Visiting hours today: 9:00 - 20:00

Data protection – GDPR

What is GDPR?


This is a commonly used abbreviation referring to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation / GDPR).

Personal data is any information that may identify you, for example, name and surname, telephone number, e-mail address or address for delivery of purchases made in our store. When we refer to the term “processing” or “processing” in the following document, we mean all activities and operations performed on your personal data

e.g. their storage or use for the purposes for which they were collected.


The following information clause applies to the statutory activities carried out by the Castle Museum in Malbork, for the implementation of which the Museum was established. Detailed information clauses are made available to persons whose personal data are processed by the Museum in individual data processing processes.


1. Who is the Administrator of your personal data?

The administrator of your personal data is the Malbork Castle Museum,
st. Starościńska 1, 82-200 Malbork, phone: +48 55 647 08 02, fax: +48 55 647 08 03,

email:, represented by the Director, hereinafter also referred to as the “Museum”.

2. How to contact us for more information about the processing of your personal data?

You can write to the Personal Data Inspector appointed by the Data Administrator: address, postal address: Data Protection Officer, Malbork Castle Museum,

st. Starościńska 1, 82-200 Malbork.


3. What is the purpose and legal basis for the processing of your personal data by the Administrator?


Purpose: We process your personal data because it is necessary to carry out our statutory activities.

The Statute is available at
Your personal data is processed in the scope of the Museum’s statutory activity

in particular in connection with:

collecting and securing museum exhibits, in particular searching for museum exhibits, purchasing museum exhibits, accepting donated museum items, depositing them, exchanging them, determining their value;
recording museum collections and obtaining information about them (especially about previous owners), including by keeping books and inventory cards, also in electronic form;
carrying out queries in the collections of the Museum;
conducting conservation of exhibits, including collecting historical and technical documentation of objects, conducting conservation expertise and technical documentation of objects;
conducting activities in the field of protection of cultural goods, including through cooperation with scientific and research institutions, antique shops, state organizational units;
conducting scientific activities, including organizing scientific events and participation of Museum employees in external conferences, conventions, symposiums;
conducting exhibition and popularizing activities, including exhibitions organized by the Museum;
conducting educational activities by the Museum, related to conducting museum lessons, cooperation with schools and other educational institutions;
activities undertaken by sponsors for the benefit of the Museum;
maintaining contacts by the Museum with representatives of the media and mass media in order to promote the activities of the Museum;
collecting, developing, recording, sharing archival materials, including materials recorded in the form of a film or recording;
activities related to running an online store by the Museum;
activities related to the running of the Karwan Center by the Museum.

In connection with its statutory activity, depending on its nature, the Museum processes the following personal data: name, surname, contact details – including correspondence address, information on the title or academic degree held, details of the unit/institution/company with which the is a specific person – if applicable, telephone number, e-mail address, data on the specialty of a given person in the related scope
with the substantive aspect of the functioning of the unit/institution/company, type and number of the identity document (if necessary) – access to other data on the identity document to verify the identity of the person; in the case of deceased persons, their data do not constitute personal data within the meaning of the general regulation on the protection of personal data.

The legal basis for the processing of your personal data is:

the relevant provisions of the GDPR, in particular:
article 6 sec. 1 lit. b) – processing is necessary for the performance of a contract to which the data subject is a party or to take action at the request of the data subject prior to entering into a contract;
article 6 sec. 1 lit. c) – processing is necessary to fulfill the legal obligation incumbent on the administrator;
article 6 sec. 1 lit. e) – processing is necessary to perform the task being performed
in the public interest or in the exercise of official authority vested in the administrator.

relevant provisions of national law, in particular:
Act of 21 November 1996 on museums,
Act of 25 October 1991 on organizing and conducting cultural activities,
Act of 23 July 2003 on the protection and care of monuments,
Act of 14 July 1983 on the National Archival Resources and Archives,
implementing regulations issued on the basis of the above.

We may also process your personal data on the basis of your prior consent, e.g. in order to receive an invitation to events organized by us.

You can withdraw your consent to the processing of personal data for purposes other than the implementation of statutory tasks at any time in the same way in which you expressed it. A declaration of withdrawal of consent may be sent to the Administrator’s correspondence address or e-mail address provided above.

4. What categories of recipients do we share your personal data with?

a. The recipients of your personal data will be entities authorized to receive your data on the basis of legal provisions.

b. If necessary, in the manner and in the form specified by the provisions of generally applicable law, we will share your data:

persons authorized by the Museum to process data as part of the performance of their official duties,
entities commissioned by the Museum to perform activities that require data processing,
entities conducting banking, postal and courier activities,
entities providing the Museum with advisory, consulting, auditing, legal and tax assistance services, as well as similar services,
persons conducting queries in the collections of the Museum,
persons conducting scientific and research work with the use of the Museum’s collections.

5. Do we transfer your data to countries outside the European Economic Area?

The Museum, as a rule, does not plan to transfer your personal data to a third country/international organization, although such a necessity may arise, especially as part of the Museum’s international cooperation or querying the Museum’s collections by citizens of these countries.


6. How long do we store your personal data?

We store your personal data for the time specified in detailed legal provisions, and then transfer it to the archive.

Your personal data processed by the Museum in connection with its statutory activities will be stored perpetually.

This is due to the special role of the Museum as an institution collecting cultural goods
and accompanying documentation. The legal grounds for such action result from:

article 5 sec. 1 lit. e) GDPR, which states that personal data must be kept in a form that allows identification of the data subject for no longer than is necessary for the purposes for which the data is processed; personal data may be stored for a longer period, as long as they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 sec. 1, subject to the implementation of appropriate technical and organizational measures required under this Regulation to protect the rights and freedoms of data subjects (“storage limitation”).
In connection with the above, the activity of the Museum as a state cultural institution in the field of personal data processing in the aspect of its statutory activity is subject to archival purposes in the public interest, and is also related to scientific and historical research.

the “Archive Instructions” binding at the Museum, adopted in accordance with the procedure provided for in the Act
of July 14, 1983 on the national archival resources and archives – in agreement
with the General Director of the State Archives. The “Archive Instruction” includes documents related to the statutory activities of the Museum in the “A” archival category, i.e. as perpetually stored.

7. What rights do you have towards the administrator regarding the processed data?

You have the right:

access to the content of your data, on the terms set out in art. 15 of the regulation,
to rectify them, on the terms set out in art. 16 of the regulation,
restriction of processing, on the terms set out in art. 18 of the regulation,
raise an objection, on the terms set out in Article 21 of the Regulation.
The use of the rights of the data subject is carried out on the basis of

o the rules and regulations of the regulation, the Personal Data Protection Act, the Code of Administrative Procedure and sectoral regulations.


8. Information on the right to lodge a complaint with the supervisory authority

If you become aware of the unlawful processing of your personal data by the Administrator, you have the right to lodge a complaint with the President of the Data Protection Office. Address: Office of the President of the Data Protection Office, ul. Stawki 2, 00-193 Warsaw, phone: 22 860 70 86.


9. Do you have to provide us with your personal data?

Providing your personal data (applies to the situation when the Museum obtains this data directly from you) is, as a rule, voluntary, and at the same time necessary to use
from the services of the statutory activities of the Museum – in particular in terms of access to the Museum’s collections, scientific and educational activities. Refusal to provide data will result in the inability to use the services of the statutory activities of the Museum.

10. Where do we get your data from?

We have received them from you in connection with our statutory activities, i.e. they have been made available to us under the law or with your consent.

In a situation where the Museum processes your personal data and it was obtained in a different way than directly from you, the source of this data may be:

publicly available sources, in particular materials posted on websites, social networking sites, publishing houses and publications, as well as contact details placed there;
personal sources, in particular employees of other cultural institutions.
The above applies in particular to the identification data of the person (name, surname, telephone number, e-mail address)

in connection with the search for cultural goods and information about them.


11. Do we process your personal data automatically (including through profiling) in a way that affects your rights?

Your personal data will not be processed in a way that enables automated decision-making, profiled, processed for purposes other than those referred to in the points above.


12. Does the Malbork Castle Museum use video monitoring?

The area of ​​the Castle Museum in Malbork is monitored. The aim is to ensure the protection of property and the safety of people staying on the premises of the Museum. While staying in the area of ​​the Museum, you accept the awareness of the implementation of legal requirements by the Museum in this respect. Monitoring records are stored for a period not longer than 30 days from the date of recording.


Buy tickets online

Opening Hours

  • Mon - Sun:9:00 - 20:00
  • Tue - Sun:9:00 - 19:00


Tourist Information

  • +48 55 647 08 00
  • +48 55 647 09 02
  • +48 55 647 09 78