1.  Introduction

XY kft.,(registered office: CÍM; registration number: SZÁM; register keeping body: BM, tax number: ADÓSZÁM) (hereinafter referred to as the “Data Controller“) shall pay special attention to the protection and security of personal data, compliance with the mandatory legal provisions, safe and fair data processing, and compliance with the principles and obligations of the law.

The Data Controller shall in all cases process the personal data provided to it in compliance with the applicable Hungarian and European legislation and ethical requirements, and shall in all cases take the technical and organisational measures necessary for the proper and secure processing of the data.

These rules are based on the following legislation in force:

– Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

– the relevant provisions of Act XCII of 2011 on the Right to Information Self-Determination and Freedom of Information.

The controller reserves the right to change the privacy policy, in particular in the event of a change in legislation, in which case the amended policy will be published publicly 15 days before it enters into force.

2. LEGAL BASES FOR DATA PROCESSING

The processing of the data of visitors to the website and subscribers to the newsletter is based on their voluntary consent to browse (Article 6(a)(a) GDPR). The data of customers (including customers of the webshop) are processed by the Data Controller on the basis of a contract (Article 6(b) GDPR). There are cases where the legal basis for processing is the legitimate interest of the Data Controller, which is specified in the individual data processing notices. For example, in the case of business partners, the legitimate interest of the controller is the continuity of business, the maintenance of business relations. The collection and transmission of data for invoicing purposes to the tax authorities is based on the Accounting Act in order to fulfil a legal obligation (Article 6(c) GDPR).

3. Scope and purpose of the data processed

Website visitors’ data:IP address, for data security reasons and to provide possible convenience services. IP addresses are not recorded for visitors (browsers).

The html code of the websites operated by the Data Controller may contain independent links from and to external servers for web analytics purposes. The measurement also includes tracking of conversions. The web analytics provider does not process personal data, only browsing-related data that cannot be used to identify individuals. Currently, the web analytics services are provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, as part of the Google Analytics service.

The Data Controller runs remarketing ads through the Facebook and Google AdWords advertising systems. These providers may collect or receive data from the Controller’s website and other internet sites through the use of cookies, web beacons and similar technologies. They use this data to provide measurement services or to target advertisements. Such targeted ads may appear on additional websites in the Facebook and Google partner network. Remarketing lists do not contain any personal data of the visitor and are not personally identifiable.

The user can delete the use of cookies from his/her own computer or prevent their use in his/her browser. These options vary depending on the browser, but are typically available in the Settings / Privacy menu.

For more information about Google and Facebook’s privacy policies, please visit http://www.google.com/privacy.html and https://www.facebook.com/about/privacy/

Newsletter subscription

The Data Controller delivers direct marketing messages to subscribers to newsletters on the websites it operates (e.g. online newsletters containing news, news and offers, usually monthly but no more than once a week, and by electronic or postal mail). To subscribe to the newsletter, you must provide your name and e-mail address, which is essential for the delivery of the messages.

The data will be processed for as long as the data subject does not request their deletion, but for a maximum of 2 years. The possibility to unsubscribe is provided by a direct link in each newsletter.

Purpose of the processing: marketing

Data on customers

In the case of a purchase, the name, address, delivery address, products purchased, contact details are recorded, and in the case of an invoice request, the data required for issuing the invoice.

Purpose of processing: the establishment and performance of a contract.

Payment is made through Barion Financial Solutions, whose privacy policy is available at the link below:

https://www.barion.com/hu/adatvedelmi-tajekoztato/

5. SECURITY OF DATA PROCESSING

The Controller will use the personal data you have provided to.

TÁRHELY CÉGNÉV
(CÍM
TELSZÁM
EMAIL CÍM)

stored on servers. The Data Controller will take all necessary steps to ensure the security of the personal data provided by Users, both during network communication and during storage. Access to personal data is strictly limited

In particular, the Data Controller shall protect the data against unauthorised access, alteration, disclosure, disclosure, deletion or destruction and against accidental destruction or accidental damage. The Data Controller, together with the server operators, shall ensure the security of the data by technical, organisational and organisational measures that provide a level of protection appropriate to the risks associated with the processing.

6. RIGHTS OF DATA SUBJECTS

A. The data subject’s right to information

1. General information about the controller and its processing is set out in this Privacy Notice.

The controller shall reply in writing within 30 days to the contact details(s) indicated in the Notice. The data subject may submit his/her request once per calendar year, in principle free of charge.

2. The controller shall, at the request of the data subject, provide mandatory information on.

a) the purpose of the processing;

b) categories of personal data;

(c) the source of the personal data and, where applicable, whether the data originate from publicly available sources;

(d) the legal basis for processing;

(e) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;

(f) where applicable, the envisaged duration of the storage of the personal data or, if this is not possible, the criteria for determining that duration;

(g) the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data relating to him or her and to object to the processing of personal data;

(h) the right to lodge a complaint with a supervisory authority;

(i) where the data have not been collected from the data subject, any available information about their source;

3. The exercise of the right to information may be refused only in the cases provided for in Article 14(5) of the GDPR, stating the exact grounds for refusal.

B. Right of access of the data subject

1. The controller shall, at the request of the data subject, provide feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, access to the personal data and the following information:

a) the purposes of the processing;

b) categories of personal data;

(c) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;

(d) where applicable, the envisaged duration of the storage of the personal data or, if this is not possible, the criteria for determining that duration;

(e) the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the data have not been collected from the data subject, any available information on their source;

(h) the fact of automated decision-making, including profiling, and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.

2. The data controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. The right to request a copy should not adversely affect the rights and freedoms of others. If personal data are transferred to a third country, the data subject has the right to be informed of the safeguards applicable to the transfer.

C. The data subject’s right to rectification and erasure (forgetting)

1. At the request of the data subject, the controller shall, without undue delay, correct inaccurate personal data relating to the data subject and, taking into account the purposes of the processing, ensure that incomplete personal data are completed, including by means of a supplementary declaration, if the data subject so requests.

2. The controller shall delete personal data relating to the data subject without undue delay at the data subject’s request if.

(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

(c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing or objects to the use of his or her data for direct marketing purposes;

(d) the processing of the personal data concerned is unlawful;

(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

f) the personal data were collected in connection with the provision of information society services to children.

The controller shall inform each recipient of any rectification or erasure to whom or with which the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. Upon request, the controller shall inform the data subject of those recipients.

D. Data subject’s right to restriction of processing

1. At the request of the data subject, the controller shall restrict processing if.

(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the controller to verify the accuracy of the personal data

(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use

(c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims

(d) objected to processing based on the legitimate interests of the data subject or for reasons of public interest, in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override those of the data subject.

The controller shall inform each recipient to whom or with which the personal data have been disclosed of any restriction on processing, unless this proves impossible or involves a disproportionate effort. Upon request, the controller shall inform the data subject of those recipients.

E. Data subject’s right to data portability

1.The data subject shall have the right to receive personal data relating to him or her provided to the controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller where the processing is based on consent or a contract as a legal basis under the GDPR and the processing is carried out by automated means.

2. The rules of the GDPR shall apply to exclude and restrict the application of the right to data portability. This is the case if the data subject also has access to the same data without difficulty.

F. The data subject’s right to object

1. The data subject may object at any time, on grounds relating to his or her particular situation, to processing for reasons of public interest or legitimate interest, including profiling. In such a case, the controller may no longer process the personal data, unless he or she can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2.Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.

G. Automated decision-making, profiling

1. The controller shall not make a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects the data subject.

H. Remedies   

The controller shall ensure the possibility to submit claims for legal remedies provided for by law, where the data subject duly proves his or her identity and the link with the personal data, either by the controller or by a means specified by law.

2. Any data subject may, in the event of an alleged violation of rights in relation to the processing of his or her personal data, also apply to the competent court (contact details here: https://birosag.hu/torvenyszekek), the Metropolitan Court of Budapest (1055 Budapest, Markó u. 27.) or initiate an investigation at the National Authority for Data Protection and Freedom of Information (President: Dr. Attila Péterfalvi, 1055 Budapest, Falk Miksa u. 9-11., ugyfelszolgalat@naih.hu, +36-1-3911400, www.naih.hu).

Effective date: 2024.03.22.