SD KFT. (registered office: 1037 Budapest, Farkastorki lejtő 42/a; complaint handling address: 1301 Bp., Pf. 1.; tax number: HU27833494; company registration number: 01-09-399782; electronic mail address: info@sdkft.hu) (hereinafter referred to as the Service Provider, Data Controller) is subject to the following information.
According to Article 20 § (1) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, the data subject (in this case the webshop user, hereinafter referred to as the “user”) must be informed before the processing starts whether the processing is based on consent or whether it is mandatory.
The data subject shall be informed clearly and in detail of all facts relating to the processing of his or her data, in particular the purpose and legal basis of the processing, the person who is authorised to process the data and the duration of the processing, before the processing starts.
The data subject shall also be informed, pursuant to Article 6 § (1) of the Info Act, that personal data may also be processed if obtaining the data subject’s consent would be impossible or would involve disproportionate costs and the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject, or is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and the pursuit of those interests is proportionate to the restriction of the right to the protection of personal data.
The information should also cover the rights and remedies of the data subject in relation to the processing.
Where it would be impossible or disproportionate to provide personal information to data subjects (such as in the present case in an online shop), the information may be provided by disclosing the following information:
- a) the fact of collection,
- b) the identity of the data subjects,
- c) the purpose of the data collection,
- d) the duration of the data processing,
- e) the identity of the potential controllers who have access to the data,
- f) a description of the data subjects’ rights and remedies with regard to the processing
Amendments to this notice will enter into force upon publication at the above address. The legal reference will also be displayed behind each heading of the notice.
Definitions (§ 3)
Data Subject/User: any natural person who is identified or can be identified, directly or indirectly, on the basis of specific personal data;
personal data: data which can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, and the inference which can be drawn from the data concerning the data subject;
consent: a freely given indication of the data subject’s wishes, based on adequate information, by which he or she signifies his or her unambiguous agreement to the processing of personal data relating to him or her, whether in full or in part;
objection: a declaration by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the data processed;
data manager: a natural or legal person or an unincorporated body which, alone or jointly with others, determines the purposes for which the data are processed, takes and executes decisions regarding the processing (including the means used) or has them executed by a processor on its behalf;
data managing: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of further use, taking of photographs, sound recordings or images and physical features which permit identification of a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
data transmission: making data available to a specified third party;
data disclosure: making the data available to any person;
data erasure: rendering data unrecognisable in such a way that it is no longer possible to retrieve it;
data marking: the marking of data with an identification mark to distinguish them;
data blocking: the marking of data with an identification mark for the purpose of limiting their further processing permanently or for a limited period of time;
data destruction: the total physical destruction of a data medium containing data;
data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to carry out the operations and the place of application, provided that the technical task is performed on the data;
data processor: a natural or legal person or unincorporated body which processes data on the basis of a contract with a controller, including a contract concluded pursuant to a legal provision.
Legal basis for processing (§ 5-6)
Personal data may be processed where
- the data subject consents, or
- it is required by law or, on the basis of a statutory authorisation and within the scope specified therein, by a decree of a local authority for a purpose in the public interest.
Personal data may also be processed if obtaining the data subject’s consent would involve an impossible or disproportionate effort and the processing of the personal data is
- a) necessary for compliance with a legal obligation to which the controller is subject; or
- b) necessary for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data.
If the data subject is unable to give his or her consent because of incapacity or for other reasons beyond his or her control, the personal data of the data subject may be processed to the extent necessary to protect his or her vital interests or those of another person or to prevent or protect against an imminent danger to the life, physical integrity or property of a person, as long as the obstacles to consent persist.
The consent or subsequent approval of the legal representative is not required for the validity of a legal declaration of consent by a minor aged 16 or over.
Where the processing based on consent is intended to implement a contract concluded in writing with the controller, the contract must contain all the information which the data subject needs to know in order to process the personal data, in particular the specification of the data to be processed, the duration of the processing, the purposes for which the data are to be used, the fact of the transfer of the data, the recipients of the data, the use of a processor. The contract must unambiguously state that the data subject, by signing it, consents to the processing of his or her data as provided for in the contract.
Where the personal data have been collected with the consent of the data subject, the controller shall, unless otherwise provided by law,
- for the purpose of complying with a legal obligation to which he is subject, or
- for the purposes of the legitimate interests pursued by the manager or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data
Purpose limitation of processing (§ 4 [1]-[2])
Personal data may only be processed for specified purposes, for the exercise of a right or the performance of an obligation. At all stages of processing, the purpose of the processing must be fulfilled and the collection and processing of data must be fair and lawful.
Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.
Other principles of processing (§ 4 [3]-[4])
The personal data shall retain this quality during the processing for as long as the relationship with the data subject can be re-established. The link with the data subject may be re-established if the controller has the technical conditions necessary for such re-establishment.
The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.
Data processing related to the operation of the webshop
Pursuant to Article 20 § (1) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the following shall be defined as data processing in the context of database building related to the operation of the webshop:
- a) the fact of data collection,
- b) the scope of the data subjects,
- c) the purpose of the data collection,
- d) the duration of the data processing,
- e) the identity of the potential controllers entitled to access the data,
- f) a description of the rights of the data subjects in relation to the processing.
The fact of collection, the scope of the data processed:

| Personal data | Purpose of processing |
| --- | --- |
| User name | Identification, to enable registration. |
| Password | To provide secure access to the user account. |
| Surname and first name | Necessary for contacting, making purchases and issuing a correct invoice. |
| Contact name | Contact. |
| E-mail address | Contact. |
| Telephone number | To contact you, for better coordination of billing or delivery issues. |
| Delivery name and address | To issue a proper invoice, as well as to create, define the content of, modify, monitor the performance of, invoice the charges arising from, and claim for any related claims. |
| Billing name and address | Enable home delivery. |
| Date of purchase/registration | Carrying out a technical operation. |
| IP address at time of purchase/registration | Perform technical operation. |
Neither the username nor the e-mail address needs to contain personal data.
Data subjects.
Duration of data processing, deadline for deletion of data. Except in the case of accounting records, since pursuant to Article 169 § (2) of Act C of 2000 on Accounting, these data must be kept for 8 years.
The accounting documents (including general ledger accounts, analytical or detailed records) directly and indirectly supporting the accounting accounts must be kept for at least 8 years in a legible form, retrievable by reference to the accounting records.
Potential controllers of the data: personal data may be processed by the controller’s staff, in compliance with the principles set out above.
Description of data subjects’ rights in relation to data processing. The data subject may request the deletion or modification of personal data by the following means:
by post to 1301 Bp. Pf.: 1.
by e-mail at info@vertim.hu.
The data controller does not use a data processor (hosting provider) for the processing.
The legal basis for data processing: the consent of the User, Article 5 § (1) of the Infotv., and Article 13/A § (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter referred to as the “Elker Act”).
Our Principles of Functional Data Processing (Article 13/A of the Elker Act)
The service provider may process natural person identification data, address, and data relating to the time, duration and place of use of the information society service for the purpose of invoicing the fees arising from the contract for the provision of the information society service.
The provider may process personal data which are technically necessary for the provision of the service. The service provider must, other conditions being equal, choose and in any case operate the means used to provide the information society service in such a way that personal data are processed only to the extent strictly necessary for the provision of the service and for the fulfilment of the other purposes laid down in the Elker Act, but even in this case only to the extent and for the duration necessary.
The service provider may process data relating to the use of the service for any other purposes, in particular to improve the efficiency of its service, to deliver electronic advertising or other addressed content to the user, to conduct market research, only with the prior specification of the purpose of the processing and with the consent of the user.
The recipient must be given the possibility to object to the processing prior to and throughout the use of the information society service.
The processed data must be erased after the non-conclusion of the contract, the termination of the contract and after invoicing. The data must be deleted when the purpose of the processing ceases to exist or when the user so requests. Unless otherwise provided by law, the deletion shall be carried out without delay.
The service provider must ensure that the recipient of the information society service is informed, before and at any time during the use of the service, of the types of data processed by the service provider for which purposes, including the processing of data which cannot be directly linked to the recipient.
Processing of cookies
Pursuant to Article 20 § (1) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the following shall be defined in the context of the cookie processing of the webshop website:
- a) the fact of data collection,
- b) the data subjects,
- c) the purpose of the data collection,
- d) the duration of the processing,
- e) the identity of the potential controllers who have access to the data,
- f) a description of the data subjects’ rights in relation to the processing.
Cookies specific to webshops are so-called “password-protected session cookies”, “shopping cart cookies” and “security cookies”, the use of which does not require the prior consent of the data subject.
Fact of processing, scope of data processed: unique identifier, dates, times
Data subjects: all data subjects visiting the website.
Purpose of the processing: to identify users, to register the “shopping cart” and to keep track of visitors.
Duration of data processing, time limit for deletion of data: the duration of data processing in the case of session cookies is until the end of the visit to the websites.
The personal data may be processed by the staff of the controller, in compliance with the principles set out above.
Legal basis for processing: consent from the data subject is not required where the sole purpose of the use of cookies is to provide a communication over an electronic communications network or where it is strictly necessary for the service provider to provide an information society service explicitly requested by the subscriber or user.
Using Google Analytics
- a) This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site you have visited.
- b) The information generated by the cookie about the website you use is usually transmitted to and stored by Google on servers in the United States. By activating the IP anonymisation on the website, Google will shorten the User’s IP address beforehand within the Member States of the European Union or in other states party to the Agreement on the European Economic Area.
- c) Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity for the website operator and to provide other services relating to website and internet usage.
- d) Google Analytics will not associate the IP address transmitted by the User’s browser with any other data held by Google. The storage of cookies may be prevented by the User by means of the appropriate browser settings, but please note that in this case not all functions of this website may be fully functional. You may also prevent Google from collecting and processing information about your use of this website (including your IP address) by means of cookies by downloading and installing the browser plug-in available at https://tools.google.com/dlpage/gaoptout?hl=hu
Newsletter, DM activity
Pursuant to Article 6 § of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity, the User may expressly consent in advance to being contacted by the Service Provider with advertising offers and other mailings at the contact details provided at the time of registration.
In addition, the Customer may, subject to the provisions of this information, consent to the processing of personal data by the Service Provider necessary for sending advertising offers.
The Service Provider shall not send unsolicited commercial communications and the User may unsubscribe from receiving such communications free of charge, without any restriction and without giving any reason. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User may unsubscribe from advertising by clicking on the link in the message.
Pursuant to Article 20 § (1) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, the following shall be specified in the cookie processing of the webshop website:
- a) the fact of data collection,
- b) the data subjects concerned,
- c) the purpose of the data collection,
- d) the duration of the processing,
- e) the identity of the potential controllers who have access to the data,
- f) a description of the data subjects’ rights in relation to the processing.
The fact of processing, the data processed: name, e-mail address, date, time.
Data subjects: all data subjects who subscribe to the newsletter.
Purpose of the processing: to send electronic messages containing advertising to the data subject, to provide information on current information, products, promotions, new features, etc.
Duration of processing, deadline for deletion of data: until the consent is withdrawn, i.e. until unsubscription.
Potential data controllers who may access the data: personal data may be processed by the controller’s staff, in compliance with the principles set out above.
Description of the data subject’s rights in relation to data processing.
Free of charge…
Legal basis for processing: the data subject’s voluntary consent, in accordance with the Infotv. Voluntary consent of the data subject shall be provided by the data subject.
Data transmission
Pursuant to Article 20 § (1) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the following shall be defined in the scope of the data transfer activities of the webshop website:
- a) the fact of data collection,
- b) the data subjects concerned,
- c) the purpose of the data collection,
- d) the duration of the data processing,
- e) the identity of the potential controllers who have access to the data,
- f) a description of the data subjects’ rights in relation to the processing.
The fact of processing, the scope of the data processed. The scope of the data transmitted in order to carry out the delivery: name, address, telephone number, name of the product, amount to be paid.
Data subjects: all data subjects who request a home delivery.
Purpose of data processing.
Duration of processing, deadline for deletion of data.
Possible controllers of the data: the personal data may be processed by the following, in compliance with the principles set out above:
Express One Hungary Korlátolt Felelősségű Társaság.
Customer service.
+36 1 8 777 400 Fax: +36 1 8 777 499
E-mail: ugyfelszolgalat@expressone.hu
Privacy Policy: https://expressone.hu/public/Express_One_Hungary_Kft_Adatkezelesi_tajekoztato.pdf
The data subject may request the data controller of the home delivery service provider to delete his/her personal data as soon as possible.
The data subject shall provide his/her consent to the use of the data, Article 5 § (1) of the Act on Information Society Services and Certain Aspects of Electronic Commerce Services and Information Society Services of 2001 (CVIII of 2001), Article 13/A § (3).
Customer relations and other data processing
If the data subject has any questions or problems when using our services, he or she may contact the data controller by the means indicated on the website (telephone, e-mail, social networking sites, etc.).
The data controller will delete the received e-mails, messages, data provided by telephone, Facebook, etc., together with the name and e-mail address of the interested party and other personal data voluntarily provided by the interested party, after a maximum of 2 years from the date of the communication.
Any processing not listed in this notice will be notified at the time the data is collected.
In exceptional cases, the Service Provider is obliged to provide information, data or documents in response to a request from a public authority or other bodies authorised by law.
In such cases, the Service Provider shall only disclose personal data to the requesting party – provided that the latter has indicated the precise purpose and scope of the data – to the extent that is indispensable for the purpose of the request.
Data security (§ 7)
The controller shall design and implement the processing operations in such a way as to ensure the protection of the privacy of data subjects.
The data controller shall ensure the security of the data (password protection, anti-virus protection), take the technical and organisational measures and establish the procedural rules necessary to enforce the Info Act and other data protection and confidentiality rules.
The controller shall take appropriate measures to protect the data, in particular against:
- unauthorised access,
- alteration,
- transmission,
- disclosure,
- erasure or destruction,
- accidental destruction or damage,
- inaccessibility resulting from changes in the technology used.
The controller shall ensure, by appropriate technical means, that the data stored in the records cannot be directly linked and attributed to the data subject.
The controller shall take measures to prevent unauthorised access to, alteration of, and unauthorised disclosure or use of personal data:
- the establishment and operation of an appropriate IT and technical environment,
- the controlled selection and supervision of its staff involved in the provision of services,
- the establishment of detailed operating, risk management and service provision procedures.
On the basis of the above, the service provider shall ensure that the data it processes:
- is available to the right holder,
- its authenticity and verification are ensured,
- its integrity can be verified.
The IT system of the controller and its hosting provider shall protect against, inter alia:
- computer fraud,
- espionage,
- computer viruses,
- spam,
- hacks and other attacks.
Rights of data subjects (§ 14-19)
The data subject may request the Service Provider to provide information on the processing of his/her personal data, request the rectification of his/her personal data and request the erasure or blocking of his/her personal data, except for mandatory processing.
At the request of the data subject, the controller shall provide information about the data of the data subject processed by the controller or by a processor to whom the controller or the processor has delegated the processing, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, the circumstances of the personal data breach, its effects and the measures taken to remedy it, and, in the case of the transfer of the data subject’s personal data, the legal basis and the recipient of the transfer.
The controller shall, where it has an internal data protection officer, through the internal data protection officer, keep a register for the purpose of monitoring the measures taken in relation to the personal data breach and informing the data subject, which shall include the scope of the personal data concerned, the number and type of data subjects affected by the personal data breach, the date, circumstances, effects and measures taken to remedy the personal data breach and other data specified in the legislation providing for the processing.
For the purposes of monitoring the lawfulness of the transfer and informing the data subject, the controller shall keep a record of the transfer, including the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.
Upon the User’s request, the Service Provider shall provide information on the data processed by it, their source, the purpose, legal basis and duration of the processing, the name and address of any data processor and its activities related to the processing, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer. The service provider shall provide the information in writing and in an intelligible form within the shortest possible time from the date of the request, but not later than 25 days. The information shall be provided free of charge.
If the personal data is inaccurate and the correct personal data is available to the controller, the service provider shall correct the personal data.
Instead of deleting the personal data, the Service Provider shall block the personal data if the User requests this or if, on the basis of the information available to it, it can be assumed that deletion would harm the legitimate interests of the User. Blocked personal data may be processed only for as long as the processing purpose that precluded the deletion of the personal data persists.
The Service Provider shall delete the personal data if its processing is unlawful, the User requests it, the processed data is incomplete or incorrect – and this situation cannot be lawfully remedied – provided that deletion is not excluded by law, the purpose of the processing has ceased to exist, or the statutory period for storing the data has expired, or the court or the National Authority for Data Protection and Freedom of Information has ordered it.
The controller shall mark the personal data that it processes if the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.
Rectification, blocking, marking and erasure shall be notified to the data subject and to all those to whom the data were previously disclosed for processing. Notification may be omitted if this does not harm the legitimate interests of the data subject having regard to the purposes of the processing.
If the controller does not comply with the data subject’s request for rectification, blocking or erasure, it shall, within 25 days of receipt of the request, provide in writing the factual and legal reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.
Remedies
You may object to the processing of your personal data if:
- a) the processing or transfer of the personal data is necessary solely for the performance of a legal obligation to which the Service Provider is subject or for the purposes of the legitimate interests pursued by the Service Provider, the data recipient or a third party, unless the processing is required by law;
- b) the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes;
- c) in other cases specified by law.
The service provider shall examine the objection within the shortest possible period of time from the date of the request, but not more than 15 days, and shall decide whether the objection is justified and inform the applicant in writing of its decision. If the Service Provider establishes that the objection of the data subject is justified, it shall terminate the processing, including further recording and transmission of data, and block the data, and shall notify the objection and the measures taken on the basis of the objection to all those to whom it has previously transmitted the personal data concerned by the objection and who are obliged to take action to enforce the right to object.
If the User does not agree with the decision of the Service Provider, the User may appeal against it to a court within 30 days of its notification. The court shall act out of turn.
Complaints against possible infringements by the data controller may be lodged with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Postal address: 1530 Budapest, P.O. Box 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Judicial Enforcement (§ 22)
The controller shall prove that the processing is in compliance with the law. It is for the recipient to prove the lawfulness of the transfer.
The tribunal shall have jurisdiction to hear the case. The action may also be brought, at the option of the data subject, before the courts for the place where the data subject resides or is domiciled.
A person who does not otherwise have legal capacity may be a party to the proceedings. The Authority may intervene in the proceedings in order to ensure that the person concerned is successful.
If the court upholds the application, the controller shall be ordered to provide the information, rectify, block or erase the data, annul the decision taken by automated processing, take account of the data subject’s right to object or disclose the data requested by the data subject.
If the court rejects the data subject’s request, the controller shall erase the personal data of the data subject within 3 days of the notification of the judgment. The controller shall also be obliged to delete the data if the data subject does not apply to the court within the time limit.
The court may order the publication of its judgment, with the publication of the controller’s identification data, if the interests of data protection and the protected rights of a larger number of data subjects so require.
Compensation and damages (Article 23)
Where the controller infringes the data subject’s right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from the controller.
The controller shall be liable to the data subject for the damage caused by the processor and the controller shall also pay the data subject the damages due to the data subject in the event of a personal data breach caused by the processor. The controller shall be exempted from liability for the damage caused and from the obligation to pay the damage fee if it proves that the damage or the infringement of the data subject’s personality rights was caused by an unavoidable cause outside the scope of the processing.
No compensation shall be due and no damages shall be payable where the damage or injury to the personality rights of the data subject was caused by the intentional or grossly negligent conduct of the data subject.
Closing words
The following legislation has been taken into account in the preparation of this leaflet:
– Act CXII of 2011 – on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Infotv.”)
– Act CVIII of 2001 – on certain aspects of electronic commerce services and information society services (in particular Article 13/A)
– Act XLVII of 2008 – on the Prohibition of Unfair Commercial Practices against Consumers;
– Act XLVIII of 2008 – on the basic conditions and certain restrictions on commercial advertising (in particular § 6)
– Act XC of 2005 on Freedom of Electronic Information
– Act C of 2003 on Electronic Communications (specifically § 155)
– Opinion No 16/2011 on the EASA/IAB Recommendation on best practice in behavioural online advertising