FBA Privacy Policy

Freedom Business Area Foundation (Radom, Poland)

This Privacy Policy (“Policy”) explains how the Freedom Business Area Foundation with its registered office in Radom (the “Controller”, “we”) processes personal data. It applies to personal data collected through the website available at https://fba.ink/ (the “Website”), as well as data obtained through other channels, for example by phone or email.

We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation, “GDPR”).

1. Data Controller

The controller of your personal data is Fundacja Freedom Business Area with its registered office in Radom, at ul. Henryka Sienkiewicza 36/5, 26-600 Radom, Poland, entered in the register of associations, other social and professional organisations, foundations, and independent public healthcare units, and in the register of entrepreneurs of the National Court Register kept by the District Court Lublin–Wschód in Lublin with its seat in Świdnik, 6th Commercial Division of the National Court Register, under KRS number 0000962284, NIP 9482632966, REGON 521560632.

2. How to Contact Us

You can contact us in any of the following ways:

  • by post: ul. Henryka Sienkiewicza 36/5, 26-600 Radom, Poland
  • by email: rodo@fba.ink
  • by phone: +48 737 308 669

3. Why We Process Data, Legal Basis, Retention, and Whether Data Is Required

The purpose of processing, legal basis, retention period, and whether providing data is required depends on the context in which you interact with us. Below we describe the main situations.

3.1. Website use, cookies, and analytics

When you use our Website, we may process information collected through cookies and similar technologies to ensure the Website works correctly and to compile statistics about how users interact with the Website.

  • Legal basis: our legitimate interest (Article 6(1)(f) GDPR), i.e., ensuring the proper functioning of the Website and improving its content and features based on usage analysis.
  • Is providing data required? No. It is voluntary. However, blocking certain cookies may prevent the Website from functioning properly and may limit our ability to analyze interest in Website content.
  • Retention: cookies are stored on your device for the period defined in cookie settings/parameters or until you delete them manually.

Additional details about cookies are provided in our cookie policy.

3.2. Handling claims and defending against claims

We may process personal data to establish, pursue, or defend legal claims related to our activities.

  • Legal basis: our legitimate interest (Article 6(1)(f) GDPR), i.e., protecting our rights and managing disputes.
  • Is providing data required? No. It is voluntary. However, not providing data may make it impossible for us to pursue or defend claims effectively.
  • Retention: until you successfully object to processing or the purpose of processing ceases (whichever happens first).

4. Processing Related to Cooperation, Contracts, and Services

4.1. Beneficiaries, contractors, and service providers who are natural persons

If you are a beneficiary (including a person supported by our charitable activities), a contractor, or a supplier providing services to us as an individual, we may process your personal data:

(a) To take steps before entering into a contract and to perform a contract

This includes activities such as preparing offers, concluding agreements, and properly performing contractual obligations.

  • Legal basis: necessity to perform a contract or to take steps at your request before entering into a contract (Article 6(1)(b) GDPR).
  • Is providing data required? Yes, to conclude and perform the contract. Providing data is voluntary, but not providing it may prevent us from concluding or performing the contract.
  • Retention: for as long as necessary to perform the contract, including the period during which contractual rights may be exercised.

(b) To support and improve cooperation beyond strict necessity

This may include improving how we manage cooperation and communication, for example by:

  • analyzing results of business activity,
  • performing publicly available information checks (“white intelligence”),
  • verifying satisfaction with cooperation (including handling inquiries and complaints),
  • maintaining ongoing contact (email/phone),
  • keeping documentation required by our internal rules and procedures.
  • Legal basis: our legitimate interest (Article 6(1)(f) GDPR), i.e., improving processes connected to the conclusion and performance of contracts and maintaining good cooperation.
  • Is providing data required? No. It is voluntary, but not providing it may limit our ability to improve cooperation and communication.
  • Retention: until you successfully object or the purpose ceases (whichever happens first).

(c) To comply with legal obligations

We may process data to comply with obligations under applicable law, including tax and accounting rules and, where applicable, anti-money laundering and counter-terrorist financing requirements.

  • Legal basis: legal obligation (Article 6(1)(c) GDPR).
  • Is providing data required? Yes, to the extent required by law. Not providing data may prevent us from meeting legal obligations, including settlement and accounting.
  • Retention: for the period required to meet legal obligations. In particular, for accounting and tax purposes, after termination of a contract data may be retained for 5 years from the end of the calendar year in which the relationship ended.

(d) To comply with GDPR-related obligations

We may process data to handle requests and fulfill obligations resulting from personal data protection laws (e.g., responding to requests to exercise your rights).

  • Legal basis: our legitimate interest combined with a legal obligation (Article 6(1)(f) in conjunction with Article 6(1)(c) GDPR).
  • Is providing data required? It is connected with legal requirements. Not providing data may prevent us from fulfilling obligations or handling your request.
  • Retention: until you successfully object or the purpose ceases (whichever happens first), where applicable.

(e) Direct marketing of our own activities and services

We may process your data to conduct direct marketing of our own services and activities, including sending commercial communications electronically (e.g., invitations to events or information about our initiatives), where required based on consent.

  • Legal basis: depending on the form of marketing:
    • our legitimate interest (Article 6(1)(f) GDPR), and/or
    • your consent (Article 6(1)(a) GDPR).
      In some cases, consent may also be required under the Polish Act of 12 July 2024 – Electronic Communications Law.
  • Is providing data required? No. It is voluntary, but not providing it prevents us from carrying out direct marketing to you.
  • Retention:
    • if processing is based on consent: until you withdraw consent or the purpose ceases;
    • if based on legitimate interest: until you object or the purpose ceases.

We may also process data for claims/defense purposes in connection with marketing activities, under the same rules described above.

5. People Representing Our Partners, Contractors, and Suppliers (Business Contacts)

If you act on behalf of (or are otherwise connected with) a beneficiary, contractor, or supplier, we may process your data in connection with cooperation with the organisation you represent or are connected to, including to take steps before concluding an agreement or to improve its performance.

  • Legal basis: our legitimate interest (Article 6(1)(f) GDPR), i.e., ensuring efficient cooperation, communication, and contract performance, including:
    • business analysis of the entity you represent,
    • publicly available information checks (“white intelligence”),
    • verifying satisfaction with cooperation,
    • maintaining ongoing communication,
    • keeping cooperation documentation required by internal rules.
  • Is providing data required? No. It is voluntary, but not providing it may make cooperation and communication more difficult.
  • Retention: until you successfully object or the purpose ceases (whichever happens first).

Data obtained indirectly (Article 14 GDPR)

If we did not obtain your data directly from you, we may process ordinary personal data such as:

  • identification data (e.g., name and surname),
  • contact data (e.g., email, phone number),
  • address data,
  • professional/business data (e.g., job title, function),
  • other data where required by law (e.g., anti-money laundering laws, where applicable).

For members of governing bodies, we may also process a national identification number (PESEL). For authorised representatives, we may also process other data included in a power of attorney.

We may have obtained your data, in particular, from the entity you represent/are connected to, or from publicly available sources such as the Court and Economic Monitor (Monitor Sądowy i Gospodarczy), the National Court Register (KRS), CEIDG, the Central Register of Beneficial Owners, or other domestic/foreign registers.

6. Contacting Us Without a Contract (Questions, Requests, GDPR Rights)

If you contact us without relation to a contract (for example to ask a question, request information, or exercise GDPR rights), we may process your personal data to handle communication via email, phone, contact forms, postal mail, or through our social media profiles.

  • Legal basis: our legitimate interest (Article 6(1)(f) GDPR), i.e., maintaining communication and responding to requests.
  • Is providing data required? No. It is voluntary, but not providing it may prevent us from responding.
  • Retention: until you successfully object or the purpose ceases (whichever happens first).

We may also process data for direct marketing and for claims/defense purposes under the rules described above.

7. Social Media Profiles and Social Plugins

We operate profiles on social media platforms such as Facebook, Instagram, LinkedIn, and TikTok. If you interact with our profiles (e.g., follow, like, comment, message), we may process your personal data to manage these profiles, communicate with you, share marketing content, and build relationships with current or potential partners, clients, and candidates.

  • Legal basis: our legitimate interest (Article 6(1)(f) GDPR), i.e., managing our profiles and communications.
  • Is providing data required? No. It is voluntary and depends on your activity on these platforms.
  • Retention: the retention rules are primarily determined by the relevant platform provider. In practice, we will not process your data longer than until you successfully object, unfollow/unlike, or delete your interaction (e.g., remove a comment), whichever happens first.

We may also process data for claims/defense purposes under the rules described above.

Joint controllership: In connection with running social media profiles and embedding social plugins on the Website, we may be joint controllers (Article 26 GDPR) with the relevant social media providers. Details about how each platform processes personal data are available in their privacy policies.

8. Whistleblowing (Protection of Whistleblowers)

We also implement obligations resulting from the Polish Act of 14 June 2024 on the protection of whistleblowers. Detailed information on how we process personal data of people involved in whistleblowing processes is available on our Website in the “Whistleblowers” section (or an equivalent section) or in attachments to our internal procedure for reporting breaches of law and taking follow-up actions.

9. Recipients of Personal Data

In some cases, we may share your personal data with external recipients when necessary to achieve the purposes described in this Policy. This may include entities that:

  • process data on our behalf under a data processing agreement or another legal instrument (Article 28 GDPR), or
  • process data as independent controllers.

In particular, recipients may include providers of services related to our day-to-day operations, such as:

  • IT/system support providers,
  • accounting, legal, and advisory service providers,
  • marketing service providers,
  • CRM system providers,
  • payment service providers.

We may also disclose personal data to authorised public bodies or third parties who request access, provided they have a valid legal basis and the request complies with applicable law. This may include tax authorities, law enforcement agencies, prosecutors, courts, or arbitration bodies.

10. Transfers Outside the EEA

Where justified, especially in connection with cooperation with foreign providers and the use of tools such as Microsoft Office 365, we may transfer personal data outside the European Economic Area (EEA). If we do so, we ensure appropriate safeguards and an adequate level of protection by using one of the GDPR transfer mechanisms, such as:

  • transfers to countries recognised by the European Commission as providing adequate protection, or
  • Standard Contractual Clauses approved by the European Commission or another valid mechanism, or
  • other legal bases permitted under the GDPR.

If a transfer occurs, you may request a copy of the documents used to safeguard such transfers.

11. Your Rights

In connection with our processing of your personal data, you have the rights provided by the GDPR, including:

  • the right to access your data and obtain a copy (Article 15 GDPR),
  • the right to rectify inaccurate data (Article 16 GDPR),
  • the right to erase data and the right to restrict processing, where applicable (Articles 17–18 GDPR),
  • the right to data portability (Article 20 GDPR), including the right to receive your data in a structured, commonly used, machine-readable format and to request transmission to another controller,
  • the right to object to processing based on our legitimate interest, including on grounds relating to your particular situation (Article 21 GDPR),
  • the right to lodge a complaint with a supervisory authority.

In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland. You may contact UODO by post at this address or via the electronic inbox available on the UODO website.

Please note that these rights are not absolute and do not apply in every situation. Detailed rules are set out in Articles 15–21 GDPR. To exercise your rights or obtain more information, contact us using the details in Section 2.

12. Automated Decision-Making

We do not make decisions about you based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

13. Changes to This Policy

We may update this Policy from time to time. Changes may result from updates in applicable law (including data protection, electronic communications, or consumer rules), or from implementing new or updated technical and technological solutions.

Skip to main content