GDPR — Information Clause
In accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation — hereinafter “GDPR”), we hereby inform you about the rules for the processing of your personal data by AGRENA Sp. z o.o.
1. Data Controller
The Controller of your personal data (hereinafter: the “Controller”) is:
AGRENA Sp. z o.o.
ul. Różana 1, 48-200 Prudnik, Poland
NIP (Tax ID): 7551942552
REGON: 527468212
KRS: 0001081835
The register files are held at the District Court in Opole, 8th Commercial Division of the National Court Register.
Contact with the Controller in all matters relating to the processing of personal data:
- e-mail: biuro@agrena.pl
- telephone: +48 537 161 438 (Damian Skoczeń) or +48 502 005 423 (Wojciech Bieszczad)
- correspondence address: ul. Różana 1, Łąka Prudnicka, 48-200 Prudnik, Poland
2. Purposes and legal bases of data processing
The Controller processes your personal data for the following purposes and on the following legal bases:
- conclusion and performance of a commercial agreement (including negotiations for the conclusion of a contract, preparation of offers, invoicing, organisation of goods collection, payment settlement, complaint handling). Legal basis: Article 6(1)(b) of the GDPR — necessity for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract;
- compliance with legal obligations of the Controller, arising in particular from the Accounting Act, tax law (including the VAT Act), regulations on the trade of agricultural commodities and requirements of the GMP+ FSA and KZRiNG certification systems (in the scope of supplier identification and raw material traceability). Legal basis: Article 6(1)(c) of the GDPR;
- pursuit of the legitimate interests of the Controller, which are: the establishment, exercise or defence of any claims, preservation of commercial documentation for evidence purposes, direct marketing of the Controller’s own products and services (including sending a weekly market report) and management of relations with business partners. Legal basis: Article 6(1)(f) of the GDPR;
- sending commercial information by electronic means and conducting marketing using telecommunications terminal equipment. Legal basis: Article 6(1)(a) of the GDPR (consent of the data subject), in connection with the Polish Act of 18 July 2002 on the Provision of Services by Electronic Means and the Polish Telecommunications Law of 16 July 2004.
3. Categories of data processed
The Controller processes the following categories of your personal data:
- identification data: first name, surname, company name, NIP/tax ID, REGON, KRS number, agricultural holding register number
- contact data: address of the company or farm, correspondence address, e-mail address, telephone number
- commercial data: information on the goods offered (type, quantity, quality parameters), commercial terms, transaction history
- banking data: bank account number (to the extent necessary for the execution of payments)
- tax data: tax status (active VAT taxpayer or flat-rate farmer), tax declarations
- data resulting from certification: information required by the GMP+ FSA and KZRiNG standards
The Controller does not process special categories of data (Article 9 GDPR) or data concerning criminal convictions (Article 10 GDPR).
4. Source of data
The Controller obtains your personal data:
- directly from you — during the first contact, in the course of negotiations, when concluding a contract, when executing transactions
- from publicly available registers (National Court Register, Central Register and Information on Economic Activity, Central Register of VAT Taxpayers — the so-called “white list”)
- from the Controller’s business partners — with regard to the data of persons indicated as contact persons on the partner’s side
- from commercial industry databases (e.g. databases of agricultural producers), where this is lawful and necessary to establish commercial contact
5. Retention period
Your personal data is retained for the period necessary to achieve the purposes for which it was collected:
- data collected for the purpose of concluding a contract – for the period of negotiating the terms of the contract and, if the contract has not been concluded, for a period of 5 years from the last contact regarding the conclusion of this contract
- data collected for the performance and settlement of the contract — until the end of the limitation period for claims that may arise from this contract or until the end of the limitation period for public law liabilities (in particular tax liabilities, generally 5 years counted from the end of the calendar year in which the tax payment deadline expired) — whichever is longer
- data processed for direct marketing purposes — until effective objection to such processing is raised or consent is withdrawn (if processing was based on consent)
- data required by the GMP+ FSA and KZRiNG quality certification standards — for the period required by these certification standards
After expiry of the retention periods, data is permanently deleted or anonymised.
6. Recipients of personal data
Your personal data may be transferred to the following categories of recipients, only to the extent necessary to achieve the purposes of processing:
- entities providing IT services (server hosting, e-mail services, analytical tools)
- entities providing accounting services
- entities providing legal services
- banks – for the execution of payments
- postal operators and courier companies
- transport companies – for the collection of goods from the farm
- commercial partners of the Controller (mills, oil presses, processing plants, exporters) – only to the extent necessary for the execution of chain transactions
- certification and control bodies in the scope of GMP+ FSA and KZRiNG certification
- state authorities, courts, law enforcement bodies and public administration bodies — on the basis of and to the extent specified by applicable laws
All entities to which the Controller entrusts the processing of personal data on its behalf are bound by data processing agreements concluded in accordance with Article 28 of the GDPR.
As a rule, your personal data is not transferred to third countries (outside the European Economic Area) or to international organisations within the meaning of the GDPR.
7. Rights of the data subject
To the extent provided for by the GDPR, you have the following rights:
- right of access to data (Article 15 GDPR) — the right to obtain confirmation from the Controller as to whether or not your personal data is being processed, and if so, to obtain access to such data and information on the processing;
- right to rectification of data (Article 16 GDPR) — the right to request the immediate rectification of inaccurate data and the completion of incomplete data;
- right to erasure of data — the “right to be forgotten” (Article 17 GDPR) — the right to request the immediate erasure of data in the cases specified in the GDPR;
- right to restriction of processing (Article 18 GDPR) — the right to request restriction of processing in the cases specified in the GDPR;
- right to data portability (Article 20 GDPR) — the right to receive data in a structured, commonly used and machine-readable format and the right to have such data transmitted to another controller;
- right to object to processing (Article 21 GDPR) — the right to object to the processing of data based on the legitimate interests of the Controller, including against direct marketing;
- right to withdraw consent (Article 7(3) GDPR) — in cases where processing is based on consent, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal;
- right to lodge a complaint with the supervisory authority — if you consider that the processing of data violates the provisions of the GDPR, you have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland.
To exercise the above rights, please contact us at: biuro@agrena.pl or in writing to the registered address of the Controller.
8. Voluntary nature of providing data
Providing your personal data is voluntary; however, it is a necessary condition for:
- concluding and performing a commercial agreement with the Controller
- issuing an invoice and settling the transaction
- fulfilling obligations arising from the GMP+ FSA and KZRiNG certification systems
- receiving commercial information by electronic means (on the basis of the consent granted)
Failure to provide data in the above cases may prevent the establishment of commercial cooperation.
9. Automated decision-making and profiling
Your personal data is not subject to automated decision-making, including profiling, within the meaning of Article 22 of the GDPR.
10. Data security
The Controller ensures an appropriate level of security of your personal data by applying technical and organisational measures appropriate to the type of data processed and the risk of its processing, including in particular:
- restricting access to data only to persons authorised by the Controller
- securing IT systems with passwords and authentication
- encryption of data carriers and electronic communication
- regular creation of backups
- use of antivirus software and a firewall
- physical protection of premises where data is processed
- staff training in personal data protection
- regular updating of the security measures applied
Detailed security principles are set out in the Information Security Policy in force at the Controller.
11. Changes to the information clause
The Controller reserves the right to make changes to this information clause in the event of changes in the law or changes in the way data is processed. The current version of the clause is always available at agrena.pl/rodo.