Skip to content

Accessibility

Font size
Contrast

Privacy policy

Privacy policy

Effective date: 26 April 2026

§ 1. Preliminary provisions and legal basis

  1. This document (the "Policy") sets out the principles for the processing of personal data in connection with the operation of the website at wetlina.bernardyni.pl (the "Service") and the privacy protection rules for data subjects.
  2. The Policy fulfils the information obligation under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR").
  3. For pastoral and sacramental activity, special rules apply pursuant to Article 91 GDPR, in particular the General Decree of the Polish Bishops' Conference on the protection of natural persons with regard to the processing of personal data in the Catholic Church of 13 March 2018 (the "KEP Decree") and the 1983 Code of Canon Law.

§ 2. Data Controller

  1. The data controller (the "Controller") is the Bernardine Monastery in Wetlina - Roman Catholic Parish of Divine Mercy, registered office: Wetlina 40a, 38-608 Wetlina, Subcarpathian Voivodeship, Poland.
  2. The Controller may be contacted regarding personal data:
    • by e-mail: bernardyni.wetlina@wp.pl,
    • by telephone: +48 452 415 506,
    • by post: Wetlina 40a, 38-608 Wetlina, Poland.
  3. The Controller has not appointed a Data Protection Officer within the meaning of Article 37 GDPR. All data protection enquiries should be addressed directly to the Controller.

§ 3. Purposes, legal bases and retention

  1. Handling of electronic correspondence and the contact form - scope: name, e-mail address, message content and any data voluntarily provided. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in handling enquiries). Retention: until the purpose ceases, no longer than 12 months from the last contact, or until applicable limitation periods expire.
  2. Service security - scope: IP address, session identifier, browser and operating system information, timestamp, requested resources (server logs). Legal basis: Art. 6(1)(f) GDPR (security of the IT system). Retention: up to 30 days.
  3. Anonymous statistics - scope: anonymised traffic data. Legal basis: Art. 6(1)(f) GDPR. Retention: up to 26 months.
  4. Cookies and similar technologies - addressed in detail in the separate Cookies Policy.
  5. Pastoral and sacramental activity - processing of parish registers, mass intentions, marriage banns and other data relating to the administration of sacraments is governed by the KEP Decree and canon law. Data on administered sacraments are not subject to deletion (Article 14 KEP Decree).

§ 4. Recipients and processing entrustment

  1. Personal data may be disclosed to:
    • hosting and Service-maintenance providers - under data processing agreements compliant with Article 28 GDPR;
    • e-mail service providers - to the extent necessary to handle correspondence;
    • competent ecclesiastical authorities (Metropolitan Curia in Przemyśl, Church Inspector for Personal Data Protection) - to the extent and on the terms required by canon law;
    • public authorities entitled to receive data under generally applicable laws.
  2. The Controller does not transfer personal data to third countries or international organisations within the meaning of Articles 44 et seq. GDPR.
  3. The Controller does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect the data subject (Article 22 GDPR).

§ 5. Rights of data subjects

  1. Where processing is governed by the GDPR, the data subject has the right to:
    1. access (Article 15 GDPR);
    2. rectification (Article 16 GDPR);
    3. erasure ("right to be forgotten" - Article 17 GDPR);
    4. restriction of processing (Article 18 GDPR);
    5. data portability (Article 20 GDPR);
    6. object to processing based on legitimate interest (Article 21 GDPR);
    7. withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal (Article 7(3) GDPR);
    8. lodge a complaint with the supervisory authority - President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl (Article 77 GDPR).
  2. Where processing is governed by the KEP Decree, the data subject has the right to:
    1. request rectification of data (Article 12 KEP Decree);
    2. request supplementation or annotation in the registry (Article 13 KEP Decree);
    3. request deletion - except data on administered sacraments or canonical status (Article 14 KEP Decree);
    4. lodge a complaint with the Church Inspector for Personal Data Protection, Skwer Kard. Stefana Wyszyńskiego 6, 01-015 Warsaw, e-mail: kiod@episkopat.pl (Article 41 KEP Decree).
  3. Requests are submitted in writing or electronically. The Controller responds without undue delay and in any event within one month of receipt (Article 12(3) GDPR).

§ 6. Voluntary nature and consequences of refusal

  1. Provision of data in the contact form and in correspondence is voluntary but necessary to handle the enquiry. Failure to provide data prevents a response.
  2. Provision of data in connection with the administration of sacraments or other canonical actions is required by canon law and the KEP Decree.

§ 7. Technical and organisational measures

  1. The Controller applies technical and organisational measures appropriate to the risks (Article 32 GDPR), including:
    • encrypted data transmission (HTTPS/TLS);
    • protection against CSRF and XSS attacks;
    • regular software updates;
    • role-based access control and multi-factor authentication for administrative accounts;
    • backups stored in a way that prevents unauthorised access.
  2. In the event of a personal data breach, the Controller notifies the supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR), unless the breach is unlikely to result in risk.

§ 8. Amendments

  1. The Controller reserves the right to amend the Policy in case of changes in law, technical conditions of electronic services, or the scope of processing.
  2. Material amendments will be announced in the Service at least seven days in advance.
  3. The current version is available at /en/privacy.

§ 9. Final provisions

  1. Matters not regulated herein are governed by the GDPR, the Polish Act of 10 May 2018 on personal data protection, the Polish Act of 18 July 2002 on the provision of electronic services, and the KEP Decree.
  2. The Policy enters into force on the date of publication in the Service.

© 2026 Bernardine Monastery in Wetlina. All rights reserved.

Terms of Use Privacy Policy Cookie Policy
News Masses Contact Donate