From the Piwowar's Library

Privacy policy

This Privacy Policy applies to websites and mobile applications ("Website") of Browar Zamkowy Cieszyn ("Browar"), on which the Brewery collects certain personal data. Please read this Privacy Policy carefully as it contains important information to help you understand our practices with regard to any personal information you provide to us and information that we collect other than in the context of the Website.

We respect your privacy and are committed to maintaining the security and management of your Personal Data in accordance with the legal obligations imposed on us under applicable data protection laws.

Most of the resources on our Websites can be used without providing us with any Personal Data. Certain services and purposes of the Website require you to provide us with Personal Data so that we can process your inquiries or send you newsletters or other information.

In order to better understand our Privacy Policy, please refer to the definitions indicated below:

  1. Data Administrator - an entity that independently or jointly with others sets the purposes, scope and methods of processing personal data,
  2. Personal data - information about an identified or identifiable natural person ("data subject"), where an identifiable natural person is understood as a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname , identification number, location data, internet identifier or one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person,
  3. Information Security Manager or KBI - a person appointed by the Data Administrator, coordinating activities related to ensuring the security of IT systems, including also responsible for supervising the protection of personal data processed in IT systems used by the Data Administrator,
  4. Personal Data Security Officer or OBDO - a person appointed by the Data Administrator, coordinating the processes related to compliance with the principles of personal data protection as part of the personal data processing processes taking place in the Data Administrator's structure,
  5. Supervisory authority - an independent public authority established to protect the fundamental rights and freedoms of natural persons in relation to the processing and to facilitate the free flow of personal data in the Union, established in each EU Member State, whose primary task is to monitor the application of the GDPR,
  6. Third country - a country not belonging to the European Economic Area.
  7. Processor (processor) - a natural or legal person, public authority, unit or other entity that processes personal data on behalf of the Data Administrator,
  8. Processing - an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, browsing, using, disclosing by sending, distributing or otherwise sharing, adjusting or combining, limiting, deleting or destroying,
  9. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on the protection of data),
  10. Act - the applicable Act on the Protection of Personal Data.


Who is the Administrator of your personal data?

The administrator of your personal data is Browar Zamkowy Cieszyn Sp. z o. o., a company that is part of the Żywiec Capital Group (see the full list below).

We operate as a Group, having common procedures for the protection of personal data and a common Personal Data Security Officer .

We operate as a Group of Companies, however, the flows of personal data between individual administrators take place only in certain situations, in accordance with the provisions of the GDPR.

When you provide us with your personal data in accordance with applicable law, you will receive an information clause that will indicate to you which specific company will be the administrator of your personal data. In the case of this Website, the personal data administrator is Browar Zamkowy Cieszyn.

Below you will find information about individual data administrators belonging to the Żywiec Capital Group:

(I) Grupa Żywiec SA with its seat in Żywiec, at ul. Browarna 88, 34-300 Żywiec, a company entered in the Register of Entrepreneurs of the National Court Register kept by the District Court in Bielsko Biała, 8th Commercial Division of the National Court Register, under KRS number: 0000018602, NIP: 5530007219, REGON: 070511111;

(II) Żywiec Sprzedaż i Dystrybucja Sp. z o. o. with its seat in Żywiec, at ul. Browarna 88, 34-300 Żywiec, a company entered in the Register of Entrepreneurs of the National Court Register kept by the District Court in Bielsko Biała, VIII Commercial Division of the National Court Register, under the KRS number: 0000004429, NIP: 5532198703, REGON: 072391763;

(III) Browar Zamkowy Cieszyn Sp. z o. o. with its seat in Cieszyn (43-400), ul. Drogaowa 2, registered by the District Court in Bielsko-Biała, VIII Commercial Division of the National Court Register under the number KRS 0000527259; NIP 5482667738, REGON 243693785,


When can we process your personal data?

There are different situations and processes in which we process personal data.

Each of the processing processes is monitored by us and analyzed in terms of the existence of the so-called the premises of legality (Article 6 of the GDPR), allowing us to process your personal data.

The most common situations when we process your personal data are: marketing purposes, in particular contests and lotteries that we organize on websites or social networks; contact forms; data related to contracts for the distribution of our products.

In the online environment, we use cookies that may collect certain information about individuals. The exact method of using cookies is described in Cookies Policy .

We do not use the so-called Qualified profiling, consisting in making automated decisions that cause legal effects to you or that may significantly affect you.


How do we protect your personal data?

We will use appropriate technical, physical and organizational measures to protect the Personal Data we collect against misuse, accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.

The security methods we use comply with applicable laws and regulations regarding privacy and data security. However, please note that no website can be 100% secure and we cannot be held responsible for any unauthorized or unintended access that occurs independently of us.

Our Website may contain links to other websites. We are not responsible for the privacy practices, content, or safeguards employed by these other sites. The Privacy Policy in question does not regulate the rules for the processing of personal data on linked websites. We always recommend that you read the privacy policies of other websites carefully.

As a Group, for many years we have attached great importance to the protection of your privacy:

  • We have appointed a Personal Data Security Officer , whose task is to maintain an appropriate level of respect for the right to privacy,
  • We train all our employees who may process your personal data. We build a sense of respect for your personal data within our organization,
  • We have implemented special internal procedures (Data Protection Policy) to ensure the processing of personal data in accordance with applicable law (including the GDPR),
  • We are subject to cyclical internal audits aimed at detecting possible irregularities or threats to your privacy,
  • We take care of our ICT infrastructure, striving to ensure that its protection measures are at the highest possible level.


Children's privacy

We do not knowingly collect Personal Data from persons under the age of 18. The Website is not intended for persons under the age of 18.


How can you contact the Data Administrator?

If you have any questions regarding your privacy, you can contact us at the following e-mail address:


Personal Data Security Officer in the Group

In order to maintain the highest level of personal data protection in the group, we appointed a Personal Data Security Officer .

You can contact the Personal Data Security Officer via the dedicated email address provided above.


Who do we share your personal data with?

Your personal data may be shared by us only in exceptional cases. In particular, the legal basis for disclosure may be legal provisions that allow public authorities to access personal data.


Who do we entrust your personal data to?

According to Art. 28 GDPR, external entities may support us in the processing of your personal data. For example, in order to run a competition, we may use the services of an external company that will collect personal data from you.

These entities may be located in Poland, other countries in the European Economic Area or elsewhere in the world. If Personal Data is stored by us outside the EEA, we will ensure an appropriate level of security of the transferred data. We require service providers to apply appropriate confidentiality protection measures and protect Personal Data.

The processor may not use your personal data for its own use. Processing is limited by the conditions described in the contract for entrusting the processing of personal data.

We monitor all processes under which your personal data is processed by external entities on an ongoing basis. The current register of such operations is available in the Register of Processing Activities maintained by us.

Processing entities are subject to audit procedures, as part of which we examine the security of the personal data entrusted to them.


What are your rights?

The provisions of the GDPR guarantee a wide range of rights to protect your privacy.

Remember that not all of the rights listed below apply in every situation.

On our part, we will do our best to exercise your rights.


Right to withdraw consent (Article 7 GDPR)

  1. In a situation where data processing is based on the consent of the data subject, this person has the right to withdraw it at any time.
  2. The effect of the withdrawal of consent is the inability to process personal data with reference to this basis of data processing in the future.
  3. Withdrawal of consent does not affect the lawfulness of the processing which was carried out on the basis of consent before its withdrawal.


Right to access data (Article 15 of the GDPR)

  1. The right to access data gives the data subject the right to:
    - obtaining from the Data Administrator confirmation as to whether personal data concerning him is being processed, and if so, also additional information regarding this processing (e.g. in terms of the purpose of processing, categories of data processed, categories of recipients of his personal data, etc.),
    - obtain a copy of the personal data subject to processing.
  2. The data subject may, at his discretion, although within the closed catalog specified in Art. 15 of the GDPR, shape the scope of obtained information or data provided in the form of copies. When exercising the powers granted, it may request the transfer of both each and all of the indicated in Art. 15 GDPR, as well as to request a copy or access to selected or all data.
  3. The exercise of the right to access personal data should result in providing the data subject with the information he or she requests.
  4. As a result of exercising the right to access personal data, the data subject may obtain a copy of the personal data in the format indicated by him. However, if it does not reserve this format in its request, the information should be provided using the same means of communication used by the data subject to submit his request to the Data Administrator.


The right to rectify data (Article 16 of the GDPR)

  1. The data subject has the right to:
    - rectification of incorrect personal data,
    - supplementing incomplete personal data.
  2. The data subject, with his request, should demonstrate that his request is in fact justified, ie the Data Administrator processes incorrect or incomplete data.
  3. Only after fulfilling the condition set out in point 2, the Data Administrator will be obliged to immediately correct incorrect data or to supplement incomplete data.
  4. According to Art. 19 GDPR, the Data Administrator informs each recipient to whom personal data has been disclosed about the rectification, unless it proves impossible or will require a disproportionate effort.


The right to delete data (Article 17 of the GDPR)

  1. The right to delete data consists of two partial rights:
    - the possibility of requesting the removal of personal data by the Data Administrator,
    - the possibility of requesting that the Data Administrator informs other data controllers to whom he has disclosed the personal data that the data subject requires these administrators to remove all links to this data, copies of this personal data or their replications (the so-called right to be forgotten) .
  2. The possibility of exercising the right to request the deletion of data by other administrators depends on the possibility of using the request to delete personal data by the original Data Administrator.
  3. The data subject may request the deletion of his personal data as indicated in art. 17 sec. 1 GDPR in cases, i.e. in a situation where her personal data are no longer necessary for the purposes for which they were processed, she withdrew her consent to the processing of data, objected to such processing, or her data were processed unlawfully.
  4. Deletion of personal data should be understood as complete destruction of data (including the media on which they were stored) or such modification that will not allow the identification of the data subject (the so-called data anonymization). The effect of the Data Administrator's actions should be the inability to further perform any operations on this data.
  5. In the case of the right to be forgotten, we are dealing only with the information obligation of the Data Administrator towards other administrators. The Data Administrator is not obliged to ensure that the data are actually deleted by these administrators. In addition, the scope of the obligation to inform other administrators is limited by: the available technology, the cost of fulfilling the obligation to inform, the appeal to take reasonable steps to fulfill this obligation.


Right to restriction of processing (Article 18 of the GDPR)

  1. The data subject has the right to request the restriction of the processing of personal data. Limiting the processing of personal data consists in the necessity to limit the processing of data only to their storage.
  2. The Data Administrator is obliged to limit data processing if there is one of the ones indicated in art. 18 GDPR, i.e. the data subject:
    - questions the correctness of personal data (processing restriction occurs automatically for a period allowing the Data Administrator to check the correctness of this data),
    - opposes the deletion of unlawfully processed personal data,
    - requests the application of a restriction of processing to data that should be removed, but which are necessary for her to establish, assert or defend her claims,
    - objected to the processing of personal data (processing restriction occurs automatically, for a period allowing the Data Administrator to determine whether the objection is justified).
  3. Examples of processing restrictions are:
    - temporary transfer of selected personal data to another processing system,
    - preventing users from accessing selected data,
    - temporary deletion of published data from the website.
  4. In any event, data for which processing has been restricted should be clearly distinguished from other data and may not be subject to further processing or modification.
  5. We will take reasonable steps to destroy or remove the identifying elements of the Personal Data that we hold when they are no longer needed for the purposes stated above or after the specified retention period.


Right to data portability (Article 20 GDPR)

  1. The data subject has the right to transfer data, which consists of two rights:
    - the right of the data subject to receive, in a structured, commonly used, machine-readable format, personal data concerning him, which he provided to the Data Administrator,
    - the right of the data subject to send personal data concerning him, which he provided to the Data Administrator, another administrator, without any obstacles on the part of the administrator to whom the personal data was provided.
  2. The rights referred to in point 1 may be exercised independently of each other and irrespective of the right to obtain a copy of the personal data being processed.
  3. The data subject may exercise the right to transfer personal data if two conditions are jointly met:
    - data processing is based on consent or for the performance of a contract, and
    - data processing is carried out in an automated manner (the right to transfer data does not include the so-called paper files).
  4. The right to data portability includes personal data relating to the person exercising that right, which that person has knowingly and actively provided . However, it does not include data inferred by the Data Administrator in the process of their processing.


Right to object (Art.21 GDPR)

  1. The data subject has the right to object to the processing of their personal data:
    - based on the public interest or legitimate interests, including profiling based on these provisions, for reasons related to its particular situation,
    - for direct marketing purposes,
    - for scientific or historical research purposes or for statistical purposes on grounds relating to her particular situation.
  2. In the event of receiving an effective objection to the processing of personal data, the Data Administrator should immediately stop processing the data in the scope covered by this objection.
  3. If the Data Administrator deems the objection to be groundless, in particular for the reason that, in his opinion, there is no special situation justifying the objection, a possible order to consider the objection may be issued by the supervisory authority as a result of a complaint lodged by the interested person.


social media

You can share the information on our Website via social media such as Facebook. This means that the information shared, including your name and preferences, will be visible to visitors to your personal pages. We recommend that you carefully read the privacy policies of entities running social media, as they relate to the processing of your Personal Data by these entities.



All the necessary information regarding cookies can be found in our cookie policy, available here .



This Privacy Policy will be reviewed by us and we will update it from time to time. Any changes to this Privacy Policy will be posted on our Website and communicated to you to the appropriate and possible extent.

If you intend to exercise any of your rights listed in our policy, please contact us via a dedicated email address. You also have the right to lodge a complaint with a supervisory authority.

As part of our website, we use cookies to collect information that helps us improve the website experience, adapt our advertising to your preferences and improve our products and services. By agreeing, you accept the privacy and cookie policy of this website. You can change cookie settings (including their blocking) in your browser settings at any time. Here you will find detailed information about the cookie policy and privacy policy .