Privacy policy

Privacy policy – information on the processing of your personal data by “HERBAPOL-LUBLIN” S.A.

Thank you for your interest in data protection on our website. As a responsible company operating in an ethical manner, we respect the right to protection of personal data of our collaborators, counterparties and partners. Therefore, we would like to provide you with information on the principles of personal data protection in force at “HERBAPOL – LUBLIN” S.A. with its registered office in Lublin.

Personal data is information that is directly or indirectly assigned or assignable to a specific individual. The legal basis for data protection is, in particular, the Personal Data Protection Regulation (GDPR). Before commencing the processing of personal data, “HERBAPOL- LUBLIN” S.A. each time identifies the purpose of and legal basis for its processing and defines the data retention period.

Who is the Controller of Personal Data?

In accordance with Articles 13 and 14 of the General Personal Data Protection Regulation of 27 April 2016 (GDPR), we inform you that the Controller of your personal data, when you provide your data, is “HERBAPOL- LUBLIN” S.A. with its registered office in Lublin (postal code 20-471) at ul. Diamentowa 25, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Lublin-Wschód in Lublin seated in Świdnik, 6th Commercial Division of the National Court Register under KRS No 0000027463, share capital of PLN 691,365.00 – paid-up in full; Tax ID No (NIP): 712-015-53-64, Statistical ID No (REGON): 430723174.

The Controller has appointed a Data Protection Officer, who can be contacted via e-mail at, by telephone at 81 748 82 19 or by letter at the following address: HERBAPOL-LUBLIN S.A. ul. Diamentowa 25, 20-471 Lublin.

What is the purpose, scope and legal basis for data processing?

We process your personal data on various legal bases and for purposes adequate to circumstances and mutual relations, in particular:

  1. If you give relevant consent to the storage of cookies and other similar technologies on your device and to access to them (more details can be found in our Cookie Policy), we can commence the processing of your personal data, including information on your activity on the website. This allows for better tailoring of displayed or transmitted content to your individual preferences and interests. The legal basis for the above data processing is Article 6(1)(f) of the GDPR.
  2. In order to adjust the content of our websites to user preferences and to continuously optimise them, pursuant to Article 6(1)(f) of the GDPR, we use Google Analytics, an analytical service provided by Google Inc. (“Google”). Our legitimate interest arises from the purposes set out below. In this context, pseudonymised user profiles are created and cookies are used. A cookie generates the following information on the use of this website: browser type/version, operating system used, URL address (last site visited), time of sending an enquiry to the server. This information is used to analyse the use of our websites, to compile reports on activities on the websites and to provide other services related to the use of the websites and in order to conduct market research and adjust the content of the websites to user preferences. IP addresses are anonymised, so that they cannot be associated with the user (the so-called “IP-masking”). You can prevent the installation of cookies by appropriately setting your browser; however, please be informed that in such a case you will not be able to use all the functions available on this website. More information on data protection in relation to Google Analytics can be found at Google Analytics website. The information generated in cookies is transmitted to a Google server in the USA and stored there. In no event will your IP address be linked to other Google data.
  3. Where we have asked you for an offer of cooperation or we have received an offer from you, we will process your data such as: names, surnames, identification numbers, address and contact details for the purpose of performing preparatory activities necessary for the conclusion of an agreement, the conclusion of the agreement and then for complying with the mutual obligations of a party to the agreement (legal basis – Article 6(1)(b) of the GDPR),
  4. If you conduct economic activity consisting in running a retail outlet, we will process your data such as: names, surnames, identification numbers, address and contact details for the purpose of contacting you (e-mail, mail or telephone correspondence), establishing cooperation, ensuring delivery of goods from our commercial offer and preparing a marketing offer tailored to the needs of customers of your retail outlets, which constitutes a legitimate interest of the Controller (legal basis – Article 6(1)(f) GDPR),
  5. If you represent your employer (principal) in contractual relationships with our Company, we will process your personal data such as: names, surnames, telephone number, address and e-mail address for the purpose of contacting you and complying with mutual obligations of the parties, which constitutes a legitimate interest of the Controller (legal basis – Article 6(1)(f) GDPR),
  6. In the event of purchase of goods and/or services, we will process your personal data such as: names, surnames, business name, identification numbers, address and contact details for the purpose of issuing or settlement, and then storage, of an invoice (bill), as well as other documents evidencing the delivery of goods or performance of a service, which constitutes both the fulfilment of legal requirements to which the Controller is subject as a taxpayer (legal basis – Article 6(1)(c) GDPR) and implementation of legitimate interests pursued by the Controller (legal basis – Article 6(1)(f) GDPR),
  7. If you have contacted us to name advantages or disadvantages of our products (also, if you have lodged a complaint), we will process your data such as: names, surnames, number, address and contact details for the purpose of contacting you and preparing a response to the complaint and, if the complaint is accepted, for the purpose of sending you a defect-free product, which constitutes a legitimate interest pursued by the Controller (legal basis – Article 6(1)(f) GDPR),
  8. If you consent to the use of your data for the purpose of promotion and marketing of our products, including e.g. contests, promotions, lotteries, receipt of a newsletter or other activities (legal basis – Article 6(1)(a) GDPR) – “consent”. In such a case, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; refusal of consent or its withdrawal will result in the Company being unable to process your data for the purposes indicated in the consent. If you wish to withdraw consent or express an objection, please send an e-mail or a letter by mail to the address of the Controller or the Data Protection Officer.
  9. In the event of defence or exercise of claims. If this is the case, the processing of your personal data will be based on our legitimate interest consisting in the right to defend or exercise claims (Article 6(1)(f) GDPR) and in the case of archiving of documents. The legal basis for processing in this case is the fulfilment of a legal obligation to which the Controller is subject (Article 6(1)(c) GDPR).
  10. If you are applying for a job at HERBAPOL- LUBLIN S.A. or have already become an employee, the purposes, legal bases, scope of data processing and data retention periods will be communicated to you as part of the recruitment process and/or conclusion of the agreement.

How long do we process your data?

The period of data processing by the Controller depends on the nature of the business functions and the purpose of processing. The processing period may result from regulations, if they are the basis for the processing. If data processing is based on a legitimate interest of the Controller, data is processed for a period enabling implementation of the interest or submitting an effective objection to the processing of data. If processing is based on consent, data is processed until the consent is withdrawn. Where processing is based on its necessity for the conclusion and performance of an agreement, data will be processed until the agreement is terminated.

The data processing period may be extended where processing is necessary for the establishment, exercise or defence of claims (if any), and thereafter only if and to the extent that legal provisions so stipulate. After the end of the processing period, data is irretrievably erased.

Statistically developed data is removed from Google Analytics after a maximum of 50 months. Reports made on the basis of Google Analytics contain no reference to any individual whatsoever.

Who do we entrust your data to?

Personal data obtained from you may be, as part of its processing for the purposes listed above, made available to external entities, including in particular vendors responsible for the provision and maintenance of IT systems and hardware, providers of banking, legal, accounting, auditing, consulting, freight forwarding and transport services and to postal operators, couriers, marketing and recruitment agencies, as well as to entities and institutions that are entitled to obtain the information under the law.

The Controller reserves the right to disclose selected information regarding a data subject to the competent authorities or third parties which have requested such information, on the basis of relevant legal grounds and in accordance with the provisions of applicable law.

Do you have to provide your personal data?

Data obtained from you is processed by the Controller on a voluntary basis; however, refusal to provide the data may prevent the performance of actions requested by you or offered by you.

Processing of personal data by automated means

Personal data will not be processed by automated means (including in the form of profiling) in such a way that the automated processing would entail any decision-making, cause any legal effects or would otherwise significantly affect our customers, counterparties and their employees / collaborators.

Transfer of data to third countries (outside the EEA)

The level of protection of personal data outside the European Economic Area (“EEA”) is different from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only if this is necessary and while ensuring an adequate level of protection, in particular by: cooperation with processors of Personal Data in the countries for which the European Commission has issued an adequacy decision regarding Personal Data; the application of standard contractual clauses issued by the European Commission; the application of binding corporate rules approved by the competent supervisory authority; in the case of transferring data to the USA – cooperation with participants in the Privacy Shield Framework approved by a decision of the European Commission.

The Controller shall always communicate its intention to transfer Personal Data outside the EEA at the stage of its collection.

What are your rights?

In the cases and on the terms and conditions provided for in regulations on the protection of personal data, you have the right:


a.) of access to your Personal Data (Article 15 of the GDPR),

b.) to rectification of your Personal Data which is incorrect or incomplete (Article 16 of the GDPR),

c.) to erasure of all or some of your Personal Data (Article 17 of the GDPR),

d.) to restriction of use of Personal Data (Article 18 of the GDPR),

e.) to Personal Data portability to a User or other designated entity, in a commonly used, machine-readable format, if we are using the User's personal data on the basis of consent or for the purpose of performing an agreement (Article 20 of the GDPR),

f.) to withdraw consent to the use of Personal Data at any time – if the User’s Personal Data is processed on the basis of consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Article 7 of the GDPR),

g.) to submit an objection, on grounds relating to the User’s particular situation, to the processing of his/her Personal Data on the basis of legitimate interests of “HERBAPOL – LUBLIN” S.A. Following an objection, “HERBAPOL – LUBLIN” S.A. will consider whether – on grounds of the User’s particular situation – the protection of his/her interests, rights and freedoms prevails over the interests that we implement using the User's Personal Data. If the User's objection proves to be reasonable and there is no other legal basis for the use of such data, Personal Data will be erased (Article 21(1) of the GDPR).

Notwithstanding the foregoing, you also have the right to lodge a complaint with the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.

Personal data security

In order to ensure the integrity and confidentiality of data, the Controller - “HERBAPOL-LUBLIN” S.A. has implemented procedures to allow access to personal data only by authorised persons and only to the extent necessary for the performance of their tasks. The Controller applies organisational and technical measures to ensure that all operations on personal data are carried out by authorised persons only. The Controller carries out an ongoing risk analysis and monitors the adequacy of applied data safeguards to identified risks. If necessary, the Controller implements additional measures aimed at increasing the security of data.

If you have any questions or doubts regarding the protection of your Personal Data, please contact us.