Who is the Administrator of my personal data?


The administrator of your personal data is:


ALBA THYMENT limited liability company st. Szkolna 98, 62-002 Suchy Las NIP: 7820026054 REGON: 63251406600000 KRS: 0000152323


The administrator is responsible for the use of personal data in a safe manner and in accordance with applicable law.


Who can I contact in matters related to the processing of my personal data?


In all matters related to the processing of your personal data by the Administrator, you can contact:

  • at the email address: iod@albathyment. com. pl,
  • phone number: 618115407,
  • listing at: ALBA THYMENT sp. z o.o about st. Szkolna 98, 62-002 Suchy Las

  • The administrator has not appointed the Personal Data Protection Inspector or his representative.


    What is the source of my data - where do they come from?


    We obtain personal data directly from you when you contact us in connection with the desire to purchase products offered by ALBA THYMENT sp. z o.o about We obtain your data for various purposes, as well as process it in various scopes and on various legal grounds provided for in the GDPR.
    The time of personal data processing is also different. In order to provide you with the most transparent information, we have grouped this information referring to the purpose of processing your personal data and present it below.


    What is the scope of personal data processed by the Administrator and the purpose of processing?


    1. Customer account registration via website

    2. Description. Personal data is processed in order to enable customers to register via the website.
      Data range. First name, Surname, telephone number, possibly other data that the Customer decides to provide,
      Legal basis. Legalizing premise: Art. 6 sec. 1 lit. b GDPR, i.e. the need to provide personal data in order to register a customer account via the website https://www. albathyment. com. pl/, https://www. alba1913. pl,http://www. alba1913. com,https://www. balsamic. pl/, and https://apothia. en/
      Personal data processing time. Personal data are processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    3. Purchase of goods via www

    4. Description. Personal data is processed in order to enable customers to purchase goods via the website
      Data range. In order to enable the purchase of goods via the website, the following personal data of the Customer are processed: Name, Surname, e-mail address, telephone number,
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject before concluding the contract (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. Personal data are processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    5. Order payment

    6. Description. Personal data is processed in order to enable customers to pay for the order
      Data range. When paying for an order, the following personal data is processed: Name, Surname, bank account number, address of residence,
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject before concluding the contract (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    7. Purchase of goods in a stationary store

    8. Description. Personal data is processed on the occasion of a purchase in a stationary store, if the Customer leaves his personal data to the Seller
      Data range. In case of purchase of products and articles offered by Alba Thyment sp. z o.o about the following personal data is processed in the stationary store: first name, last name, e-mail address, telephone number,
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject before concluding the contract (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    9. Remote purchase of goods or services, inquiry

    10. Description. Personal data is processed in order to enable customers to purchase goods remotely and to respond to inquiries
      Data range. In connection with the remote purchase of goods or services and submitting inquiries, the following personal data are processed: name, surname, e-mail address, telephone number,
      Legal basis. The processing of personal data is necessary to take action, at the request of the data subject, before concluding the contract and for the performance of the contract or the provision of services (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    11. Return

    12. Description. Personal data is processed in order to enable the customer to return the goods
      Data range. In order to enable customers to return the goods, the following personal data is processed: name and surname, e-mail address, telephone number,
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject in order to perform the contract or provide services (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    13. Telephone contact with
    14. customers
      Description. Personal data is processed in order to enable customers to contact the Administrator by phone.
      Data range. For this purpose, the following personal data is processed: name, surname, telephone number.
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject in order to perform the contract or provide services (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years

    15. Email contact with customers

    16. Description. Personal data is processed in order to enable customers to contact the Administrator by e-mail.
      Data range. For this purpose, the following personal data is processed: name, surname, e-mail address.
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject in order to perform the contract or provide services (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years

    17. Contact with clients via FANPAGE on Facebook

    18. Description. Personal data is processed in order to enable customers to contact Alba Thyment via FANPAGE on Facebook
      Data range. For this purpose, the following personal data are processed: name, surname, e-mail address, telephone number, image.
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject in order to perform the contract or provide services, art. 6 sec. 1 lit. b GDPR
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    19. Contact with clients via Messenger

    20. Description. Personal data is processed in order to enable customers to contact via Messenger.
      Data range. Personal data is processed in order to enable customers to contact via Messenger.
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject before concluding the contract (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    21. Contact with clients via WhatsApp

    22. Description. Personal data is processed in order to enable customers to contact via WhatsApp
      Data range. Personal data is processed in order to enable customers to contact via WhatsApp
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject before concluding the contract (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    23. Contact with contractors via the Slack application

    24. Description. Personal data is processed in order to enable the Contractors to contact via the Slack application.
      Data range. In order to enable Contractors to contact via the Slack application, the following personal data is processed: name, surname, address, e-mail address, telephone number, image.
      Legal basis. The processing of personal data is necessary to take action at the request of the data subject before concluding the contract (Art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. Personal data are processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    25. Shipping of ordered goods

    26. Description. Personal data is processed in order to deliver the ordered goods to the Customer.
      Data range. In order to provide the service of shipping the ordered goods, the Administrator processes the following personal data: name, surname, address, telephone number
      Legal basis. The processing of personal data is necessary to perform the sales contract or the provision of services (art. 6 sec. 1 lit. b GDPR)
      Personal data processing time. Personal data is processed for the time needed to manage the purchase of purchased products or services, including possible returns, complaints or claims related to a specific product or service. The data is processed at the latest until the expiry of claims under the concluded sales or service contract.

    27. Complaint for a product purchased via an online store

    28. Description. Personal data is processed in order to enable customers to make complaints about purchased products.
      Data range. In order to enable customers to make complaints about products, the following personal data is processed: name, surname, address, e-mail address, telephone number.
      Legal basis. The processing of personal data is necessary to fulfill the legal obligation incumbent on the Administrator (legalizing premise: art. 6 sec. 1 lit. c GDPR).
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    29. Exercising warranty rights

    30. Description. Personal data is processed in order to enable customers to exercise their rights under the warranty.
      Data range. In order to enable the Clients to use the warranty rights, the following personal data are processed: name, surname, address, e-mail address, telephone number,
      Legal basis. The processing of personal data is necessary to fulfill the legal obligation imposed on the Administrator
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    31. IT support

    32. Description. Personal data is processed in order to enable the provision of IT services tailored to the Customer's needs.
      Data range. In connection with IT services, the Personal Data Administrator processes personal data such as: name, surname, e-mail address, telephone number.
      Legal basis. The basis for the processing of personal data is the Administrator's legitimate interest in ensuring proper IT service (Art. 6 sec. 1 lit. f GDPR).
      Personal data processing time. Personal data are processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    33. Statistics on the use of individual functionalities of the Online Store and facilitating the use of the website on which the online store is located, ensuring IT security of the website

    34. Description. The data is processed in order to:
      - ensuring better customer service and contractors using the Administrator's services,
      - analysis of statistical data and adaptation of websites to the preferences of visitors,
      - administering websites, including an online store.
      Data range. The Administrator processes the following personal data regarding the Customer's activity on the Administrator's websites, including in the online store: visited pages and subpages, the amount of time spent on each of them, as well as data on the search history, IP address, location, ID device and data regarding the browser and operating system.
      Legal basis. The processing of personal data is necessary for the performance of the contract or the provision of services (legalizing premise: art. 6 sec. 1 lit. b GDPR).
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    35. Accounting, accounting

    36. Description. Personal data is processed for the purpose of:
      - keeping accounting (revenue or expense ledger, possibly accounting books),
      - keeping VAT records,
      - preparation of monthly and annual tax returns,
      - preparing reports for the tax and statistical office,
      - preparation of financial statements.
      Data range. For this purpose, the Administrator processes: name, surname, address, business name, tax identification number, business address), bank account number.
      Legal basis. The legal basis for the processing of personal data is the need for the Administrator to fulfill his obligations under the law (Art. 6 sec. 1 lit. c GDPR).
      Personal data processing time. Personal data is processed by the Administrator for the period of storing accounting, accounting, tax, HR and payroll documentation. The issued personal receipts and VAT invoices are stored by the Administrator until the expiry of tax liabilities, i.e. for 5 years, counting from the end of the calendar year in which the tax payment deadline expired.

    37. Determination, investigation and enforcement of claims

    38. Description. Pursuing claims for business activity. Accounting, fulfillment of tax obligations, enforcement of payment for services rendered.
      Data range. In connection with the determination, investigation and enforcement of claims, the following personal data are processed: name, surname, address, telephone number.
      Legal basis. Legitimate interest - pursuing claims and defending rights (art. 6 sec. 1 lit. c GDPR in connection with joke. 74 sec. 2 of the Accounting Act as the so-called legitimate interest of the administrator)
      Personal data processing time. The data is processed for the period of limitation of claims, resulting from the provisions of the Civil Code. We process all data processed for accounting purposes and for tax reasons for 5 years counted from the end of the calendar year in which the tax obligation arose. After the above-mentioned periods, the data is deleted or anonymised.

    39. Contact with the client - consideration of complaints, requests, inquiries

    40. Description. Personal data is processed in order to consider complaints, requests, inquiries.
      Data range. For this purpose, the Administrator processes: name, surname, address, e-mail, telephone number.
      Legal basis. The legal basis for the processing of personal data is art. 6 sec. 1 letter f, the Administrator's legitimate legal interest in improving and increasing the quality of the products and services provided.
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.

    41. Analysis of undesirable side effects of applied cosmetics and pharmaceutical products

    42. Description. Personal data is processed in order to analyze and then eliminate undesirable side effects
      Data range. The Personal Data Administrator processes Customers' personal data, such as: name, surname, address, telephone number, e-mail, possibly sensitive data regarding health.
      Legal basis. The basis for the processing of personal data is art. 6 sec. 1 letter f, the legitimate legal interest of the Administrator consisting in eliminating the undesirable side effects of the products used.
      Personal data storage time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for 5 years.
      Personal data processing time. Personal data is processed for the duration of the natural person's use of the pages provided by the Administrator via Facebook

    43. Use of third party services or purchase of goods from third parties for the purposes of running a current business by ALBA THYMENT sp. z o.o about

    44. Description. In connection with our business activity, we use the supply of goods and services from third parties.
      Data range. For this purpose, we process personal data:
      Contractor's Representative - name, surname, function/position, business e-mail address, business, phone number, name of the company the Representative represents,
      Counterparty (natural person conducting business activity) - name, surname, business name, tax identification number, business address, bank account number.
      Legal basis. Personal data is processed on the basis of art. 6 sec. 1 lit. b GDPR, i.e. in connection with the negotiations, conclusion and performance of the contract for the provision of services concluded between ALBA THYMENT sp. z o.o about and the Counterparty. In addition, the basis for the processing of personal data is art. 6 sec. 1 lit. f GDPR, i.e. the legitimate interest of the Personal Data Administrator, resulting from the necessity to process personal data for the implementation of the Administrator's economic activities and plans (investigation and defense against claims, fraud prevention, ensuring the security of the ICT environment).
      Personal data processing time. Personal data is processed for the duration of business cooperation, for a maximum period of 3 years from the date of the last contact between the Administrator and the Contractor's Representative (and longer only until the expiry of claims under the concluded contract of the parties). Personal data resulting from invoices are processed for the period of storage of VAT invoices required by law, i.e. for 5 years, counting from the end of the calendar year in which the deadline for payment of VAT on the VAT invoice expired.

    45. Complaint of purchased goods by contractor

    46. Description. Personal data of the Contractor's Representatives are processed in order to make complaints about the purchased goods
      Data range. The personal data administrator processes the personal data of contractors, such as: name and surname, job position (and information about the company where the person is employed), business correspondence address, business e-mail address and business telephone number
      Legal basis. The legal basis is the legalizing premise: Art. 6 sec. 1 lit. f GDPR and Art. 6 sec. 1 lit. b GDPR
      Personal data processing time. Personal data of the Contractor's Representatives will be stored for the period of conducting business cooperation, as well as after its completion, when there are reasonable grounds that this cooperation will be resumed or until the claims expire,

    47. Monitoring of the company's headquarters only outside. Processing the image of employees, buyers, including natural persons, collecting purchased goods in person, and contractors

    48. Description. Personal data is processed to ensure the safety of persons and property at the Data Administrator's premises
      Data range. The personal data administrator processes the image
      Legal basis. The legal basis is Legalizing premise: art. 6 sec. 1 lit. f GDPR
      Personal data processing time. The data is processed for the period resulting from the primary purpose for which they were collected, but not longer than for a period of 6 months

    Who is my personal data transferred to?


    The Personal Data Administrator takes care of the confidentiality of your personal data with the utmost care. Due to the need to fulfill contractual obligations and ensure the proper performance of services for our clients, personal data is transferred to the persons indicated below.


    Service Providers

    We also provide your personal data to service providers that we use to run our business. Suppliers provide the Administrator with technical and organizational solutions enabling the provision of services to Customers and organizational management. For example, we transfer data entities providing IT services and IT systems support to the Administrator, e.g. software providers, including providers of servers on which personal data is stored.



    State authorities

    We share your personal data if we are asked to do so by authorized state authorities, in particular organizational units of the prosecutor's office, the Police, the President of the Office for Personal Data Protection, the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.
    The administrator transfers personal data outside the European Union, as well as outside the European Economic Area.



    Is it my duty to provide the data?


    Providing certain data is a condition for using particular services offered by the Administrator (obligatory data). Our system automatically marks mandatory data. The consequence of not providing this data is the inability to provide certain services to you. Apart from the data marked as obligatory, providing other personal data is voluntary. Your personal data will not be processed for automated decision making.


    What rights do I have?


    The administrator, in connection with the processing of your personal data, ensures the implementation of your rights related to the processing of personal data, described below. You can exercise your rights by submitting a request to:

  • at the email address: iod@albathyment. com. pl,
  • phone number: 618115407,
  • listing at: ALBA THYMENT sp. z o.o about st. Szkolna 98, Suchy Las 62-002

  • In connection with the processing of your personal data, you have the right to:

  • withdrawal of consent to the processing of personal data,
  • submit an objection to the use of data,
  • requests to delete data (so-called "right to be forgotten"),
  • requests to restrict data processing,
  • data access,
  • requests to rectify data,
  • transferring data to another administrator.

  • When do we meet your request?
    If, in the exercise of the above-mentioned rights, you make a request to us, we comply with this request or refuse to comply with it immediately, but no later than within a month after receiving it. However, if - due to the complexity of the request or the number of requests - we will not be able to meet your request within a month, we will fulfill it within the next two months, informing you in advance about the intended extension of the deadline.


    Right to complain
    If the processing of personal data violates the law, you can submit a complaint to the supervisory authority about the processing of personal data by the Personal Data Administrator. A complaint may be submitted to the President of the Office for Personal Data Protection.