Privacy policy – Information regarding the processing of personal data


The controller of your personal data is the National Library, with its seat in Warsaw at 213 Niepodległości Avenue, 02-086 Warsaw.


You can contact our Data Protection Officer by sending a message to the email address or by sending a letter to the address of the National Library of Poland given above.

  • Social media
     The controller has accounts on the social networks Facebook (Meta Platforms Ireland Limited), Instagram (Meta Platforms Ireland Limited), Twitter and YouTube. These accounts are maintained in order to provide information about the activities carried out and to communicate with users of the National Library’s social network pages using the functions provided by the respective services. In addition, personal data will be processed for the purpose of statistical analysis regarding the frequency of and manner of use of social media, which will be carried out using the tools provided by the respective social networking sites. Personal data will be processed for the above-mentioned purposes pursuant to Art. 6 Section 1 letter e GDPR.
    The controller processes the personal data of users of social networking sites who have subscribed to the National Library of Poland’s website, reacted to a post on the National Library’s website or social networking pages, or sent a private message.
    The controller, as the creator of the pages on the above-mentioned social networks provided by the specified entities, is the joint controller of personal data together with Meta Platforms Ireland Limited (headquartered at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland), Google Ireland Limited (headquartered at Gordon House, Barrow Street, Dublin 4, Ireland) Twitter International Company (located at 1 Cumberland St. S, Fenian St, Dublin 2, D02 AX07, Ireland). Each of the above-mentioned joint controllers decides independently on the purposes and means of data processing, albeit each to a different extent. The National Library of Poland is only liable in respect of the personal data it processes.
    Each social network has its own policy regarding the processing and protection of your personal information. In case of doubts or questions regarding the use of personal data by the above-mentioned social networks, please see the applicable privacy policy. Information on data processing by:
    • Our Facebook (Meta Platforms Ireland Limited) can be found at
    • Our Instagram (Meta Platforms Ireland Limited) can be found at:
    • Our YouTube can be found at:
    • Our Twitter can be found at:
  • CCTV
     In order to ensure the safety of people and property on the premises of the Palace of the Commonwealth, the controller uses CCTV. This CCTV covers the external and internal parts of the premises.
    The personal data of persons captured by cameras installed in the Palace of the Commonwealth are processed within the scope of this video surveillance. The processing of personal data is necessary to fulfil the legal obligation incumbent on the controller (Art. 6 Section 1 letter c of the GDPR) and the performance of a task carried out in the public interest (Art. 6 Section 1 letter e GDPR) consisting in the controller’s responsibility to ensure the safety of persons and property. More information on the processing of personal data can be found in the Information on the use of CCTV at the Palace of the Commonwealth.

  • Telephone contact
     If you contact the controller by phone regarding matters related to the controller’s activities, we may request personal data only insofar as it is necessary to handle and settle the matter to which the contact relates pursuant to Art. 6 Section 1 letter e GDPR. In cases where the matter does not concern the controller’s activities, personal data will be processed in order to respond to the inquiry pursuant to Art. 6 Section 1 letter a GDPR (consent).

  • Electronic and paper correspondence
     If correspondence related to the controller’s activity is sent to the controller by electronic or traditional means, personal data contained in this correspondence will be processed only for the purpose of communicating and settling the matter to which this correspondence relates pursuant to Art. 6 Section 1 letter e GDPR. In cases where the matter does not concern the controller’s activities, personal data will be processed in order to respond to the inquiry pursuant to Art. 6 Section 1 letter a GDPR (consent).
    All correspondence is stored in a manner that ensures the security of the personal data and other information contained therein and is disclosed only to authorised persons.

Personal data will be stored for the period of time indicated by the archive category as listed in the National Library’s Uniform Tangible File List, which, pursuant to Art. 6 Section 2 of the Act of 14 July 1983 on the National Archival Resources and Archives (Journal Laws of the Republic of Poland, 2020, item 164), was prepared in consultation with the General Director of State Archives.

If the processing of personal data is based on consent, the data will be processed until consent is withdrawn or the purpose for which it was collected ceases to exist.

The period of data processing may be extended if the processing is necessary to establish, pursue or defend against any claims, and thereafter only if and to the extent required by law. The data are irreversibly deleted or anonymized when the processing period ends.


Personal data are disclosed to external entities – including in particular partner institutions, suppliers responsible for the provision and maintenance of IT systems and equipment, entities providing legal services – in connection with the conduct of activities that require the processing of personal data. In justified cases, personal data may be transferred to a supervisory authority.

The controller reserves the right to disclose selected information concerning the data subject to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.


In connection with the processing of personal data, you have the right to request from the controller:

  • access to the data and a copy of the data subject to processing in accordance with Art. 15 GDPR. If you request a copy of the data, the controller may charge a fee based on the administrative costs. If you as the data subject requests a copy electronically, and unless otherwise indicated, the information will be provided in a commonly used electronic form;
  • the correction of your data if they are incorrect, or the supplementation of incomplete personal data, in accordance with Art. 16 GDPR;
  • the deletion of data – “the right to be forgotten” – in accordance with Art. 17 GDPR;
  • the restriction of processing in accordance with Art. 18 GDPR;
  • the transfer of data to another controller in accordance with Art. 20 GDPR;
  • the objection to processing in accordance with Art. 21 GDPR;

If the processing of personal data is based on your consent, this consent may be withdrawn by you at any time without this affecting the lawfulness of processing activities previously performed.

An application regarding the exercise of the abovementioned rights may be submitted:

  • by letter sent to the following address: Biblioteka Narodowa, al. Niepodległości 213, 02-086 Warsaw
  • to the email address:

The application should, as far as possible, precisely indicate what the request concerns, i.e. in particular:

if the controller is unable to clarify the content of the request or identify the person submitting the request based on the submitted application, it will ask the applicant for additional information.
A response to the request will be provided within one month of its receipt. If it is necessary to extend this period, the controller will inform the applicant about the reasons for such extension.

The response will be provided to the email address from which the application was sent or, in the case of applications sent by post, by mail to the address indicated by the applicant, unless the content of the application indicates the desire to receive feedback to an email address (in this case, the email address must be provided).

In addition, you have the right to lodge a complaint to the President of the Office for Personal Data Protection with its seat in Warsaw at Stawki 2, 00-193 Warsaw, in the event that you consider that the processing of your personal data violates the provisions of the GDPR or other provisions determining the manner of processing and protection of personal data.

1 GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4 May 2016, p. 1, as amended).