Privacy policy

This Privacy Policy sets out the rules for the processing and protection of personal data of users of the agrena.pl website (hereinafter: the “Website”) and persons contacting the controller in commercial matters. The document has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and with the Polish Act of 18 July 2002 on the Provision of Services by Electronic Means.

1. Data Controller

The Controller of your personal data is AGRENA Sp. z o.o., with its registered office in Łąka Prudnicka, ul. Różana 1, 48-200 Prudnik, Poland, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court in Opole, 8th Commercial Division of the National Court Register, under KRS number 0001081835, NIP (Tax ID): 7551942552, REGON: 527468212.

Contact with the Controller:

  • e-mail: biuro@agrena.pl
  • telephone: +48 537 161 438 (Damian Skoczeń) or +48 502 005 423 (Wojciech Bieszczad)
  • correspondence address: ul. Różana 1, Łąka Prudnicka, 48-200 Prudnik, Poland

The Controller has not appointed a Data Protection Officer, as the circumstances requiring such appointment under Article 37 of the GDPR do not apply.

2. Scope of Data Collected

In connection with the operation of the Website and its commercial activities, the Controller may process the following categories of personal data:

  • identification data (first name, surname, company name, NIP/tax ID, REGON, KRS number)
  • contact data (e-mail address, telephone number, correspondence address, farm address)
  • commercial data (content of inquiries, information on crops, quantities and quality parameters of goods, preferred commercial conditions)
  • technical data (IP address, browser identifier, device data, time and manner of use of the Website, data collected via cookies — see the Cookies Policy for details)
  • data voluntarily provided in messages addressed to the Controller

The Controller does not process special categories of data (so-called sensitive data) or data concerning criminal convictions and offences.

3. Purposes and Legal Bases of Processing

Your personal data is processed for the following purposes and on the following legal bases under the GDPR:

  • a) conclusion and performance of a commercial agreement and conducting pre-contractual negotiations — legal basis: Article 6(1)(b) of the GDPR (necessity for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract);
  • b) compliance with legal obligations to which the Controller is subject, in particular those arising from tax law, accounting law and regulations on agricultural commodities trade — legal basis: Article 6(1)(c) of the GDPR;
  • c) pursuit of the legitimate interests of the Controller, including: the establishment, exercise or defence of legal claims; preservation of commercial documentation for evidence purposes; direct marketing of the Controller’s own products and services; ensuring the security of the Website and protection against abuse – legal basis: Article 6(1)(f) of the GDPR;
  • d) sending commercial information by electronic means and conducting marketing using telecommunications terminal equipment – legal basis: Article 6(1)(a) of the GDPR (consent of the data subject), in connection with the Polish Act on the Provision of Services by Electronic Means and the Telecommunications Law.

4. Retention Period

Personal data is retained for the period necessary to achieve the purposes for which it was collected:

  • data processed in connection with the conclusion and performance of a contract — for the duration of the contract and until the expiry of the limitation period for claims arising therefrom (in accordance with the Polish Civil Code) or until the expiry of the limitation period for public law liabilities (in particular tax liabilities — generally 5 years counted from the end of the calendar year in which the tax payment deadline expired), whichever is longer
  • data processed for negotiations that did not result in the conclusion of a contract — for a period of 5 years from the last contact regarding the conclusion of the contract
  • data processed on the basis of consent — until the consent is withdrawn or the purpose for which the consent was given is fulfilled
  • data processed for direct marketing purposes — until an effective objection to processing is raised
  • data collected via cookies — in accordance with the periods specified in the Cookies Policy

5. Recipients of Data

Your personal data may be transferred to the following categories of recipients, only to the extent necessary to achieve the purposes of processing:

  • entities providing IT services to the Controller (hosting, e-mail services, analytical tools, Website maintenance)
  • entities providing accounting services
  • entities providing legal services
  • banks, to the extent necessary for the execution of payments
  • postal operators and courier companies
  • transport companies, to the extent necessary for the collection of goods
  • commercial partners of the Controller (mills, oil presses, processing plants, exporters), only to the extent necessary for the execution of a specific transaction
  • state authorities and supervisory bodies, on the basis of applicable laws

All entities processing data on behalf of the Controller are bound by appropriate data processing agreements concluded in accordance with Article 28 of the GDPR.

6. Transfer of Data Outside the European Economic Area

As a rule, the Controller does not transfer personal data to countries outside the European Economic Area (EEA) or to international organisations.

Where the Website uses tools of external providers (e.g. the TradingView widget), certain technical data may be processed by these entities in accordance with their own privacy policies. Details of these data flows are described in the Cookies Policy.

If a transfer of data outside the EEA were necessary, it would only take place using appropriate safeguards provided for in Chapter V of the GDPR (e.g. standard contractual clauses approved by the European Commission).

7. Your Rights

In connection with the processing of personal data, you have the following rights:

  • right of access to your data and to obtain a copy thereof (Article 15 GDPR)
  • right to rectification of incorrect data or completion of incomplete data (Article 16 GDPR)
  • right to erasure of data – the “right to be forgotten” (Article 17 GDPR)
  • right to restriction of processing (Article 18 GDPR)
  • right to data portability – with regard to data processed on the basis of consent or contract by automated means (Article 20 GDPR)
  • right to object to the processing of data – in particular to processing for direct marketing purposes (Article 21 GDPR)
  • right to withdraw consent at any time – without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal (Article 7(3) GDPR)
  • right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland

To exercise the above rights, please contact us at: biuro@agrena.pl or in writing to the registered address of the Controller.

8. Voluntary Nature of Providing Data

Providing personal data is voluntary, but in some cases may be a necessary condition for achieving a specific purpose:

  • in the case of concluding a contract — providing data is a condition for its conclusion and performance
  • in the case of issuing an invoice — providing identification data is a requirement of tax law
  • in the case of receiving commercial information by electronic means — providing an e-mail address and granting consent is a condition for receiving such information

9. Automated Decision-Making and Profiling

Your personal data is not used for automated decision-making, including profiling, within the meaning of Article 22 of the GDPR.

10. Data Security

The Controller applies appropriate technical and organisational measures to ensure the protection of processed personal data, including in particular:

  • encryption of electronic communication with the Website (HTTPS protocol)
  • control of access to IT systems (logins and passwords, authentication)
  • data backups
  • antivirus and firewall protection
  • staff training in data protection
  • physical protection of premises where data is processed
  • procedure for reporting and handling security incidents

The full data security principles are set out in the internal Information Security Policy in force at the Controller.

11. Cookies

The Website uses cookies and similar technologies. Detailed information on the types of cookies used, the purposes for which they are used, their retention periods and how to manage them is provided in the Cookies Policy.

12. Changes to the Privacy Policy

The Controller reserves the right to make changes to this Privacy Policy, in particular in the event of changes in the law or changes in the way the Website operates. The current version of the Privacy Policy is always available at agrena.pl/polityka-prywatnosci.