookies are small text files saved and stored on Your device (e.g., computer or smartphone memory). They enable, among other things, recognizing your device, correctly displaying the website (including adapting it to user preferences), and collecting various information related to Your browsing of the service. Cookies usually contain the website name (domain), storage duration on the device, and a unique identifier.

 

Cookies serve various functions. Some are essential for the correct operation of the service, while others collect information about Your usage, such as remembering visits and actions performed during Your session.

 

We use cookies and similar technologies primarily for:

· ensuring proper website functioning;

· analytical and statistical purposes - to better understand user behavior and improve the website;

· marketing purposes (e.g., for internet campaign data collection).

 

Information collected by cookies generally does not directly identify You. From our perspective, cookie data is anonymous. However, in some cases, especially combined with other information (e.g., IP address combined with cookie ID and data from external providers), cookies may potentially identify You. We take a transparent, privacy-focused approach to cookies and treat their use as Personal Data processing in our privacy policy out of caution.

 

Cookies have different lifespans, after which they are automatically deleted (expired) - unless You delete them yourself earlier. Some cookies are temporary (so-called session cookies), which are stored only for the duration of Your session on the website or slightly longer (e.g., several minutes) and are automatically deleted when You close Your browser. Other cookies (e.g., Google Analytics cookies or cookies related to displaying the cookie consent message) are stored for longer periods (e.g., several months or even years) and can be deleted, for example, through Your browser settings.

 

Some cookies originate from our domain (so-called first-party cookies), while others come from external servers and are stored by third parties (e.g., service providers we use - so-called third-party cookies).

 

3.1. Essential Cookies

Some cookies are necessary for the service's correct and secure operation. Their use does not require Your consent under applicable laws (Art. 398 of the Electronic Communications Law).

 

3.2. Analytical and Statistical Cookies

We use cookies to monitor service usage and pages viewed for analytics and statistics. These include IP and MAC addresses, general geographic data, browser and device types, ISP info, and your actions within the service. This helps us create reports and statistics to improve the service and fix errors.

 

3.3. Marketing Cookies

Marketing cookies allow the display of marketing content (e.g., information about our activities) tailored to users, based on data such as visits to the website, pages viewed, and clicked links. These cookies are used, among other things, to personalize marketing content on the internet and to display ads outside of our website, as well as to generate marketing statistics. Information collected by these cookies may be shared with other companies that provide advertising networks.


All marketing activities comply with applicable advertising restrictions and bans relevant to our business.

 

3.4. External Providers' Tools

Within our website, we use various external services and tools that utilize cookies. This applies in particular to activities related to analytics and marketing. More information about the individual providers and tools we use is provided below.

 

Google Analytics

We use the Google Analytics service on our website, provided by Google (Google Ireland Limited, Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). In order to use Google Analytics, we use our own cookies to measure, create, and report statistics on your interaction with our website. The information collected by Google Analytics is used to produce general, aggregated analyses and statistics. Google Analytics does not use this data to identify users nor does it combine the data in a way that would allow such identification.

 

Regardless of the requirement to obtain consent for the use of analytical and statistical cookies (as described below), You can disable the storage of Google Analytics cookies by adjusting the settings of Your web browser. You can also block the collection and processing of data by Google Analytics by downloading and installing a special browser add-on available at: https://tools.google.com/dlpage/gaoptout/.

More information about Google Analytics can be found at: https://support.google.com/analytics/answer/6004245?hl=en and in Google's Privacy Policy: www.google.com/policies/privacy/partners/.

 

Google Marketing Tools

We use Google tools for marketing purposes. Google's marketing services (e.g. Google Ads) allow us to display our campaigns in the Google search engine and on websites that are part of the Google advertising network. We also analyze the effectiveness of these campaigns, which helps us better tailor them to users' expectations. As part of these analyses, we do not collect or process Your personal data – Google only provides us with statistics that allow us to determine which advertising measures were effective.

 

These marketing services are provided to us by Google Ireland Limited (Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). More information about how Google processes personal data can be found here: https://policies.google.com/privacy. If You have a Google account, You can manage the marketing content shown to You via cookies using Your account settings: https://myaccount.google.com/. In some cases, Google processes personal data on our behalf (as a data processor) – this applies to Google Marketing Platform and certain features of Google Ads. In other cases, Google acts as an independent data controller. Detailed information (in English) can be found here: https://business.safety.google/gdpr/.

 

Meta

In our service, we use tools provided by Meta Platforms Ireland Ltd, such as the Meta Pixel and event analysis. For example, when you visit our website, the Meta Pixel transmits information about your activity to Meta. This allows us to better tailor our advertising campaigns on the Facebook platform and assess their effectiveness. It also enables us to receive analytics and data regarding our products and services from Meta.

The process of collecting and processing data is carried out jointly with Meta Platforms Ireland Limited (joint controllership). This includes the following purposes:

  • creating personalized or relevant advertisements and optimizing them;
  • providing commercial and transactional information (e.g., via Messenger).


Joint controllership does not include the following processes:

  • processes that occur after data is collected and transmitted to Meta (these are solely the responsibility of Meta);
  • preparation of reports and analyses in aggregated and anonymized form, carried out by Meta as a data processor, which falls under our responsibility.

We have concluded a joint controllership agreement with Meta, which You can read here: https://www.facebook.com/legal/controller_addendum. This agreement outlines the respective obligations for fulfilling GDPR requirements with regard to joint controllership. More information about the processing of personal data in cooperation with Meta can be found in the Meta Business Tools Terms of Service, available here: https://www.facebook.com/legal/terms/businesstools. Further details on how Meta Platforms Ireland Limited processes personal data (including the legal basis for processing and how You can exercise Your rights with Meta) can be found here: https://www.facebook.com/about/privacy.

 

HotJar

Hotjar is a tool that enables us to analyze user activity on our website - for example, by anonymously collecting information about clicks on various links and the time spent on specific pages. Hotjar uses cookies and other technologies to collect data on user behavior and their devices. This includes the device's IP address (processed during the session and stored in anonymized form), screen size, device type (unique identifiers), browser information, geographic location (country only), and the preferred language used to display the website. The tool does not allow for the identification of the user. Detailed information about the data collected by Hotjar can be found here: https://www.hotjar.com/legal/policies/privacy/.

 

The Hotjar tool is provided by Hotjar Ltd. (Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta), which processes personal data on our behalf (as a data processor under the GDPR).

 

Livechat  
Livechat is an online tool used for sales and remote customer support. It allows users to chat via a messenger application that does not require installation on the device and is accessible by clicking a contact button. Agents use an application equipped with tools that provide information about the interlocutor (e.g., visited pages), which facilitates communication and enables offering the best possible assistance. The Livechat privacy policy is available at: https://www.livechat.com/legal/privacy-policy/

 

3.5. Consent to Use Cookies

Using cookies requires your consent (except for so-called strictly necessary cookies, as mentioned above). On our website, we display a notification informing you about the use of cookies. In this notification, you can give consent to use cookies for specific purposes or refuse consent. If you refuse, we will only use cookies necessary for the functioning of the service-your consent is not required for these because without them the service will not work properly (Article 398 of the Electronic Communications Law).

 

If the use of cookies requiring consent (e.g., analytical, marketing) leads to processing personal data, the basis for this processing is your consent (Article 6(1)(a) of the GDPR). Further processing of your personal data originally collected via cookies may take place based on our legitimate interest (Article 6(1)(f) GDPR - e.g., marketing of products or services, creating statistics and analyses), as described in previous sections of the privacy policy.

 

In the case of third-party cookies, giving consent for their use also means consenting to the transfer of your data collected via those cookies to an external provider (another company).

 

You can withdraw your consent to the use of cookies at any time, e.g., by using the cookie settings in the popup displayed on our service interface or via your web browser settings. You can also set your browser to automatically block all or selected cookies. Detailed information about browser features and settings can be found in its documentation.

 

Please note that blocking necessary cookies may cause the service to malfunction for technical reasons.

 

3.6.    List of Cookies Used on the Website

Name

Cathegory

Provider 

Duration 

Description  

__cf_bm 

Essential

vimeo.com 

1 day

This cookie, set by Cloudflare, is used to manage Cloudflare Bot Management.

CookieConsent 

Essential 

desa.pl 

1 year

Stores the user's cookie consent state for the current domain.

csrftoken 

Essential 

desa.pl 

1 year

Helps prevent CSRF (Cross-Site Request Forgery) attacks.

SESS# 

Essential

desa.pl 

14 days

Maintains user states between page requests.

test_cookie 

Essential

doubleclick.net 

1 day

Used to check if the user's browser supports cookies.

__lc_cid 

Analytical / Statistical

accounts.livechatinc.com 

400 days

Necessary for the chat function to operate on the website.

__lc_cst 

Analytical / Statistical

accounts.livechatinc.com 

400 days

Necessary for the chat function to operate on the website.

__oauth_redirect_detector 

Analytical / Statistical

accounts.livechatinc.com 

1 day

Allows the website to recognize the user to optimize chat functionality.

django_language 

Analytical / Statistical

desa.pl 

1 year

Specifies the visitor's preferred language. Enables the website to set the preferred language on return visits.

_clck 

Analytical / Statistical

desa.pl 

1 year

Collects data on user navigation and behavior on the website. Used to create statistical reports and heatmaps for the site owner.

_clsk 

Analytical / Statistical

desa.pl 

1 day 

Records statistical data on user behavior on the website. Used for internal analysis by the website operator.

_cltk 

Analytical / Statistical

clarity.ms 

Session

Records statistical data on user behavior on the website. Used for internal analysis by the website operator.

_ga 

Analytical / Statistical

desa.pl 

25 months

Records a unique identifier used to generate statistical data on how the visitor uses the website.

ga# 

Analytical / Statistical

desa.pl 

25 months

Used by Google Analytics to collect data on the number of user visits, as well as first and last visit dates.

_gat 

Analytical / Statistical

desa.pl 

1 day

Used by Google Analytics to limit the number of requests.

_gid 

Analytical / Statistical

desa.pl 

1 day 

Records a unique identifier used to generate statistical data on how the visitor uses the website.

_hjAbsoluteSesyjnyInProgress 

Analytical / Statistical

desa.pl 

1 day

This cookie counts how many times the site was visited by different users by assigning an identifier to avoid double counting.

_hjFirstSeen 

Analytical / Statistical

desa.pl 

1 day 

This cookie determines whether the user has visited the site before or is a new visitor.

hjIncludedInSesyjnySample# 

Analytical / Statistical

desa.pl 

1 day

Collects statistics about visitor sessions, such as number of visits, average time spent, and pages viewed.

hjSesyjny# 

Analytical / Statistical

desa.pl 

1 day

Collects statistics about user sessions, including number of visits, average time on site, and pages viewed.

hjSesyjnyUser# 

Analytical / Statistical 

desa.pl 

1 year

Collects statistics about user sessions, including number of visits, average time on site, and pages viewed.

_livechat_has_visited 

Analytical / Statistical

cdn.livechatinc.com 

Permament 

Identifies visitors across devices and visits to optimize chat functions on the website.

c.gif 

Analytical / Statistical

c.clarity.ms 

Session

Collects data on user navigation and behavior for statistical reports and heatmaps for the site owner.

vuid 

Analytical / Statistical

vimeo.com 

2 years 

Collects data about user visits on the site, such as pages viewed.

_fbp 

Marketing

desa.pl 

3 months 

Used by Facebook to deliver a range of advertising products such as real-time bidding from external advertisers.

_gcl_au 

Marketing

desa.pl 

3 months

Used by Google AdSense to experiment with advertising effectiveness on websites using their services.

_uetsid 

Marketing

bing.com 

Permament

Tracks visitors across multiple websites to present relevant ads based on visitor preferences.

_uetsid 

Marketing

desa.pl 

1 day

Collects data on visitor behavior across multiple websites to deliver more relevant ads and limit repeated ad views. 

_uetsid_exp 

Marketing

bing.com 

Permament

Contains the expiration date for the related _uetsid cookie.

_uetvid 

Marketing

bing.com 

Permament

Tracks visitors across multiple websites to present relevant ads based on visitor preferences.

_uetvid 

Marketing

desa.pl 

1 year

Tracks visitors across multiple websites to present relevant ads based on visitor preferences.

_uetvid_exp 

Marketing

bing.com 

Permament

Contains the expiration date for the related _uetvid cookie.

pagead/landing 

Marketing

doubleclick.net 

Session

Collects data on visitor behavior across multiple websites to present more relevant ads and limit repeated ad views.

 

3.7. Cookie Mechanism

The cookie mechanism is safe for Your device. It does not allow viruses or other unwanted software to enter Your device. However, You can limit or disable cookies in your browser settings. If You do so, You will still be able to use the Service, although some features that require cookies may be unavailable.

 

3.8. Changing Cookie Settings

Below are instructions on how to change cookie settings in popular web browsers:

a) Internet Edge;

b) Mozilla Firefox browser;

c) Chrome browser;   

d) Safari browser;   

e) Opera browser.  

 

4. Personal Data Processing Period

The period of processing Your personal data depends on it's type, purpose, and the legal basis for processing. We store the data:

  • in the case of processing based on legitimate interest (e.g., protection against or pursuit of claims) – for the time necessary to fulfill that interest (e.g., for monetary claims – until the statute of limitations), unless you successfully object to the processing earlier;
     
  • when the basis for processing is the necessity to conclude and perform a contract – for the duration of that contract;
     
  • when processing is required by applicable legal regulations – for the time specified by those regulations (e.g., tax documentation is usually kept for 5 years from the end of the year in which the tax payment was due);
     
  • when data is processed based on consent – until the consent is withdrawn, unless the data is no longer needed for the purpose for which the consent was given.

 

The period of processing your personal data may be extended if processing is necessary to establish, pursue, or defend against potential claims, or when necessary to comply with our legal obligations. After this period, the data is deleted or irreversibly anonymized.

 

Personal data provided in comments on our social media fanpages will be stored until deleted by the author. The retention period for any data related to the use of our social media fanpages is determined by the operators of those platforms.

 

5. Rights of Data Subjects

In accordance with Articles 15–22 of the GDPR, each user has the following rights:

 

  • Right of access to data (Article 15 GDPR): The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the data. In accordance with Article 15, the controller shall provide a copy of the personal data undergoing processing.
     
  • Right to rectification (Article 16 GDPR): The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay.
     
  • Right to erasure (“right to be forgotten") (Article 17 GDPR): The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing.

  • Right to restriction of processing (Article 18 GDPR): The data subject has the right to obtain from the controller restriction of processing where:

a) the accuracy of the data is contested – for a period enabling the controller to verify the data;

b) the data subject has objected to processing pursuant to Article 21(1) – pending verification whether the controller's legitimate grounds override those of the data subject;

c) the processing is unlawful and the data subject opposes the erasure of the data and requests restriction of their use instead.

 

  • Right to data portability (Article 19 GDPR)

 

  • Right to object: If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.
     
  • Right to lodge a complaint with a supervisory authority: If you believe that your personal data is being processed unlawfully, you have the right to lodge a complaint with a data protection supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
     

When exercising your rights described above, we may verify your identity.

 

6. Data Recipients

 

As part of operating the website, we use the services of third parties (our subcontractors or providers). Therefore, the recipients of Your personal data will include IT service providers (e.g., hosting), entities such as banks and payment operators, companies providing accounting services (in connection with issuing invoices/receipts), and the operator of the auction management platform/application used by DESA Unicum (Auction Mobility), to the extent that it acts as a data processor – in accordance with Article 28 of the GDPR. In such cases, we process users' personal data (e.g., auction participants) solely based on documented instructions from the data controller, in order to enable the handling of the sales process via our auction system. The processing is carried out in accordance with a data processing agreement and the data is not used by us for any other purpose.

 

Due to the use of external cookies, the data collected by these cookies – including information that may constitute personal data – is collected by the third-party providers of those cookies (details can be found in point 3 of the privacy policy regarding cookies).

 

7. Transfer of Data Outside the EEA

 

The level of protection for personal data outside the European Economic Area (EEA) differs from that guaranteed by European law. For this reason, we ensure that Your personal data will only be transferred outside the EEA when it is necessary and with appropriate safeguards in place.

Due to our use of certain tools provided by companies headquartered in the USA (e.g., services from Google, Meta), user data (such as cookie identifiers) may be transferred to servers located in the United States. According to the European Commission's decision of July 10, 2023, the USA has been recognized as a country ensuring an adequate level of personal data protection for companies participating in the EU–U.S. Data Privacy Framework. Companies such as Google LLC and Meta Platforms Inc. are part of this program. In the case of Auction Mobility LLC, which is not part of the program, the transfer of personal data is based on the Standard Contractual Clauses approved by the European Commission. More details about these standard clauses can be found here: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847.

 

8. Security

To ensure the security of Your personal data, we regularly conduct risk assessments and apply appropriate organizational and technical measures. We ensure that all operations involving personal data are logged and carried out exclusively by authorized employees and collaborators. When transmitting personal data through the website, we provide a secure and encrypted connection to our server.

 

We take all necessary steps to ensure that our subcontractors and other cooperating entities also implement appropriate security measures when processing Your personal data on our behalf.

 

9.   Our Contact Details and Data Protection Officer

 

You can contact us by mail at the following address: DESA Unicum S.A., str. Piękna 1A, 00-477 Warsaw, Poland.

We have appointed a Data Protection Officer (DPO or IOD in Polish). Our DPO is Krzysztof Pawelec. You may contact him regarding matters related to the processing of your personal data by sending a letter to: DESA Unicum S.A., str. Piękna 1A, 00-477 Warsaw, or via email to: rodo@desa.pl, with the subject line “IOD" (“DPO").

 

10.  Changes to the Privacy Policy

 

We regularly review our privacy policy and update it when necessary. If the changes are significant, we will make every effort to inform you through available communication channels (e.g., via email).

 

The current version of the privacy policy has been in effect since 22th/May/2025.

 

Withdrawing consent to the processing of personal data

 

Dear Sir or Madam,

you have the right to withdraw your consent to the processing of your personal data or exercise your other rights in connection with the processing of personal data at any time. For this purpose, please download the form below, print it, fill in, and sign it, and send it back by e-mail to: biuro@desa.pl or by post to the following address: DESA Unicum S.A., Piękna 1A, 00-477 Warszawa.

 

 

 

 

Privacy Policy
Disclosure requirement under Article 13 of the GDPR*

 

(*the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)

Who is the controller of your personal data?

The controller of your personal data is Desa Unicum S.A. with the registered office in Warsaw at Piękna 1A (hereinafter referred to as "We", "Desa", or "Company") running the Desa Unicum Auction House and the website located at the following URL: www.desa.pl.
 

Contact regarding the processing of your personal data by Desa

In order to provide information regarding the processing of your personal data by Desa, you can contact us by letter, e-mail, and telephone, our contact details are provided below:

Piękna 1A
00-477 Warszawa
Phone no.: +48 22 163 66 00
fax +48 22 163 67 99
biuro@desa.pl

 


How did we receive your data?

We received the data from you upon concluding a commission contract, concluding a gallery sales contract, concluding a contract for conservation services, or contract for providing other services, submitting the item for valuation, via the contact form, during personal or online registration for our auctions, or you provided them to us by e-mail.
 

For what purpose and on what legal grounds do we process your personal data?

Processing your personal data is necessary to perform the contract concluded with you, including:

  • performance of contracts for sale, conservation services, framing, or commissioned sale;
  • handling complaints if you submit a complaint;
  • handling requests that you send to us (e.g. via the contact form);
  • contacting you, included in cases related to the performance of contracts, making and receiving payments.

In addition, the law requires us to process your data for:

  • tax and accounting purposes;
  • keeping a record book of monuments accepted or offered for sale;
  • counteracting money laundering and terrorist financing.

Your data is also processed by Desa in pursuance of our legitimate interest, for the purposes indicated below:

  • conducting marketing activities towards you, including conducting direct marketing regarding goods and services offered by Desa;
  • contacting you, including for purposes related to authorized marketing activities, through available communication channels, in particular and upon your consent - via e-mail and telephone;
  • handling your requests, in particular, the requests sent to the Customer Service Center and via the contact form in the cases when they are not directly related to the performance of the contract;
  • debt collection; conducting legal proceedings, arbitration and mediation proceedings;
  • storing data for archiving purposes and accountability (proving that we act in compliance with the obligation arising from applicable law).

Our website desa.pl applies Google Ads features, such as remarketing or conversion tracking, we use the consent of our customers from the European Economic Area and the United Kingdom for cookies or personal data for personalized advertisements (in the case of remarketing).

If you give your consent, we process your personal data in order to save data in cookies and collect data from websites.

You can withdraw your consent to the processing of personal data in any manner, at any time. We shall process your personal data until you withdraw your consent or until our duty to process your data, imposed on Desa by generally applicable law, expires.

Do you need to provide us your personal data?

For the purposes of performing the obligations arising from the contract concluded between you and us, as well as to comply with the requirements of generally applicable law, it is necessary that you provide the following personal data:

  • name and surname;
  • home address or address for correspondence;
  • Identification number PESEL or the number of your identity document;
  • e-mail address;
  • phone number;
  • bank account number.

If for some reason you do not provide your personal data (not including your bank account number), unfortunately we will not be able to conclude a contract with you.

If required by law, we may require you to provide other data necessary e.g. for accounting or tax purposes. Apart from these cases, providing your data is voluntary.

What are your rights related to the processing of personal data by Desa

You have the following rights related to the processing of personal data:

  • the right to withdraw consent to data processing,
  • the right of access to your personal data,
  • the right to demand rectification of your personal data,
  • the right to demand erasure of your personal data,
  • the right to demand restriction of processing of your personal data,
  • the right to object to the processing of your personal data resulting from your particular situation - cases in which we process your data in pursuance of our legitimate interest,
  • the right to data portability, that is to receive from your us the personal data you provided in a commonly used structured machine-readable format. You can send this data to another data controller or request that we send your data to another data controller. However, we shall send the data only if it is technically possible. The right to data portability applies only to the data which is processed on the basis of the contract concluded with you and upon your consent,

If you wish to exercise the above rights, contact us via the form available on the website www.desa.pl or at the reception desk at our headquarters.

You can exercise these rights in the following cases:

  • regarding the request for data rectification: you noticed that your data is incorrect or incomplete;
  • regarding the erasure of your data: the Company no longer needs your data for the original reason we collected or used it for; you have withdrawn your consent to data processing; have objected to the use of your data; your data have been used unlawfully; we have a legal obligation to erase your data or the data was collected from you as a child for an online service;
  • regarding the request to restrict data processing: you have noticed that your data is incorrect - you can request to restrict the processing of your data for a period that allows us to check whether your data is correct; your data have been used unlawfully, but you do not want your data to be erased; we no longer need your data, but you may need it to the defending or seeking legal claims; or you exercise your right to object to data processing - pending determining whether our legitimate grounds override the grounds for your objection;
  • regarding your request to transmit your data: the processing of your data takes place upon your consent or on the basis of the contract concluded with you, as well as when data processing takes place automatically.

You have the right to submit a complaint regarding the processing of your personal data by us to the supervisory body, which is the Inspector General for the Protection of Personal Data (address: Generalny Inspektor Ochrony Danych Osobowych, Stawki 2, 00-193 Warszawa).

In what situations can you object to the processing of your data by Desa?

You have the right to object to the processing of your personal data in the following cases:

  • the processing of your personal data is carried out on the basis of a legitimate interest or for statistical purposes and the objection is justified by your particular situation,
  • your personal data is processed for the purposes of direct marketing, including profiling.

Remember that you can exercise your right to object from 25 May 2018.

With whom do we share your personal data?

We share your personal data with entities supporting us in bookkeeping, running the website, IT systems, and providing consulting and auditing services. Entities authorized to process your personal data perform their tasks on the basis of a contract concluded with us and only in accordance with our instructions. The contracts for data processing concluded by us contain contractual clauses approved by the European Commission. In addition, we have the right to share your personal data with public authorities involved in countering fraud and abuse.

For how long do we store your personal data?

We store your personal data for the duration of the contract concluded with you and after its termination for:

  • seeking legal claims in connection with the performance of the contract,
  • performing duties resulting from legal provisions, including, in particular, for tax and accounting purposes,
  • preventing abuse and fraud,
  • statistical and archiving purposes,

a maximum of 10 years from the date of contract termination or for the period specified by law that requires us to process your data.

We store your personal data for marketing purposes for the duration of the contract or until you object to such processing, whichever occurs first.

Do we transfer your data to countries outside the European Economic Area?

Your personal data are transferred outside the European Economic Area to Google LLC based on appropriate legal safeguards, that is contractual clauses for the protection of personal data, approved by the European Commission.

Do we process your personal data automatically (including profiling) in a way that affects your rights

Your personal data will be processed in an automated manner, without the use of automated profiling. It shall not have any legal effects on you or materially affect your legal situation.

 

Withdrawing consent to the processing of personal data

Dear Sir or Madam,

you have the right to withdraw your consent to the processing of your personal data or exercise your other rights in connection with the processing of personal data at any time. For this purpose, please download the form below, print it, fill in, and sign it, and send it back by e-mail to: biuro@desa.pl or by post to the following address: DESA Unicum S.A., Piękna 1A, 00-477 Warszawa
Privacy Policy Auction Terms and Conditions (PDF)