PRIVACY POLICY

1. Definitions and General Information

When you visit or use our website, we collect and process your personal data. This privacy policy outlines the principles and purposes of processing such data and includes information about cookies and similar technologies used on the website. By using the website, you confirm your acceptance of these terms and conditions.

The personal data collected through the website is processed by Desa Unicum in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), the Polish Personal Data Protection Act of 10 May 2018, and the Electronic Communications Law of 12 July 2024.

The following key terms have the following meanings:

TERM	EXPLANATION
Data Controller or We	The Data Controller is the entity that determines the purposes and means of processing personal data and is also responsible, among other things, for ensuring an appropriate level of data protection and for exercising the rights of individuals whose data is being processed. The controller of Your Personal Data collected in connection with Your use of the website is us, that is: DESA Unicum S.A. headquartered in Warsaw (str. Piękna 1A, 00-477 Warsaw)
Personal Data	Any information about an identified or identifiable natural person (i.e., a living human being); an identifiable person is one who can be identified directly or indirectly, for example, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Privacy Policy	this document
GDPR	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
website	The website available at www.desal.pl, allowing users to access the services offered through it.
You or user	Any natural person visiting the website.

2. Purposes and Legal Basis for the Processing of Personal Data

AREA	PURPOSE AND LEGAL BASIS
USE OF THE WEBSITE	We use cookies or similar technologies within the website. Therefore, as the Data Controller, we process information that may be considered Personal Data (e.g., IP address, online identifiers, device data, activity data within the website). We process this information for the following purposes: To provide you the website access – legal basis: necessity for the performance of a service (Art. 6 (1) (b) GDPR); Analytical and statistical purposes – legal basis: our legitimate interest (Art. 6 (1) (f) GDPR), which involves analyzing user activity and preferences to improve functionality and services, subject to Your consent to use analytical and statistical cookies or similar technologies. More information about cookies can be found later in this Privacy Policy. Your activity within the service is recorded in so-called system logs (a special program used to store chronological records of events and actions related to our IT system/service). These logs may contain Personal Data (e.g., IP address, device data). This information is primarily processed for technical and administrative purposes (e.g., error detection), to ensure the security of our IT system/service (e.g., detecting cyberattacks), and for analytical/statistical purposes – the legal basis being our legitimate interest (Art. 6(1)(f) GDPR), aimed at ensuring the proper functioning of the website and it's improvement, as well as protecting our economic interests.
CONTACT FORM, HELPLINE, E-MAIL	We offer various communication channels, such as an online contact form, helpline, email, and social media (Facebook, Instagram, LinkedIn, YouTube). When You contact us, we may process Your Personal Data. When using our contact form on our website, You will be asked to provide necessary Personal Data (e.g., name, email address). This data is required to handle Your inquiry and establish communication. Providing the data is voluntary, but the form cannot be submitted without it. When contacting us through available channels, we process Your Personal Data to identify the sender and handle the inquiry. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR), which is to respond and support users. In some cases (e.g., complaint submission), Your data may also be processed for the establishment, exercise, or defense of claims. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR), aimed at protecting our rights and property interests, resolving any potential dispute with You, and responding to Your complaint.
REGISTRATION FOR ONLINE AUCTIONS (THROUGH DESA UNICUM PLATFORM/APP)	You can sign up for online auctions via the DESA Unicum auction management platform/application (Auction Mobility). If you choose to use this option, after selecting the appropriate interactive button on the website (“Register"), You will be redirected to the platform (or, where applicable, to the application) at https://bid.desa.pl/, where in order to register, You will need to either log in to Your account on that platform/application or provide the Personal Data required for registration (e.g. first name, last name, email address). As part of this auction management process, the controller of Your Personal Data is the owner of the bid.desa.pl platform/application – Auction Mobility LLC (192 South St., Suite 600, Boston, MA 02111). Detailed information on data processing can be found in the following document: https://bid.desa.pl/privacy-policy/?#/contact-us. Podanie danych niezbędnych do rejestracji jest dobrowolne, ale brak ich podania uniemożliwi Ci wzięcie udziału w aukcji. Podane przez Ciebie dane będziemy przetwarzać w następujących celach: Contract execution – legal basis: necessity to perform a contract or take pre-contractual steps (Art. 6(1)(b) GDPR); Contacting You via Your e-mail address for purposes related to the provision of services, including coordination of Your participation in the auction (e.g., reminders about the auction date, confirmation of participation, information about organizational changes affecting the provision of the service) – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR), which consists in ensuring efficient service for auction participants; Fulfilling our legal obligations related to receiving a payment from You, such as issuing an invoice or receipt – the legal basis for processing is our legal obligation (Article 6(1)(c) of the GDPR) in connection with relevant tax and accounting regulations; The possible establishment, exercise, or defense of legal claims – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR), consisting in handling claims, striving to resolve disputes, and protecting our economic interests. These provisions apply to all auctions organized by DESA Unicum available on the desa.pl website, including thematic and recurring auctions such as the “Young Art Auction." The data processing rules described in this section apply regardless of the name of the auction or its specific subpage within the desa.pl domain.
COMPANY PROFILE ON SOCIAL MEDIA	If You visit our profile on social media platforms like Facebook (https://www.facebook.com/DESAUnicumWarszawa), Instagram (https://www.instagram.com/desa_unicum), LinkedIn (https://www.linkedin.com/company/desa-unicum), YouTube (https://www.youtube.com/@DesaUnicum), Pinterest (https://pl.pinterest.com/desaunicum) and interact with us (e.g., follow, comment, like), we process Your Personal Data. The scope of Personal Data we process includes data You provide to us yourself, as well as data obtained by us from the operator of a given platform, including data such as Your identifier on a social media platform (e.g., your first and last name or profile name), profile picture/avatar, etc. Providing this data is voluntary, but without providing it, You will not be able to use certain functions of the social media platform (e.g., add comments, send us messages). Independently of us, the platform operator processes Your Personal Data to provide You with the services of that platform, in accordance with it's terms and conditions of use. Please familiarize yourself with the terms of service and privacy policy/data processing information applicable on the platform You use. When browsing our website, You will find links directing to our profiles (company accounts/pages) on social media platforms. By clicking such a link, You will be redirected to our profile (company account/page) maintained on the selected platform. After being redirected to such a platform, the operator of that platform is also the controller of Your Personal Data, and may use the collected information for their own purposes (e.g., they may use information that You have moved from our service to the social media platform for advertising purposes, market research, or gathering information about your preferences). We have no influence over the processing of Personal Data carried out by the platform operator independently from us, as a separate controller. Detailed information about the processing of Personal Data by social media platforms can be found in their privacy policies: Facebook: https://www.facebook.com/privacy/policy/?entry_point=comet_dropdown Instagram: https://privacycenter.instagram.com/policy LinkedIn: https://pl.linkedin.com/legal/privacy-policy YouTube: https://policies.google.com/privacy?hl=pl Facebook, Instagram, LinkedIn, YouTube If you use our profile (company page) on these platforms or content associated with it, we process Your Personal Data. The data we process may include: username; comments posted on our company page; messages sent to us; activity on our company page (using the “Audience Insights" service we utilize), such as visits to our company page, posts, average video view duration, information about the country and city of visitors, statistics regarding visitors' gender; other information necessary to fulfill requests or to uniquely identify visitors. The operator of the Facebook and Instagram platforms is Meta Platforms Ireland Limited (Serpentine Avenue, Block J, Dublin 4, Ireland - hereinafter “Meta"). Meta processes Your Personal Data in accordance with its privacy policy, which is available at https://www.facebook.com/privacy/policy/ (Facebook) and https://privacycenter.instagram.com/policy (Instagram). Co-management with Meta We use statistical information related to the use of our profile (company page) on Facebook and Instagram, which Meta provides to us in anonymized form, including through the “Audience Insights" service. This service does not allow the information to be linked to individual users or access their personal profiles. More information about company page statistics on Facebook and Instagram can be found at: https://www.facebook.com/legal/terms/information_about_page_insights_data. We are joint controllers of Your Personal Data together with the operators of the Facebook and Instagram platforms - Meta (Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland) - in relation to data processing for page statistics (data for statistical purposes). The co-management includes aggregate analysis of data to display statistics on the activity of users on our profile. Meta's responsibilities regarding data processing in the co-management include: having the legal basis for processing data for page statistics purposes; ensuring the rights of data subjects are respected; reporting data breaches to the supervisory authority and notifying affected individuals; · providing appropriate technical and organizational measures to ensure the security of your data. Our responsibilities regarding data processing in the co-management include: having the legal basis for processing data for statistics purposes; fulfilling information obligations regarding the processing purposes carried out by us. The main supervisory authority for the joint data processing is the Irish Data Protection Commission. Detailed information about the mutual arrangements between the joint controllers is available at: https://www.facebook.com/legal/terms/page_controller_addendum. In connection with managing profiles (company pages) on the platforms, we may process Your Personal Data for purposes based on our legitimate interest (Article 6(1)(f) of the GDPR), consisting of: managing the profile on the social media platform under the terms set by the platform operator; conducting marketing campaigns on the website; informing via our profile about our business activities; building and strengthening relationships with potential and current customers through communication via the social media platform; performing analyses and statistics regarding the functioning, popularity, and usage of our profile; establishing, pursuing, and defending against any claims related to the use of the profile. Pinterest If you use our profiles/accounts on the Pinterest platform (including the main DESA Unicum profile and subprofiles, e.g. “DESA Młoda Sztuka"), we process the data that you voluntarily provide to us on this platform (e.g. username, comments, messages), as well as statistical data made available to us in aggregated form by the platform operator. The operator of the Pinterest platform is the entity operating the Pinterest service. Data on this platform is also processed by its operator as a separate data controller, in accordance with its terms and conditions and privacy policy. We encourage you to familiarize yourself with the data processing rules applicable on Pinterest: https://policy.pinterest.com/pl/privacy-policy. We process the data on the basis of our legitimate interest (Article 6(1)(f) of the GDPR), in particular for the purpose of operating the profile, communicating with users, presenting content related to our activities, analyzing the performance of the profile, and, where necessary, establishing, pursuing, or defending legal claims.
NEWSLETTER	If You want to receive information about our auctions, You can use our free newsletter service (newsletter subscription). To do this, we will ask You to provide Your e-mail address. This is voluntary but necessary to use the newsletter. By subscribing to the newsletter, you agree to receive commercial information, including information about auctions and other marketing content related to Desa Unicum. Your consent also includes the use of systems for automatic newsletter delivery. The legal basis for processing Your Personal Data for the newsletter is your consent (Article 6(1)(a) of the GDPR). You can unsubscribe newsletter (withdraw Your consent) at any time. Simply click the special link at the end of each message or send us an e-mail requesting to unsubscribe. Withdrawal of consent does not affect the lawfulness of the processing of Your Personal Data based on consent before it's withdrawal.
MARKETING AND INFORMATION ABOUT OUR ACTIVITIES	We conduct marketing activities in compliance with applicable legal regulations, including respecting restrictions or bans on advertising and promotions. Sending Marketing Content You may optionally agree to receive from us, via Your chosen communication channel (e.g., email, SMS/MMS, or similar electronic means), our offers, information about auctions, and similar marketing content related to us and our activities. The legal basis for processing is your consent (Art. 6(1)(a) GDPR). Internet Marketing We may also - within the limits allowed by law - inform You about our activities using internet marketing tools (e.g., banners on other websites). For this purpose, we may use information collected when you use our website (e.g., the fact that You are a client/visited the webiste can help us optimize our online campaigns). The legal basis for such processing is our legitimate interest in informing You about our activities and services (Art. 6(1)(f) GDPR). We use marketing partners such as Meta (Facebook) to display our campaigns tailored based on information collected during Your use of the website, including through cookies, if You have consented to their use. The legal basis for this processing is Your consent (Art. 6(1)(a) GDPR). More information can be found in the cookie section of our privacy policy.

3. Cookies and Similar Technologies

On our website, we use cookies and similar technologies stored on the user's device. These allow us and our partners to collect information (e.g., tracking pixels, tags), collectively called “cookies" for simplicity.

Cookies are small text files saved and stored on Your device (e.g., computer or smartphone memory). They enable, among other things, recognizing your device, correctly displaying the website (including adapting it to user preferences), and collecting various information related to Your browsing of the service. Cookies usually contain the website name (domain), storage duration on the device, and a unique identifier.

Cookies serve various functions. Some are essential for the correct operation of the service, while others collect information about Your usage, such as remembering visits and actions performed during Your session.

We use cookies and similar technologies primarily for:

· ensuring proper website functioning;

· analytical and statistical purposes - to better understand user behavior and improve the website;

· marketing purposes (e.g., for internet campaign data collection).

Information collected by cookies generally does not directly identify You. From our perspective, cookie data is anonymous. However, in some cases, especially combined with other information (e.g., IP address combined with cookie ID and data from external providers), cookies may potentially identify You. We take a transparent, privacy-focused approach to cookies and treat their use as Personal Data processing in our privacy policy out of caution.

Cookies have different lifespans, after which they are automatically deleted (expired) - unless You delete them yourself earlier. Some cookies are temporary (so-called session cookies), which are stored only for the duration of Your session on the website or slightly longer (e.g., several minutes) and are automatically deleted when You close Your browser. Other cookies (e.g., Google Analytics cookies or cookies related to displaying the cookie consent message) are stored for longer periods (e.g., several months or even years) and can be deleted, for example, through Your browser settings.

Some cookies originate from our domain (so-called first-party cookies), while others come from external servers and are stored by third parties (e.g., service providers we use - so-called third-party cookies).

3.1. Essential Cookies

Some cookies are necessary for the service's correct and secure operation. Their use does not require Your consent under applicable laws (Art. 398 of the Electronic Communications Law).

3.2. Analytical and Statistical Cookies

We use cookies to monitor service usage and pages viewed for analytics and statistics. These include IP and MAC addresses, general geographic data, browser and device types, ISP info, and your actions within the service. This helps us create reports and statistics to improve the service and fix errors.

3.3. Marketing Cookies

Marketing cookies allow the display of marketing content (e.g., information about our activities) tailored to users, based on data such as visits to the website, pages viewed, and clicked links. These cookies are used, among other things, to personalize marketing content on the internet and to display ads outside of our website, as well as to generate marketing statistics. Information collected by these cookies may be shared with other companies that provide advertising networks.

All marketing activities comply with applicable advertising restrictions and bans relevant to our business.

3.4. External Providers' Tools

Within our website, we use various external services and tools that utilize cookies. This applies in particular to activities related to analytics and marketing. More information about the individual providers and tools we use is provided below.

Google Analytics

We use the Google Analytics service on our website, provided by Google (Google Ireland Limited, Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). In order to use Google Analytics, we use our own cookies to measure, create, and report statistics on your interaction with our website. The information collected by Google Analytics is used to produce general, aggregated analyses and statistics. Google Analytics does not use this data to identify users nor does it combine the data in a way that would allow such identification.

Regardless of the requirement to obtain consent for the use of analytical and statistical cookies (as described below), You can disable the storage of Google Analytics cookies by adjusting the settings of Your web browser. You can also block the collection and processing of data by Google Analytics by downloading and installing a special browser add-on available at: https://tools.google.com/dlpage/gaoptout/.

More information about Google Analytics can be found at: https://support.google.com/analytics/answer/6004245?hl=en and in Google's Privacy Policy: www.google.com/policies/privacy/partners/.

Google Marketing Tools

We use Google tools for marketing purposes. Google's marketing services (e.g. Google Ads) allow us to display our campaigns in the Google search engine and on websites that are part of the Google advertising network. We also analyze the effectiveness of these campaigns, which helps us better tailor them to users' expectations. As part of these analyses, we do not collect or process Your personal data – Google only provides us with statistics that allow us to determine which advertising measures were effective.

These marketing services are provided to us by Google Ireland Limited (Google Building, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). More information about how Google processes personal data can be found here: https://policies.google.com/privacy. If You have a Google account, You can manage the marketing content shown to You via cookies using Your account settings: https://myaccount.google.com/. In some cases, Google processes personal data on our behalf (as a data processor) – this applies to Google Marketing Platform and certain features of Google Ads. In other cases, Google acts as an independent data controller. Detailed information (in English) can be found here: https://business.safety.google/gdpr/.

Meta

In our service, we use tools provided by Meta Platforms Ireland Ltd, such as the Meta Pixel and event analysis. For example, when you visit our website, the Meta Pixel transmits information about your activity to Meta. This allows us to better tailor our advertising campaigns on the Facebook platform and assess their effectiveness. It also enables us to receive analytics and data regarding our products and services from Meta.

The process of collecting and processing data is carried out jointly with Meta Platforms Ireland Limited (joint controllership). This includes the following purposes:

creating personalized or relevant advertisements and optimizing them;
providing commercial and transactional information (e.g., via Messenger).

Joint controllership does not include the following processes:

processes that occur after data is collected and transmitted to Meta (these are solely the responsibility of Meta);
preparation of reports and analyses in aggregated and anonymized form, carried out by Meta as a data processor, which falls under our responsibility.

We have concluded a joint controllership agreement with Meta, which You can read here: https://www.facebook.com/legal/controller_addendum. This agreement outlines the respective obligations for fulfilling GDPR requirements with regard to joint controllership. More information about the processing of personal data in cooperation with Meta can be found in the Meta Business Tools Terms of Service, available here: https://www.facebook.com/legal/terms/businesstools. Further details on how Meta Platforms Ireland Limited processes personal data (including the legal basis for processing and how You can exercise Your rights with Meta) can be found here: https://www.facebook.com/about/privacy.

HotJar

Hotjar is a tool that enables us to analyze user activity on our website - for example, by anonymously collecting information about clicks on various links and the time spent on specific pages. Hotjar uses cookies and other technologies to collect data on user behavior and their devices. This includes the device's IP address (processed during the session and stored in anonymized form), screen size, device type (unique identifiers), browser information, geographic location (country only), and the preferred language used to display the website. The tool does not allow for the identification of the user. Detailed information about the data collected by Hotjar can be found here: https://www.hotjar.com/legal/policies/privacy/.

The Hotjar tool is provided by Hotjar Ltd. (Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta), which processes personal data on our behalf (as a data processor under the GDPR).

Livechat
Livechat is an online tool used for sales and remote customer support. It allows users to chat via a messenger application that does not require installation on the device and is accessible by clicking a contact button. Agents use an application equipped with tools that provide information about the interlocutor (e.g., visited pages), which facilitates communication and enables offering the best possible assistance. The Livechat privacy policy is available at: https://www.livechat.com/legal/privacy-policy/

Pinterest marketing tools

We may use marketing tools provided by the Pinterest platform (e.g., the Pinterest Tag) to measure the effectiveness of our campaigns and to deliver information about our activities to users of this platform. The use of these tools may involve the storage of cookies or similar technologies by the Pinterest operator (after you have given your consent to marketing cookies on our website). Details regarding how the Pinterest operator processes user data can be found in the documents made available by the operator of this platform.

3.5. Consent to Use Cookies

Using cookies requires your consent (except for so-called strictly necessary cookies, as mentioned above). On our website, we display a notification informing you about the use of cookies. In this notification, you can give consent to use cookies for specific purposes or refuse consent. If you refuse, we will only use cookies necessary for the functioning of the service-your consent is not required for these because without them the service will not work properly (Article 398 of the Electronic Communications Law).

If the use of cookies requiring consent (e.g., analytical, marketing) leads to processing personal data, the basis for this processing is your consent (Article 6(1)(a) of the GDPR). Further processing of your personal data originally collected via cookies may take place based on our legitimate interest (Article 6(1)(f) GDPR - e.g., marketing of products or services, creating statistics and analyses), as described in previous sections of the privacy policy.

In the case of third-party cookies, giving consent for their use also means consenting to the transfer of your data collected via those cookies to an external provider (another company).

You can withdraw your consent to the use of cookies at any time, e.g., by using the cookie settings in the popup displayed on our service interface or via your web browser settings. You can also set your browser to automatically block all or selected cookies. Detailed information about browser features and settings can be found in its documentation.

Please note that blocking necessary cookies may cause the service to malfunction for technical reasons.

3.6. List of Cookies Used on the Website

Name	Cathegory	Provider	Duration	Description
__cf_bm	Essential	vimeo.com	1 day	This cookie, set by Cloudflare, is used to manage Cloudflare Bot Management.
CookieConsent	Essential	desa.pl	1 year	Stores the user's cookie consent state for the current domain.
csrftoken	Essential	desa.pl	1 year	Helps prevent CSRF (Cross-Site Request Forgery) attacks.
SESS#	Essential	desa.pl	14 days	Maintains user states between page requests.
test_cookie	Essential	doubleclick.net	1 day	Used to check if the user's browser supports cookies.
__lc_cid	Analytical / Statistical	accounts.livechatinc.com	400 days	Necessary for the chat function to operate on the website.
__lc_cst	Analytical / Statistical	accounts.livechatinc.com	400 days	Necessary for the chat function to operate on the website.
__oauth_redirect_detector	Analytical / Statistical	accounts.livechatinc.com	1 day	Allows the website to recognize the user to optimize chat functionality.
django_language	Analytical / Statistical	desa.pl	1 year	Specifies the visitor's preferred language. Enables the website to set the preferred language on return visits.
_clck	Analytical / Statistical	desa.pl	1 year	Collects data on user navigation and behavior on the website. Used to create statistical reports and heatmaps for the site owner.
_clsk	Analytical / Statistical	desa.pl	1 day	Records statistical data on user behavior on the website. Used for internal analysis by the website operator.
_cltk	Analytical / Statistical	clarity.ms	Session	Records statistical data on user behavior on the website. Used for internal analysis by the website operator.
_ga	Analytical / Statistical	desa.pl	25 months	Records a unique identifier used to generate statistical data on how the visitor uses the website.
ga#	Analytical / Statistical	desa.pl	25 months	Used by Google Analytics to collect data on the number of user visits, as well as first and last visit dates.
_gat	Analytical / Statistical	desa.pl	1 day	Used by Google Analytics to limit the number of requests.
_gid	Analytical / Statistical	desa.pl	1 day	Records a unique identifier used to generate statistical data on how the visitor uses the website.
_hjAbsoluteSesyjnyInProgress	Analytical / Statistical	desa.pl	1 day	This cookie counts how many times the site was visited by different users by assigning an identifier to avoid double counting.
_hjFirstSeen	Analytical / Statistical	desa.pl	1 day	This cookie determines whether the user has visited the site before or is a new visitor.
hjIncludedInSesyjnySample#	Analytical / Statistical	desa.pl	1 day	Collects statistics about visitor sessions, such as number of visits, average time spent, and pages viewed.
hjSesyjny#	Analytical / Statistical	desa.pl	1 day	Collects statistics about user sessions, including number of visits, average time on site, and pages viewed.
hjSesyjnyUser#	Analytical / Statistical	desa.pl	1 year	Collects statistics about user sessions, including number of visits, average time on site, and pages viewed.
_livechat_has_visited	Analytical / Statistical	cdn.livechatinc.com	Permament	Identifies visitors across devices and visits to optimize chat functions on the website.
c.gif	Analytical / Statistical	c.clarity.ms	Session	Collects data on user navigation and behavior for statistical reports and heatmaps for the site owner.
vuid	Analytical / Statistical	vimeo.com	2 years	Collects data about user visits on the site, such as pages viewed.
_fbp	Marketing	desa.pl	3 months	Used by Facebook to deliver a range of advertising products such as real-time bidding from external advertisers.
_gcl_au	Marketing	desa.pl	3 months	Used by Google AdSense to experiment with advertising effectiveness on websites using their services.
_uetsid	Marketing	bing.com	Permament	Tracks visitors across multiple websites to present relevant ads based on visitor preferences.
_uetsid	Marketing	desa.pl	1 day	Collects data on visitor behavior across multiple websites to deliver more relevant ads and limit repeated ad views.
_uetsid_exp	Marketing	bing.com	Permament	Contains the expiration date for the related _uetsid cookie.
_uetvid	Marketing	bing.com	Permament	Tracks visitors across multiple websites to present relevant ads based on visitor preferences.
_uetvid	Marketing	desa.pl	1 year	Tracks visitors across multiple websites to present relevant ads based on visitor preferences.
_uetvid_exp	Marketing	bing.com	Permament	Contains the expiration date for the related _uetvid cookie.
pagead/landing	Marketing	doubleclick.net	Session	Collects data on visitor behavior across multiple websites to present more relevant ads and limit repeated ad views.

3.7. Cookie Mechanism

The cookie mechanism is safe for Your device. It does not allow viruses or other unwanted software to enter Your device. However, You can limit or disable cookies in your browser settings. If You do so, You will still be able to use the Service, although some features that require cookies may be unavailable.

3.8. Changing Cookie Settings

Below are instructions on how to change cookie settings in popular web browsers:

a) Internet Edge;

b) Mozilla Firefox browser;

c) Chrome browser;  

d) Safari browser;  

e) Opera browser. 

4. Personal Data Processing Period

The period of processing Your personal data depends on it's type, purpose, and the legal basis for processing. We store the data:

in the case of processing based on legitimate interest (e.g., protection against or pursuit of claims) – for the time necessary to fulfill that interest (e.g., for monetary claims – until the statute of limitations), unless you successfully object to the processing earlier;
when the basis for processing is the necessity to conclude and perform a contract – for the duration of that contract;
when processing is required by applicable legal regulations – for the time specified by those regulations (e.g., tax documentation is usually kept for 5 years from the end of the year in which the tax payment was due);
when data is processed based on consent – until the consent is withdrawn, unless the data is no longer needed for the purpose for which the consent was given.

The period of processing your personal data may be extended if processing is necessary to establish, pursue, or defend against potential claims, or when necessary to comply with our legal obligations. After this period, the data is deleted or irreversibly anonymized.

Personal data provided in comments on our social media fanpages will be stored until deleted by the author. The retention period for any data related to the use of our social media fanpages is determined by the operators of those platforms.

5. Rights of Data Subjects

In accordance with Articles 15–22 of the GDPR, each user has the following rights:

Right of access to data (Article 15 GDPR): The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the data. In accordance with Article 15, the controller shall provide a copy of the personal data undergoing processing.
Right to rectification (Article 16 GDPR): The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay.
Right to erasure (“right to be forgotten") (Article 17 GDPR): The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing.

Right to restriction of processing (Article 18 GDPR): The data subject has the right to obtain from the controller restriction of processing where:

a) the accuracy of the data is contested – for a period enabling the controller to verify the data;

b) the data subject has objected to processing pursuant to Article 21(1) – pending verification whether the controller's legitimate grounds override those of the data subject;

c) the processing is unlawful and the data subject opposes the erasure of the data and requests restriction of their use instead.

Right to data portability (Article 19 GDPR)

Right to object: If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.
Right to lodge a complaint with a supervisory authority: If you believe that your personal data is being processed unlawfully, you have the right to lodge a complaint with a data protection supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office.

When exercising your rights described above, we may verify your identity.

6. Data Recipients

As part of operating the website, we use the services of third parties (our subcontractors or providers). Therefore, the recipients of Your personal data will include IT service providers (e.g., hosting), entities such as banks and payment operators, companies providing accounting services (in connection with issuing invoices/receipts), and the operator of the auction management platform/application used by DESA Unicum (Auction Mobility), to the extent that it acts as a data processor – in accordance with Article 28 of the GDPR. In such cases, we process users' personal data (e.g., auction participants) solely based on documented instructions from the data controller, in order to enable the handling of the sales process via our auction system. The processing is carried out in accordance with a data processing agreement and the data is not used by us for any other purpose.

Due to the use of external cookies, the data collected by these cookies – including information that may constitute personal data – is collected by the third-party providers of those cookies (details can be found in point 3 of the privacy policy regarding cookies).

7. Transfer of Data Outside the EEA

The level of protection for personal data outside the European Economic Area (EEA) differs from that guaranteed by European law. For this reason, we ensure that Your personal data will only be transferred outside the EEA when it is necessary and with appropriate safeguards in place.

Due to our use of certain tools provided by companies headquartered in the USA (e.g., services from Google, Meta), user data (such as cookie identifiers) may be transferred to servers located in the United States. According to the European Commission's decision of July 10, 2023, the USA has been recognized as a country ensuring an adequate level of personal data protection for companies participating in the EU–U.S. Data Privacy Framework. Companies such as Google LLC and Meta Platforms Inc. are part of this program. In the case of Auction Mobility LLC, which is not part of the program, the transfer of personal data is based on the Standard Contractual Clauses approved by the European Commission. More details about these standard clauses can be found here: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847.

8. Security

To ensure the security of Your personal data, we regularly conduct risk assessments and apply appropriate organizational and technical measures. We ensure that all operations involving personal data are logged and carried out exclusively by authorized employees and collaborators. When transmitting personal data through the website, we provide a secure and encrypted connection to our server.

We take all necessary steps to ensure that our subcontractors and other cooperating entities also implement appropriate security measures when processing Your personal data on our behalf.

9. Our Contact Details and Data Protection Officer

You can contact us by mail at the following address: DESA Unicum S.A., str. Piękna 1A, 00-477 Warsaw, Poland.

We have appointed a Data Protection Officer (DPO or IOD in Polish). Our DPO is Krzysztof Pawelec. You may contact him regarding matters related to the processing of your personal data by sending a letter to: DESA Unicum S.A., str. Piękna 1A, 00-477 Warsaw, or via email to: rodo@desa.pl, with the subject line “IOD" (“DPO").

10. Changes to the Privacy Policy

We regularly review our privacy policy and update it when necessary. If the changes are significant, we will make every effort to inform you through available communication channels (e.g., via email).

The current version of the privacy policy has been in effect since 28th/October/2025

Withdrawing consent to the processing of personal data

Dear Sir or Madam,

you have the right to withdraw your consent to the processing of your personal data or exercise your other rights in connection with the processing of personal data at any time. For this purpose, please download the form below, print it, fill in, and sign it, and send it back by e-mail to: biuro@desa.pl or by post to the following address: DESA Unicum S.A., Piękna 1A, 00-477 Warszawa.

PRIVACY POLICY

1. Definitions and General Information

The following key terms have the following meanings:

TERM	EXPLANATION
Data Controller or We	The Data Controller is the entity that determines the purposes and means of processing personal data and is also responsible, among other things, for ensuring an appropriate level of data protection and for exercising the rights of individuals whose data is being processed. The controller of Your Personal Data collected in connection with Your use of the website is us, that is: DESA Unicum S.A. headquartered in Warsaw (str. Piękna 1A, 00-477 Warsaw)
Personal Data	Any information about an identified or identifiable natural person (i.e., a living human being); an identifiable person is one who can be identified directly or indirectly, for example, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Privacy Policy	this document
GDPR	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
website	The website available at www.desal.pl, allowing users to access the services offered through it.
You or user	Any natural person visiting the website.

2. Purposes and Legal Basis for the Processing of Personal Data

AREA	PURPOSE AND LEGAL BASIS
USE OF THE WEBSITE	We use cookies or similar technologies within the website. Therefore, as the Data Controller, we process information that may be considered Personal Data (e.g., IP address, online identifiers, device data, activity data within the website). We process this information for the following purposes: To provide you the website access – legal basis: necessity for the performance of a service (Art. 6 (1) (b) GDPR); Analytical and statistical purposes – legal basis: our legitimate interest (Art. 6 (1) (f) GDPR), which involves analyzing user activity and preferences to improve functionality and services, subject to Your consent to use analytical and statistical cookies or similar technologies. More information about cookies can be found later in this Privacy Policy. Your activity within the service is recorded in so-called system logs (a special program used to store chronological records of events and actions related to our IT system/service). These logs may contain Personal Data (e.g., IP address, device data). This information is primarily processed for technical and administrative purposes (e.g., error detection), to ensure the security of our IT system/service (e.g., detecting cyberattacks), and for analytical/statistical purposes – the legal basis being our legitimate interest (Art. 6(1)(f) GDPR), aimed at ensuring the proper functioning of the website and it's improvement, as well as protecting our economic interests.
CONTACT FORM, HELPLINE, E-MAIL	We offer various communication channels, such as an online contact form, helpline, email, and social media (Facebook, Instagram, LinkedIn, YouTube). When You contact us, we may process Your Personal Data. When using our contact form on our website, You will be asked to provide necessary Personal Data (e.g., name, email address). This data is required to handle Your inquiry and establish communication. Providing the data is voluntary, but the form cannot be submitted without it. When contacting us through available channels, we process Your Personal Data to identify the sender and handle the inquiry. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR), which is to respond and support users. In some cases (e.g., complaint submission), Your data may also be processed for the establishment, exercise, or defense of claims. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR), aimed at protecting our rights and property interests, resolving any potential dispute with You, and responding to Your complaint.
REGISTRATION FOR ONLINE AUCTIONS (THROUGH DESA UNICUM PLATFORM/APP)	You can sign up for online auctions via the DESA Unicum auction management platform/application (Auction Mobility). If you choose to use this option, after selecting the appropriate interactive button on the website (“Register"), You will be redirected to the platform (or, where applicable, to the application) at https://bid.desa.pl/, where in order to register, You will need to either log in to Your account on that platform/application or provide the Personal Data required for registration (e.g. first name, last name, email address). As part of this auction management process, the controller of Your Personal Data is the owner of the bid.desa.pl platform/application – Auction Mobility LLC (192 South St., Suite 600, Boston, MA 02111). Detailed information on data processing can be found in the following document: https://bid.desa.pl/privacy-policy/?#/contact-us. Podanie danych niezbędnych do rejestracji jest dobrowolne, ale brak ich podania uniemożliwi Ci wzięcie udziału w aukcji. Podane przez Ciebie dane będziemy przetwarzać w następujących celach: Contract execution – legal basis: necessity to perform a contract or take pre-contractual steps (Art. 6(1)(b) GDPR); Contacting You via Your e-mail address for purposes related to the provision of services, including coordination of Your participation in the auction (e.g., reminders about the auction date, confirmation of participation, information about organizational changes affecting the provision of the service) – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR), which consists in ensuring efficient service for auction participants; Fulfilling our legal obligations related to receiving a payment from You, such as issuing an invoice or receipt – the legal basis for processing is our legal obligation (Article 6(1)(c) of the GDPR) in connection with relevant tax and accounting regulations; The possible establishment, exercise, or defense of legal claims – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR), consisting in handling claims, striving to resolve disputes, and protecting our economic interests.
COMPANY PROFILE ON SOCIAL MEDIA	If You visit our profile on social media platforms like Facebook (https://www.facebook.com/DESAUnicumWarszawa), Instagram (https://www.instagram.com/desa_unicum), LinkedIn (https://www.linkedin.com/company/desa-unicum), YouTube (https://www.youtube.com/@DesaUnicum) and interact with us (e.g., follow, comment, like), we process Your Personal Data. The scope of Personal Data we process includes data You provide to us yourself, as well as data obtained by us from the operator of a given platform, including data such as Your identifier on a social media platform (e.g., your first and last name or profile name), profile picture/avatar, etc. Providing this data is voluntary, but without providing it, You will not be able to use certain functions of the social media platform (e.g., add comments, send us messages). Independently of us, the platform operator processes Your Personal Data to provide You with the services of that platform, in accordance with it's terms and conditions of use. Please familiarize yourself with the terms of service and privacy policy/data processing information applicable on the platform You use. When browsing our website, You will find links directing to our profiles (company accounts/pages) on social media platforms. By clicking such a link, You will be redirected to our profile (company account/page) maintained on the selected platform. After being redirected to such a platform, the operator of that platform is also the controller of Your Personal Data, and may use the collected information for their own purposes (e.g., they may use information that You have moved from our service to the social media platform for advertising purposes, market research, or gathering information about your preferences). We have no influence over the processing of Personal Data carried out by the platform operator independently from us, as a separate controller. Detailed information about the processing of Personal Data by social media platforms can be found in their privacy policies: Facebook: https://www.facebook.com/privacy/policy/?entry_point=comet_dropdown Instagram: https://privacycenter.instagram.com/policy LinkedIn: https://pl.linkedin.com/legal/privacy-policy YouTube: https://policies.google.com/privacy?hl=pl Facebook, Instagram, LinkedIn, YouTube If you use our profile (company page) on these platforms or content associated with it, we process Your Personal Data. The data we process may include: username; comments posted on our company page; messages sent to us; activity on our company page (using the “Audience Insights" service we utilize), such as visits to our company page, posts, average video view duration, information about the country and city of visitors, statistics regarding visitors' gender; other information necessary to fulfill requests or to uniquely identify visitors. The operator of the Facebook and Instagram platforms is Meta Platforms Ireland Limited (Serpentine Avenue, Block J, Dublin 4, Ireland - hereinafter “Meta"). Meta processes Your Personal Data in accordance with its privacy policy, which is available at https://www.facebook.com/privacy/policy/ (Facebook) and https://privacycenter.instagram.com/policy (Instagram). Co-management with Meta We use statistical information related to the use of our profile (company page) on Facebook and Instagram, which Meta provides to us in anonymized form, including through the “Audience Insights" service. This service does not allow the information to be linked to individual users or access their personal profiles. More information about company page statistics on Facebook and Instagram can be found at: https://www.facebook.com/legal/terms/information_about_page_insights_data. We are joint controllers of Your Personal Data together with the operators of the Facebook and Instagram platforms - Meta (Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland) - in relation to data processing for page statistics (data for statistical purposes). The co-management includes aggregate analysis of data to display statistics on the activity of users on our profile. Meta's responsibilities regarding data processing in the co-management include: having the legal basis for processing data for page statistics purposes; ensuring the rights of data subjects are respected; reporting data breaches to the supervisory authority and notifying affected individuals; · providing appropriate technical and organizational measures to ensure the security of your data. Our responsibilities regarding data processing in the co-management include: having the legal basis for processing data for statistics purposes; fulfilling information obligations regarding the processing purposes carried out by us. The main supervisory authority for the joint data processing is the Irish Data Protection Commission. Detailed information about the mutual arrangements between the joint controllers is available at: https://www.facebook.com/legal/terms/page_controller_addendum. In connection with managing profiles (company pages) on the platforms, we may process Your Personal Data for purposes based on our legitimate interest (Article 6(1)(f) of the GDPR), consisting of: managing the profile on the social media platform under the terms set by the platform operator; conducting marketing campaigns on the website; informing via our profile about our business activities; building and strengthening relationships with potential and current customers through communication via the social media platform; performing analyses and statistics regarding the functioning, popularity, and usage of our profile; establishing, pursuing, and defending against any claims related to the use of the profile.
NEWSLETTER	If You want to receive information about our auctions, You can use our free newsletter service (newsletter subscription). To do this, we will ask You to provide Your e-mail address. This is voluntary but necessary to use the newsletter. By subscribing to the newsletter, you agree to receive commercial information, including information about auctions and other marketing content related to Desa Unicum. Your consent also includes the use of systems for automatic newsletter delivery. The legal basis for processing Your Personal Data for the newsletter is your consent (Article 6(1)(a) of the GDPR). You can unsubscribe newsletter (withdraw Your consent) at any time. Simply click the special link at the end of each message or send us an e-mail requesting to unsubscribe. Withdrawal of consent does not affect the lawfulness of the processing of Your Personal Data based on consent before it's withdrawal.
MARKETING AND INFORMATION ABOUT OUR ACTIVITIES	We conduct marketing activities in compliance with applicable legal regulations, including respecting restrictions or bans on advertising and promotions. Sending Marketing Content You may optionally agree to receive from us, via Your chosen communication channel (e.g., email, SMS/MMS, or similar electronic means), our offers, information about auctions, and similar marketing content related to us and our activities. The legal basis for processing is your consent (Art. 6(1)(a) GDPR). Internet Marketing We may also - within the limits allowed by law - inform You about our activities using internet marketing tools (e.g., banners on other websites). For this purpose, we may use information collected when you use our website (e.g., the fact that You are a client/visited the webiste can help us optimize our online campaigns). The legal basis for such processing is our legitimate interest in informing You about our activities and services (Art. 6(1)(f) GDPR). We use marketing partners such as Meta (Facebook) to display our campaigns tailored based on information collected during Your use of the website, including through cookies, if You have consented to their use. The legal basis for this processing is Your consent (Art. 6(1)(a) GDPR). More information can be found in the cookie section of our privacy policy.

3. Cookies and Similar Technologies

We use cookies and similar technologies primarily for:

· ensuring proper website functioning;

· analytical and statistical purposes - to better understand user behavior and improve the website;

· marketing purposes (e.g., for internet campaign data collection).

3.1. Essential Cookies

Some cookies are necessary for the service's correct and secure operation. Their use does not require Your consent under applicable laws (Art. 398 of the Electronic Communications Law).

3.2. Analytical and Statistical Cookies

3.3. Marketing Cookies

All marketing activities comply with applicable advertising restrictions and bans relevant to our business.

3.4. External Providers' Tools

Google Analytics

More information about Google Analytics can be found at: https://support.google.com/analytics/answer/6004245?hl=en and in Google's Privacy Policy: www.google.com/policies/privacy/partners/.

Google Marketing Tools

Meta

The process of collecting and processing data is carried out jointly with Meta Platforms Ireland Limited (joint controllership). This includes the following purposes:

creating personalized or relevant advertisements and optimizing them;
providing commercial and transactional information (e.g., via Messenger).

Joint controllership does not include the following processes:

processes that occur after data is collected and transmitted to Meta (these are solely the responsibility of Meta);
preparation of reports and analyses in aggregated and anonymized form, carried out by Meta as a data processor, which falls under our responsibility.

HotJar

3.5. Consent to Use Cookies

In the case of third-party cookies, giving consent for their use also means consenting to the transfer of your data collected via those cookies to an external provider (another company).

Please note that blocking necessary cookies may cause the service to malfunction for technical reasons.

3.6. List of Cookies Used on the Website

Name	Cathegory	Provider	Duration	Description
__cf_bm	Essential	vimeo.com	1 day	This cookie, set by Cloudflare, is used to manage Cloudflare Bot Management.
CookieConsent	Essential	desa.pl	1 year	Stores the user's cookie consent state for the current domain.
csrftoken	Essential	desa.pl	1 year	Helps prevent CSRF (Cross-Site Request Forgery) attacks.
SESS#	Essential	desa.pl	14 days	Maintains user states between page requests.
test_cookie	Essential	doubleclick.net	1 day	Used to check if the user's browser supports cookies.
__lc_cid	Analytical / Statistical	accounts.livechatinc.com	400 days	Necessary for the chat function to operate on the website.
__lc_cst	Analytical / Statistical	accounts.livechatinc.com	400 days	Necessary for the chat function to operate on the website.
__oauth_redirect_detector	Analytical / Statistical	accounts.livechatinc.com	1 day	Allows the website to recognize the user to optimize chat functionality.
django_language	Analytical / Statistical	desa.pl	1 year	Specifies the visitor's preferred language. Enables the website to set the preferred language on return visits.
_clck	Analytical / Statistical	desa.pl	1 year	Collects data on user navigation and behavior on the website. Used to create statistical reports and heatmaps for the site owner.
_clsk	Analytical / Statistical	desa.pl	1 day	Records statistical data on user behavior on the website. Used for internal analysis by the website operator.
_cltk	Analytical / Statistical	clarity.ms	Session	Records statistical data on user behavior on the website. Used for internal analysis by the website operator.
_ga	Analytical / Statistical	desa.pl	25 months	Records a unique identifier used to generate statistical data on how the visitor uses the website.
ga#	Analytical / Statistical	desa.pl	25 months	Used by Google Analytics to collect data on the number of user visits, as well as first and last visit dates.
_gat	Analytical / Statistical	desa.pl	1 day	Used by Google Analytics to limit the number of requests.
_gid	Analytical / Statistical	desa.pl	1 day	Records a unique identifier used to generate statistical data on how the visitor uses the website.
_hjAbsoluteSesyjnyInProgress	Analytical / Statistical	desa.pl	1 day	This cookie counts how many times the site was visited by different users by assigning an identifier to avoid double counting.
_hjFirstSeen	Analytical / Statistical	desa.pl	1 day	This cookie determines whether the user has visited the site before or is a new visitor.
hjIncludedInSesyjnySample#	Analytical / Statistical	desa.pl	1 day	Collects statistics about visitor sessions, such as number of visits, average time spent, and pages viewed.
hjSesyjny#	Analytical / Statistical	desa.pl	1 day	Collects statistics about user sessions, including number of visits, average time on site, and pages viewed.
hjSesyjnyUser#	Analytical / Statistical	desa.pl	1 year	Collects statistics about user sessions, including number of visits, average time on site, and pages viewed.
_livechat_has_visited	Analytical / Statistical	cdn.livechatinc.com	Permament	Identifies visitors across devices and visits to optimize chat functions on the website.
c.gif	Analytical / Statistical	c.clarity.ms	Session	Collects data on user navigation and behavior for statistical reports and heatmaps for the site owner.
vuid	Analytical / Statistical	vimeo.com	2 years	Collects data about user visits on the site, such as pages viewed.
_fbp	Marketing	desa.pl	3 months	Used by Facebook to deliver a range of advertising products such as real-time bidding from external advertisers.
_gcl_au	Marketing	desa.pl	3 months	Used by Google AdSense to experiment with advertising effectiveness on websites using their services.
_uetsid	Marketing	bing.com	Permament	Tracks visitors across multiple websites to present relevant ads based on visitor preferences.
_uetsid	Marketing	desa.pl	1 day	Collects data on visitor behavior across multiple websites to deliver more relevant ads and limit repeated ad views.
_uetsid_exp	Marketing	bing.com	Permament	Contains the expiration date for the related _uetsid cookie.
_uetvid	Marketing	bing.com	Permament	Tracks visitors across multiple websites to present relevant ads based on visitor preferences.
_uetvid	Marketing	desa.pl	1 year	Tracks visitors across multiple websites to present relevant ads based on visitor preferences.
_uetvid_exp	Marketing	bing.com	Permament	Contains the expiration date for the related _uetvid cookie.
pagead/landing	Marketing	doubleclick.net	Session	Collects data on visitor behavior across multiple websites to present more relevant ads and limit repeated ad views.

3.7. Cookie Mechanism

3.8. Changing Cookie Settings

Below are instructions on how to change cookie settings in popular web browsers:

a) Internet Edge;

b) Mozilla Firefox browser;

c) Chrome browser;  

d) Safari browser;  

e) Opera browser. 

4. Personal Data Processing Period

The period of processing Your personal data depends on it's type, purpose, and the legal basis for processing. We store the data:

in the case of processing based on legitimate interest (e.g., protection against or pursuit of claims) – for the time necessary to fulfill that interest (e.g., for monetary claims – until the statute of limitations), unless you successfully object to the processing earlier;
when the basis for processing is the necessity to conclude and perform a contract – for the duration of that contract;
when processing is required by applicable legal regulations – for the time specified by those regulations (e.g., tax documentation is usually kept for 5 years from the end of the year in which the tax payment was due);
when data is processed based on consent – until the consent is withdrawn, unless the data is no longer needed for the purpose for which the consent was given.

5. Rights of Data Subjects

In accordance with Articles 15–22 of the GDPR, each user has the following rights:

Right of access to data (Article 15 GDPR): The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the data. In accordance with Article 15, the controller shall provide a copy of the personal data undergoing processing.
Right to rectification (Article 16 GDPR): The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay.
Right to erasure (“right to be forgotten") (Article 17 GDPR): The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing.

Right to restriction of processing (Article 18 GDPR): The data subject has the right to obtain from the controller restriction of processing where:

a) the accuracy of the data is contested – for a period enabling the controller to verify the data;

b) the data subject has objected to processing pursuant to Article 21(1) – pending verification whether the controller's legitimate grounds override those of the data subject;

c) the processing is unlawful and the data subject opposes the erasure of the data and requests restriction of their use instead.

Right to data portability (Article 19 GDPR)

Right to object: If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.
Right to lodge a complaint with a supervisory authority: If you believe that your personal data is being processed unlawfully, you have the right to lodge a complaint with a data protection supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office.

When exercising your rights described above, we may verify your identity.

6. Data Recipients

7. Transfer of Data Outside the EEA

8. Security

We take all necessary steps to ensure that our subcontractors and other cooperating entities also implement appropriate security measures when processing Your personal data on our behalf.

9. Our Contact Details and Data Protection Officer

You can contact us by mail at the following address: DESA Unicum S.A., str. Piękna 1A, 00-477 Warsaw, Poland.

10. Changes to the Privacy Policy

The current version of the privacy policy has been in effect since 22th/May/2025.

Withdrawing consent to the processing of personal data

Dear Sir or Madam,

Contact form

Download

(*the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)

Who is the controller of your personal data?

The controller of your personal data is Desa Unicum S.A. with the registered office in Warsaw at Piękna 1A (hereinafter referred to as "We", "Desa", or "Company") running the Desa Unicum Auction House and the website located at the following URL: www.desa.pl.

Contact regarding the processing of your personal data by Desa

In order to provide information regarding the processing of your personal data by Desa, you can contact us by letter, e-mail, and telephone, our contact details are provided below:

Piękna 1A
00-477 Warszawa
Phone no.: +48 22 163 66 00
fax +48 22 163 67 99
biuro@desa.pl

How did we receive your data?

We received the data from you upon concluding a commission contract, concluding a gallery sales contract, concluding a contract for conservation services, or contract for providing other services, submitting the item for valuation, via the contact form, during personal or online registration for our auctions, or you provided them to us by e-mail.

For what purpose and on what legal grounds do we process your personal data?

Processing your personal data is necessary to perform the contract concluded with you, including:

performance of contracts for sale, conservation services, framing, or commissioned sale;
handling complaints if you submit a complaint;
handling requests that you send to us (e.g. via the contact form);
contacting you, included in cases related to the performance of contracts, making and receiving payments.

In addition, the law requires us to process your data for:

tax and accounting purposes;
keeping a record book of monuments accepted or offered for sale;
counteracting money laundering and terrorist financing.

Your data is also processed by Desa in pursuance of our legitimate interest, for the purposes indicated below:

conducting marketing activities towards you, including conducting direct marketing regarding goods and services offered by Desa;
contacting you, including for purposes related to authorized marketing activities, through available communication channels, in particular and upon your consent - via e-mail and telephone;
handling your requests, in particular, the requests sent to the Customer Service Center and via the contact form in the cases when they are not directly related to the performance of the contract;
debt collection; conducting legal proceedings, arbitration and mediation proceedings;
storing data for archiving purposes and accountability (proving that we act in compliance with the obligation arising from applicable law).

Our website desa.pl applies Google Ads features, such as remarketing or conversion tracking, we use the consent of our customers from the European Economic Area and the United Kingdom for cookies or personal data for personalized advertisements (in the case of remarketing).

If you give your consent, we process your personal data in order to save data in cookies and collect data from websites.

You can withdraw your consent to the processing of personal data in any manner, at any time. We shall process your personal data until you withdraw your consent or until our duty to process your data, imposed on Desa by generally applicable law, expires.

Do you need to provide us your personal data?

For the purposes of performing the obligations arising from the contract concluded between you and us, as well as to comply with the requirements of generally applicable law, it is necessary that you provide the following personal data:

name and surname;
home address or address for correspondence;
Identification number PESEL or the number of your identity document;
e-mail address;
phone number;
bank account number.

If for some reason you do not provide your personal data (not including your bank account number), unfortunately we will not be able to conclude a contract with you.

If required by law, we may require you to provide other data necessary e.g. for accounting or tax purposes. Apart from these cases, providing your data is voluntary.

What are your rights related to the processing of personal data by Desa

You have the following rights related to the processing of personal data:

the right to withdraw consent to data processing,
the right of access to your personal data,
the right to demand rectification of your personal data,
the right to demand erasure of your personal data,
the right to demand restriction of processing of your personal data,
the right to object to the processing of your personal data resulting from your particular situation - cases in which we process your data in pursuance of our legitimate interest,
the right to data portability, that is to receive from your us the personal data you provided in a commonly used structured machine-readable format. You can send this data to another data controller or request that we send your data to another data controller. However, we shall send the data only if it is technically possible. The right to data portability applies only to the data which is processed on the basis of the contract concluded with you and upon your consent,

If you wish to exercise the above rights, contact us via the form available on the website www.desa.pl or at the reception desk at our headquarters.

You can exercise these rights in the following cases:

regarding the request for data rectification: you noticed that your data is incorrect or incomplete;
regarding the erasure of your data: the Company no longer needs your data for the original reason we collected or used it for; you have withdrawn your consent to data processing; have objected to the use of your data; your data have been used unlawfully; we have a legal obligation to erase your data or the data was collected from you as a child for an online service;
regarding the request to restrict data processing: you have noticed that your data is incorrect - you can request to restrict the processing of your data for a period that allows us to check whether your data is correct; your data have been used unlawfully, but you do not want your data to be erased; we no longer need your data, but you may need it to the defending or seeking legal claims; or you exercise your right to object to data processing - pending determining whether our legitimate grounds override the grounds for your objection;
regarding your request to transmit your data: the processing of your data takes place upon your consent or on the basis of the contract concluded with you, as well as when data processing takes place automatically.

You have the right to submit a complaint regarding the processing of your personal data by us to the supervisory body, which is the Inspector General for the Protection of Personal Data (address: Generalny Inspektor Ochrony Danych Osobowych, Stawki 2, 00-193 Warszawa).

In what situations can you object to the processing of your data by Desa?

You have the right to object to the processing of your personal data in the following cases:

the processing of your personal data is carried out on the basis of a legitimate interest or for statistical purposes and the objection is justified by your particular situation,
your personal data is processed for the purposes of direct marketing, including profiling.

Remember that you can exercise your right to object from 25 May 2018.

With whom do we share your personal data?

We share your personal data with entities supporting us in bookkeeping, running the website, IT systems, and providing consulting and auditing services. Entities authorized to process your personal data perform their tasks on the basis of a contract concluded with us and only in accordance with our instructions. The contracts for data processing concluded by us contain contractual clauses approved by the European Commission. In addition, we have the right to share your personal data with public authorities involved in countering fraud and abuse.

For how long do we store your personal data?

We store your personal data for the duration of the contract concluded with you and after its termination for:

seeking legal claims in connection with the performance of the contract,
performing duties resulting from legal provisions, including, in particular, for tax and accounting purposes,
preventing abuse and fraud,
statistical and archiving purposes,

a maximum of 10 years from the date of contract termination or for the period specified by law that requires us to process your data.

We store your personal data for marketing purposes for the duration of the contract or until you object to such processing, whichever occurs first.

Do we transfer your data to countries outside the European Economic Area?

Your personal data are transferred outside the European Economic Area to Google LLC based on appropriate legal safeguards, that is contractual clauses for the protection of personal data, approved by the European Commission.

Do we process your personal data automatically (including profiling) in a way that affects your rights

Your personal data will be processed in an automated manner, without the use of automated profiling. It shall not have any legal effects on you or materially affect your legal situation.

Withdrawing consent to the processing of personal data

Dear Sir or Madam,

Privacy Policy

PRIVACY POLICY

PRIVACY POLICY

Add object

Featured objects

Print settings