Privacy policy of the Fort Institute of Photography Foundation
1. Data controller
The data controller is the FORT Institute of Photography Foundation with its registered office in Warsaw (02-634), ul. Władysława Szpilmana 6, entered in the Register of Associations, Other Social and Professional Organisations, Foundations and Independent Public Healthcare Institutions, as well as in the Register of Entrepreneurs of the National Court Register (KRS) under number 0000638516, NIP: 5213749411, REGON: 365493161 (hereinafter referred to as the “Controller” or the “Foundation”).
The Controller has not appointed a Data Protection Officer. In matters related to the processing of personal data, please contact the Controller directly at: biuro@fiff.org.pl.
2. What are personal data
Personal data means any information relating to an identified or identifiable natural person.
The Foundation processes, in particular, the following categories of personal data: first and last name, e-mail address, telephone number, IP address, and, where justified, also data such as residential address, date of birth, bank account number (e.g. in the case of donations) or other data necessary for the conclusion and performance of a contract.
In the case of artistic or curatorial cooperation, the Foundation may also process information concerning artistic achievements, exhibitions, publications or functions held.
3. Legal bases for the processing of personal data
Personal data are processed in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR),
- the Act of 10 May 2018 on the protection of personal data.
Personal data are processed on the following legal bases:
- Article 6(1)(a) GDPR – on the basis of the data subject’s consent,
- Article 6(1)(b) GDPR – for the purpose of concluding or performing a contract or taking steps prior to entering into a contract,
- Article 6(1)(c) GDPR – for the purpose of fulfilling legal obligations incumbent on the Controller,
- Article 6(1)(f) GDPR – for the purpose of pursuing the statutory activities of the Foundation, conducting correspondence, and in other cases constituting the Controller’s legitimate interests.
4. Purposes of processing
Personal data are processed in particular for the purpose of:
- conducting correspondence,
- concluding and performing cooperation agreements,
- organising events (including exhibitions, workshops, seminars, webinars),
- carrying out informational and promotional activities of the Foundation,
- handling donations,
- fulfilling accounting, tax and archiving obligations.
5. Rights of data subjects
Data subjects are entitled to the rights provided for in the GDPR, in particular the right to:
- access their personal data and obtain a copy thereof,
- rectify personal data,
- erase personal data,
- restrict the processing of personal data,
- data portability – to the extent provided for by law,
- object to the processing of personal data,
- withdraw consent at any time, where processing is based on consent.
Data subjects also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland).
6. Contact and exercise of rights
Requests concerning the processing of personal data may be submitted by e-mail to: biuro@fiff.org.pl.
The Controller shall respond without undue delay, no later than within one month of receipt of the request.
7. Recipients of personal data
Personal data may be disclosed to entities cooperating with the Foundation only to the extent necessary to achieve the purposes of processing, in particular to:
- entities providing IT and hosting services,
- entities providing accounting, legal or banking services.
Such entities process personal data on the basis of data processing agreements, in accordance with Article 28 GDPR.
Personal data may also be disclosed to public authorities where required by law.
8. Transfer of data outside the EU
As a rule, the Foundation does not transfer personal data outside the European Economic Area.
Where external tools are used, such as social media services (e.g. Facebook, Instagram) or analytical tools (e.g. Google Analytics), personal data may be transferred to third countries in accordance with the principles set out by the providers of those services and applicable law, including on the basis of adequacy decisions or standard contractual clauses.
9. Data retention period
Personal data are stored for the period necessary to achieve the purposes for which they were collected and thereafter for the period required by applicable law or the limitation period for potential claims.
In particular:
- data related to contracts – for the duration of the contract and thereafter for the period required by law,
- data processed on the basis of consent – until the consent is withdrawn,
- data processed for accounting and tax purposes – for the period required by law.
10. Events organised by the Foundation
Where individuals register for events organised by the Foundation (e.g. workshops, training sessions, webinars), personal data are processed for the purpose of organising and conducting the event, on the basis of Article 6(1)(a) or (b) GDPR.
Providing personal data is voluntary, but necessary in order to participate in the event.
11. Newsletter and informational communications
Where the Foundation sends a newsletter or other informational communications, personal data are processed on the basis of the data subject’s consent (Article 6(1)(a) GDPR).
Consent may be withdrawn at any time.
12. Donations
In the case of donations, donors’ personal data are processed to the extent necessary to handle the donation, maintain accounting records and fulfil legal obligations, on the basis of Article 6(1)(c) and (f) GDPR.
13. Obligatory or voluntary provision of data
Providing personal data is voluntary; however, in some cases it is necessary in order to conclude a contract, participate in an event or carry out other activities of the Foundation.
14. Automated decision-making
Personal data are not used for automated decision-making, including profiling, within the meaning of Article 22 GDPR.
15. Final provisions
This Privacy Policy is effective as of 9 January 2026 and may be updated in the event of changes in applicable law or the methods of processing personal data.