1.1. Administrator - "Herbapol-Lublin" S.A. based in Lublin at ul.
You can contact the Administrator via e-mail at firstname.lastname@example.org or via letter sent to the following address "Herbapol-Lublin" S.A., ul. Diamentowa 25 (20-471 Lublin).
1.2. At the same time "Herbapol-Lublin" S.A. based in Lublin would like to inform that a personal data protection inspector has been appointed, whose contact details are: email@example.com, Tel. no. +48817488219.
1.3. Personal data - all information about an individual identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, Internet identifier and information collected using cookies and similar technology.
1.5. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.6. Shop - online shop operated by the Administrator at www.e-herbapol.com.pl
1.7. Client - any individual visiting the online shop.
DATA PROCESSING CONNECTED WITH USING THE SHOP
2.1. In connection with the Client's use of the shop, the Administrator collects data to the extent necessary to provide services, as well as information about the Client's activity in the shop. The detailed rules and purposes of processing personal data collected when using the online shop by the Client have been described below.
PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING ON THE WEBSITE
USE OF THE ONLINE SHOP WWW.E-HERBAPOL.COM.PL
3.1. Personal data of all persons using the Website (including IP address or other identifiers and information collected via cookies or other similar technologies) and who are not registered Clients (i.e. persons who do not have a profile in the Shop) are processed by the Administrator:
3.1.1. in order to handle purchases made without registration in the Shop - in this case the legal grounds for processing is the necessity of processing to execute the agreement (art. 6, para. 1 letter b of the GDPR);
3.1.2. in order to handle complaints - in this case the legal grounds for processing is the necessity of processing to execute the agreement (art. 6, para. 1 letter b of the GDPR);
3.1.3. for analytical and statistical purposes - in this case the legal grounds for processing is the legitimate interest of the Administrator (art. 6, para. 1 letter f of the GDPR) consisting in conducting analyses of the Clients’ activity, as well as their preferences in order to improve the functionalities and services provided;
3.1.4. in order to potentially establish and pursue claims or defend against them - the legal grounds for processing is the legitimate interest of the Administrator (art. 6, para. 1 letter f of the GDPR) consisting in the protection of the Administrator's rights;
The Client's activity in the Shop, including their personal data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities related to the IT system used to provide services by the Administrator). The information collected in the logs is processed in connection with the provision of services. The Administrator also processes such information for technical purposes; in particular, the data may be temporarily stored and processed to ensure the security and proper functioning of IT systems, e.g. in connection with creating back-up copies, testing changes in IT systems, detecting irregularities or protecting against frauds and attacks.
REGISTRATION IN THE WWW.E-HERBAPOL.COM.PL SHOP
3.2. Users who register in the Shop are asked to provide the data necessary to create and operate an account. The data necessary to create and operate an account includes: first name, surname, home address (street, building number, zip code, city), telephone number and e-mail address. In order to facilitate the service, the Client may provide additional data, thereby giving their consent to process the same. Such data can be deleted at any time by logging in to your account, clicking the "My Data" and then "Deleting account" tab. Providing data marked as obligatory is required in order to create and operate an account, and failure to do so results in the inability to create an account. Providing other data is voluntary.
3.3. Personal data is processed:
3.3.1. in order to provide services related to the operation and handling of an account in the Shop - the legal grounds for processing is the necessity of processing to execute the agreement (art. 6, para. 1 letter b of the GDPR), and with regard to the optionally provided data - the legal grounds for processing is the consent (art. 6, para. 1 letter a of the GDPR);
3.3.2. for analytical and statistical purposes - in this case the legal grounds for processing is the legitimate interest of the Administrator (art. 6, para. 1 letter f of the GDPR) consisting in conducting analyses of the Clients’ activity in the Shop and their manner of using the account, as well as their preferences in order to improve the functionalities used;
3.3.3. in order to potentially establish and pursue claims or defend against them - the legal grounds for processing is the legitimate interest of the Administrator (art. 6, para. 1 letter f of the GDPR) consisting in the protection of the Administrator's rights;
3.3.4. for marketing purposes (sending the Newsletter) of the Administrator - the grounds for processing is the client's consent to subscribe to the newsletter (art. 6, para. 1 letter a of the GDPR). The consent may be revoked at any time, for example, via the link provided at the end of each newsletter and by sending an unsubscribe request to the e-mail address: firstname.lastname@example.org
3.4. If the User provides any personal data of other people in the Shop (including their name, address, telephone number or e-mail address), they may do so only if they do not violate the applicable law and personal rights of such people.
3.5. Placing an order (purchasing goods) by the Client in the Shop involves processing of their personal data. Providing data marked as obligatory is required in order to accept and process an order, and failure to do so results in the inability to execute the same. The data necessary to place an order includes: first name, surname, home address (street, building number, zip code, city), delivery address (if other than the home address), telephone number and e-mail address. The Client may provide additional data, thereby giving their consent to process the same. Providing other data is voluntary.
3.6. Personal data is processed:
3.6.1. in order to execute a placed order - the legal grounds for processing is the necessity of processing to execute the agreement (art. 6, para. 1 letter b of the GDPR), and with regard to the optionally provided data, the legal grounds for processing is the consent (art. 6, para. 1 letter a of the GDPR);
3.6.2. in order to fulfil the statutory obligations imposed on the Administrator, resulting in particular from tax and accounting regulations - the legal grounds for processing is the legal obligation (art. 6, para. 1 letter c of the GDPR);
3.6.3. for analytical and statistical purposes - in this case the legal grounds for processing is the legitimate interest of the Administrator (art. 6, para. 1 letter f of the GDPR) consisting in conducting analyses of the Clients’ activity in the Shop, as well as their preferences in order to improve the functionalities used;
3.6.4. in order to potentially establish and pursue claims or defend against them - the legal grounds for processing is the legitimate interest of the Administrator (art. 6, para. 1 letter f of the GDPR) consisting in the protection of the Administrator's rights.
4.1. The Administrator processes Clients’ personal data in order to carry out marketing activities, which may include:
4.1.1. displaying marketing content to the Clients that is not tailored to their preferences (keyword advertising);
4.1.2. sending e-mail notifications about interesting offers or content - Newsletter.
4.2. If the Client agrees to receive the newsletter, the Administrator starts processing of personal data in the form of an e-mail address. The grounds for data processing is the client's consent to subscribe to the newsletter (art. 6, para. 1 letter a of the GDPR). The consent may be revoked at any time, for example, via the link provided at the end of each newsletter and by sending an unsubscribe request to the e-mail address: email@example.com.
4.3. KEYWORD ADVERTISING AND COOKIES
If you accept the storage of cookies and other similar technology on your device and access to it (more information on this in our Information about cookies), we may start processing of your personal data, including information about your activity on the website (e.g. website areas you visit, links that you use, etc.) for advertising purposes, including remarketing activities. Thanks to automatic data processing, we evaluate selected factors in order to analyse your behaviour or to create a forecast for the future. This allows for better matching of the displayed or transmitted content to your individual preferences and interests. The legal grounds for the aforementioned data processing is art. 6, para. 1, letter f of the GDPR.
4.4. The Administrator processes the Clients' personal data for marketing purposes in connection with directing keyword advertising to the Clients (i.e. advertising that does not match the Client's preferences). In this case the personal data is processed in connection with the pursuit of the legitimate interest of the Administrator (art. 6, para. 1 letter f of the GDPR).
COOKIES AND SIMILAR TECHNOLOGIES
Cookies collect information that facilitates the use of the website - e.g. by remembering the Client's visits in the Shop and the activities performed by them. In this case the personal data is processed in connection with the pursuit of the legitimate interest of the Administrator (art. 6, para. 1 letter f of the GDPR).
5.2.1. cookies with data entered by the Client (session ID) for the duration of the session (user input cookies);
5.2.2. authentication cookies used for services that require authentication for the duration of the session;
5.2.3. cookies used to ensure security, e.g. used to detect authentication frauds (user centric security cookies);
5.2.4. cookies used to remember the contents of the shopping cart for the duration of the session (shopping cart cookies);
5.2.5. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyse how the Client uses the Shop, to create statistics and reports concerning Shop operation). Google does not use the collected data to identify the Client and does not combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
By default, web browsers or other software installed on a computer or other user's device connected to the Internet allow for storing of certain types of "cookies" on such a device. Such settings can be changed to block cookies in the web browser settings or alert the user each time they are sent to the user's device. In this way, the consent given to use this technology may be modified or revoked at any time (blocking the cookies in the future).
It is also possible to block third party cookies with the simultaneous acceptance of "cookies" coming directly from www.e-herbapol.com.pl.
To learn more about the possibilities and ways to manage cookies, please refer to your software (browser) settings.
DURATION OF PERSONAL DATA PROCESSING
6.1. Duration of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, the data is processed for the duration of providing a service or executing an order, until the consent is withdrawn or an effective objection to data processing is raised in cases where the legal grounds for data processing is the legitimate interest of the Administrator.
6.2. The data processing period may be extended if the processing is necessary to establish and pursue any potential claims or defend against them, and after that time only if and to the extent that it will be required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymised.
7.1. The data subjects have the following rights:
7.1.1. The right to information about personal data processing - based on this the Administrator provides information about personal data processing to the requesting party, including in particular about the purposes and legal grounds for processing, the scope of data possessed, entities to whom personal data is disclosed and the planned date of their erasure;
7.1.2. The right to obtain a copy of the data - based on this the Administrator provides a copy of the processed data relating to the person making the request;
7.1.3. The right to rectify - based on this the Administrator removes any inconsistencies or errors regarding the personal data being processed, completes or updates it if it is incomplete or has changed;
7.1.4. The right to erase data - based on this you can request the erasure of the data the processing of which is no longer necessary to achieve any of the purposes for which it was collected;
7.1.5. The right to limit processing - based on this the Administrator ceases to perform operations on personal data, with the exception of operations to which the data subject has agreed and their storage, in line with the adopted retention rules, or until the reasons for limiting data processing (e.g. a decision of the supervisory authority will be issued, allowing for further data processing) cease to exist;
7.1.6. The right to transfer data - based on this, to the extent the data is processed in connection with the concluded agreement or expressed consent, the Administrator provides data provided by the data subject in a format that can be read by a computer. It is also possible to request that this data be sent to another entity - provided, however, that there are technical possibilities in this regard, both on the part of the Administrator and that other entity;
7.1.7. The right to object to data processing for marketing purposes - the data subject may at any time object to personal data processing for marketing purposes, without the need to justify their objection;
7.1.8. The right to object to other purposes of data processing - the data subject may at any time object to personal data processing on the basis of the Administrator's legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property). The objection in this respect should be accompanied by a justification and is subject to the Administrator's assessment;
7.1.9. The right to withdraw consent - if the data is processed based on the expressed consent, the data subject has the right to withdraw the consent at any time, which, however, does not affect the lawfulness of the processing performed before the consent was withdrawn;
7.1.10. Right to complaint - if it is found that personal data processing violates the provisions of the GDPR or other provisions concerning personal data protection, the data subject may lodge a complaint to the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa.
7.2. A request regarding the exercise of the rights of data subjects may be submitted:
7.2.1. in writing to the following address: "Herbapol-Lublin" S.A., ul. Diamentowa 25 (20-471 Lublin);
7.2.2. by e-mail to the following address: firstname.lastname@example.org or email@example.com
7.3. The request should, if possible, precisely indicate its subject, i.e. in particular:
7.3.1. what right the person submitting the request wants to exercise (e.g. the right to receive a copy of the data, the right to erase the data, etc.);
7.3.2. which processing operation the request concerns (e.g. use of a specific service, activity on a specific website, receiving a newsletter containing commercial information to a specific e-mail address, etc.);
7.3.3. what processing purposes the request relates to (e.g. marketing purposes, analytical purposes, etc.).
7.4. If the Administrator is unable to determine the subject of the request or identify the requesting person based on the submitted request, they will ask the requesting party to provide additional information.
7.5. The reply to a request will be provided within 31 days from its receipt. If it is necessary to extend this period, the Administrator will inform the requesting party about the reasons for such an extension.
7.6. The reply will be sent to the e-mail address from which the request was sent, and in the case of requests sent by letter, by ordinary mail to the address indicated by the requesting person, unless the letter indicates the will to receive a reply to the e-mail address (in this case, please provide the e-mail address).
8.1. In connection with the provision of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting, legal, auditing, consulting services, couriers (in connection with the implementation of the order), marketing agencies (with regard to marketing services).
8.2. If the Client expresses consent, their data may also be made available to other entities for their own purposes, including marketing purposes.
8.3. The Administrator reserves the right to disclose selected information concerning Clients to the competent authorities or third parties that submit a request for providing such information, based on relevant legal grounds and in line with the provisions of the applicable law.
TRANSFER OF DATA OUTSIDE THE EEA
9.1. At present, we do not transfer Clients' personal data outside the EEA. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by the European law. For this reason, if the Administrator decides to transfer personal data outside the EEA, it will only take place if necessary and with an adequate level of protection, primarily by:
9.1.1. cooperation with entities processing personal data in the countries for which a relevant decision of the European Commission has been issued;
9.1.2. use of standard contractual clauses issued by the European Commission;
9.1.3. following binding corporate rules approved by the competent supervisory authority;
9.1.4. in the event of data transfer to the USA - cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
9.2. The Administrator will always inform about the intention to transfer personal data outside the EEA at the moment of collecting such data.
PERSONAL DATA SECURITY
10.1. The Administrator performs a risk analysis on an ongoing basis to ensure that personal data is processed in a safe manner - ensuring, above all, that only authorised persons have access to the data and only to the extent that it is necessary due to the tasks they perform. The Administrator makes sure that all operations on personal data are recorded and performed only by authorised employees and cooperating entities.
10.2. The Administrator takes all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the use of appropriate security measures each time they process personal data at the Administrator's request.
11.1. The policy is reviewed on an ongoing basis and updated if necessary.