Privacy policy
Privacy and data management notice
1. Introduction
The purpose of this Privacy Policy and Data Management Notice (hereinafter referred to as the "Notice") is to provide clear guidelines regarding the privacy policy principles of odustore.hu (hereinafter referred to as the "Online Store" or "Website"). The Notice aims to ensure that Customers are properly informed about how Odu Store Kft. (hereinafter referred to as the "Service Provider") and the data processors employed by it process and manage their data. It includes information about the source, purpose, legal basis, and duration of data management, as well as the name and address of any other data processors involved in the processing. Additionally, it covers other activities related to data processing and, if applicable, the legal basis and recipient of any data transmission involving the data subject's data.
2. Applicable legislation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information;
Act V of 2013 on the Civil Code (hereinafter: Civil Code);
Act C of 2000 on Accounting (hereinafter: Accounting Act);
Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities;
Act CXIX of 1995 on the processing of name and address data for research and direct marketing;
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
Act CVIII of 2001 on certain aspects of electronic commerce services and information society services;
Act CL of 2017 on the Rules of Taxation (hereinafter: Art.).
3. Definitions
The definitions in this Notice comply with the interpretative definitions set out in Article 4 of the GDPR, in particular:
Personal Data: any information about an identified or identifiable natural person ("Data Subject"), who can be identified, directly or indirectly, by reference to an ID such as a name, phone number, location data, an online ID, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Data Analysis: activities involved in the processing of personal data, regardless of whether they are performed manually or by automated means. These tasks encompass various operations and procedures, and they can be carried out using different methods and tools, without being limited to a specific location of application. The key criterion for categorizing a task as a technical one is that it pertains to the manipulation or handling of data itself;
Processor: a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller;
Data Processing: a range of activities conducted on personal data or sets of personal data, irrespective of whether they are automated or performed manually. These operations encompass various actions such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other means of making the data available. Additionally, the operations include alignment or combination of data, restriction of data processing, as well as the erasure or deletion of data. These activities collectively define the scope of actions involved in processing personal data;
Controller: a natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, Union or Member State law may also determine the specific criteria for the controller or the designation of the controller;
Transfer: the transfer of processed personal data to other controllers for non-processing purposes;
Data Breach: a breach of security that results in the accidental or unlawful deletion, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Pseudonymization: also known as de-identification; the processing of personal data in a way that makes it impossible to identify the individual to whom the data relates without additional information. To achieve this, the additional information is kept separately, and suitable technical and organizational measures are implemented to prevent any association with identified or identifiable natural persons;
Data Subject's Consent: consent refers to the voluntary, informed, and unambiguous expression of the data subject's wishes. It signifies their agreement to the processing of their personal data, which can be conveyed through a statement or an unambiguous affirmative action;
Recipient: the natural or legal person, public authority, agency, or any other body, whether or not a third party, to whom or with whom the personal data are disclosed. Public authorities that may have access to personal data in the context of an individual investigation by Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules for the processing;
Third Party: a natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, or the persons who, under the direct authority of the controller or processor, are authorized to process personal data;
Special Categories of Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data and biometric data revealing the identity of natural persons, health data, and personal data concerning the sex life or sexual orientation of natural persons;
Profiling: any form of automated processing of personal data in which personal data are used to evaluate certain personal aspects relating to a natural person, to analyze or predict characteristics associated with that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
In case of any disparities between the definitions provided in the official General Data Protection Regulation (GDPR) and the definitions outlined in this Notice, the definitions stated in the legislation (GDPR) shall take precedence and prevail.
4. Principles of data management
4.1. Legality, fairness, and transparency
The processing of personal data must conform to the principles of lawfulness, fairness, and transparency in relation to the data subject. For the processing to be considered lawful, it must rely on either the explicit consent of the data subject or another lawful basis established by applicable legal provisions.
The processing of personal data is permissible only when it is necessary and there are no viable alternatives to achieve the intended purpose. In essence, if there are no reasonable alternatives available to achieve the desired objective, the processing of personal data may be deemed necessary.
Information and communication regarding the processing of personal data should be readily accessible, easily understandable, and conveyed through clear and straightforward language. It is essential to use clear and plain sentences to ensure that individuals can easily comprehend the information provided about the processing of their personal data.
To ensure fair and transparent data processing, the Data Subject must be informed of the fact and circumstances of the processing.
When the Service Provider collects personal data directly from the Data Subject, it is essential to inform the Data Subject about whether the provision of personal data is mandatory or voluntary. Additionally, the consequences of not providing the data should be clearly communicated. This information must be provided to the Data Subject at the time of collection of their personal data.
When personal data is collected from a source other than the Data Subject, the Data Subject must be informed within a reasonable time. If the personal data may be lawfully disclosed to another recipient, the Data Subject must be notified at the first disclosure. Transparency and timely communication are key in such cases.
The obligation to provide information to the Data Subject may be exempted under certain circumstances as permitted by law. These exemptions encompass situations where the Data Subject already possesses the requisite information, when the recording or disclosure of personal data is expressly mandated by legal provisions, or when it would be impracticable or disproportionately burdensome to provide the requested information.
The Data Subject retains the right to access, rectify, erase, and object to the processing of their personal data by the Service Provider, without any associated charges. The Data Controller is under the obligation to promptly respond to the Data Subject's requests, ensuring a maximum response time of 25 days (twenty-five days). If the Data Controller fails to fulfill the Data Subject's request, clear reasons for refusal must be provided transparently.
4.2. The purpose limitation principle
Personal data should only be collected for specific, explicit, and legitimate purposes. It is prohibited to process personal data in a manner that is incompatible with these stated purposes.
The processing of personal data for purposes other than the ones initially collected is permissible only if it is compatible with the original purposes. When assessing compatibility, factors such as the relationship between the original and intended purposes, the circumstances of data collection, and the nature of the personal data should be considered. This examination is essential to ensure that any secondary processing aligns with the principles of data protection.
4.3. Data conservation principle
The processing of personal data must be adequate and relevant to the purposes for which it was collected. Moreover, the processing should be limited to the minimum necessary extent required to fulfill those purposes. Adhering to these principles allows data controllers to avoid unnecessary or excessive processing of personal data, thereby promoting privacy and data protection.
To effectively uphold this principle, the Data Controller must establish suitable technical and organizational measures. These measures include the implementation of pseudonymization techniques during both the determination and execution of data processing methods. By integrating these measures, the Data Controller ensures the incorporation of necessary safeguards and adherence to data protection principles, thereby safeguarding the rights of the Data Subjects.
The Data Controller shall implement technical and organizational measures to ensure that only personal data that are necessary for the specific purpose of the processing are processed. This obligation relates to the amount of personal data collected, the extent to which they are processed, the duration of their storage, and their availability.
4.4. Principle of accuracy
Personal data collected, stored, and processed by the Data Controller must be accurate and, where necessary, kept up to date. The Controller shall take all reasonable steps to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without undue delay.
To enforce the principle of accuracy, the Data Controller is obliged to verify the accuracy of the data upon the Data Subject's request (right to rectification, erasure), and, if necessary, to modify or delete the personal data.
4.5. Storage limitation
To uphold the principle of purpose limitation, it is essential to restrict the storage of personal data to the shortest duration possible. To ensure this, the Controller should establish time limits for erasure or periodic review of the stored personal data. By setting such limits, data controllers can effectively manage the storage of personal data and ensure that it is retained only for as long as necessary.
Personal data should be stored in a format that allows the identification of the Data Subject only for the duration required to achieve the purposes of data processing. Extended storage of personal data is permissible only if the processing is carried out for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. In such cases, appropriate safeguards should be in place to protect the rights and privacy of the Data Subjects.
4.6. Integrity and confidentiality
Personal data must be processed with adequate measures to ensure a sufficient level of security and confidentiality. This includes preventing unauthorized access to and unauthorized use of personal data, as well as safeguarding the methods employed to process such data. By implementing appropriate security measures, data controllers can protect personal data from unauthorized access or misuse, thereby preserving the privacy and integrity of the data.
To implement this, the Data Controller must apply technical or organizational measures in the processing of personal data in such a way that the security of personal data is adequate at all times. This should include protection against unauthorized or unlawful processing, accidental loss, deletion, or damage.
4.7. Accountability of the Data Controller
The Data Controller must comply with the principles detailed above when processing personal data and must be able to demonstrate compliance.
5. Data subject's rights
The Data Subject may exercise their rights in the following ways:
E-mail: ugyfelszolgalat@odustore.hu
Mail: 1124 Budapest, Apor Vilmos tér 11-12.
5.1. Right to access personal information
Upon the Data Subject's request, the Data Controller is obliged to provide information regarding the ongoing processing of their personal data. If the processing is indeed taking place, the Data Controller must grant the Data Subject access to their personal data, allowing them to review and examine the relevant information. This ensures transparency and enables Data Subjects to exercise their rights related to their personal data.
5.2. Right to rectification
At the Data Subject's request, the Data Controller shall correct inaccurate personal data concerning the Data Subject or complete incomplete data without undue delay.
5.3. Right to deletion
Upon the Data Subject's request, the Controller must promptly delete the relevant personal data if any of the following grounds are applicable:
- if the purpose of the processing has ceased or the statutory time limit has expired;
- if the Data Subject withdraws their consent and there is no other legal basis for the processing;
- if the Data Subject objects to the processing and there is no overriding legitimate ground;
- if the processing is unlawful;
- if the personal data is incomplete or inaccurate and this situation cannot be lawfully remedied;
- if the personal data is required by law to be deleted;
- if ordered by a public authority or a court.
If the Data Controller has disclosed the personal data that is required to be deleted based on the aforementioned grounds, it is obligated to take all reasonable measures within its capabilities, considering technical feasibility and implementation costs, to inform other Data Controllers about the obligation to delete the data. This ensures that all relevant parties are aware of the requirement to remove personal data from their systems or records.
Even in the case of the above grounds for erasure, the personal data need not be erased if the processing is necessary for one of the following reasons:
- to exercise the right to freedom of expression and information;
- to comply with a legal obligation to which the Data Controller is subject, to fulfill a task assigned to the Data Controller in the public interest;
- for reasons of public interest relating to public health, health data as defined by law cannot be erased;
- processing is carried out for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes and erasure would render the processing unlikely or seriously jeopardize it;
- necessary for the establishment, exercise, or prosecution of a legal claim.
5.4. Right to restriction
At the Data Subject's request, the Controller will restrict the processing of their data if one of the following conditions is met:
- the Data Subject contests the accuracy of their data (in which case the restriction applies for the period that allows the Controller to verify the accuracy of the personal data);
- the Data Controller no longer needs the Data Subject's data, but the Data Controller nevertheless requires them for the establishment, exercise, or defense of legal claims;
- the Data Subject has objected to the processing, in which case the restriction shall apply for a period that allows the Controller to assess whether the legitimate interests of the Controller override the legitimate grounds of the Data Subject.
The restriction of processing entails preventing any further processing operations from being carried out on personal data. While processing is restricted, the Controller may only engage in activities other than the storage of personal data with the explicit consent of the Data Subject or in situations where processing is necessary for the establishment, exercise, or defense of legal claims by the Controller, protection of the rights of another individual or entity, or important public interests of the European Union or a Member State.
In the event of restriction of processing, the Data Controller shall inform the Data Subject in advance.
5.5. Right to object
The Data Subject has the right to object, at any time, to the processing of their personal data by the Data Controller if the legal basis for such processing is the exercise of public interest or the exercise of official authority vested in the Data Controller, or if it is based on the legitimate interests of the Data Controller or a third party. The Data Subject may also exercise the right to object by automated means, using technical specifications such as unsubscribing from a newsletter. This ensures that individuals have control over the processing of their personal data and can express their objections when applicable legal grounds are in place.
5.6. Right to data portability
The Data Subject possesses the right to obtain their personal data, which they have provided to a Data Controller, in a structured, commonly used, and machine-readable format. Furthermore, they have the right to transmit this data to another Data Controller without obstruction from the original Data Controller. This empowers individuals to have control over their personal data and facilitates the seamless transfer of their information between different entities, promoting data portability and user autonomy.
5.7. Right to withdraw
The Data Subject has the right to withdraw their consent to the processing of their data by the Controller at any time. Withdrawal of consent shall not affect the lawfulness of the processing based on consent before its withdrawal. Following the withdrawal of consent, the Controller shall delete the personal data processed based on the consent.
5.8. Right to petition
In the event of a complaint about the processing, if you have any requests or questions about the processing, you may send your request by mail to the Data Controller's headquarters or electronically to the e-mail address indicated in the contact details of the Data Controller. Our replies will be sent to the address you have requested without delay but within a maximum of 30 days.
The Data Subject shall have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information, without prejudice to other administrative or judicial remedies, if they believe that the Controller has infringed the law in the processing of their data, for example, unlawful processing, disagreement with a decision or information relating to the processing of the Data, delayed provision of data by the Controller, or failure to provide data by the Controller.
National Authority for Data Protection and Freedom of Information
Mailing address: 1363 Budapest, PO Box 9.
Address: 1055 Budapest, Falk Miksa utca 9-11.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://naih.hu
Individuals have the right to seek judicial recourse by appealing to the courts in response to a decision made by the supervisory authority.
The Data Subject retains the right to initiate legal proceedings in court if the Data Controller fails to process their personal data in accordance with the applicable law. In cases of unlawful processing, the Data Controller is obliged to provide compensation to the Data Subject for any pecuniary and non-pecuniary damages incurred. Data protection cases fall under the jurisdiction of the courts. The Data Subject has the option to file a lawsuit before the competent court either at their place of residence or domicile, providing them with flexibility in choosing the appropriate legal forum for seeking a petition.
The list of courts - name, contact details - and the jurisdiction search service are available at www.birosag.hu.
In the event of a violation of the rights of the Data Subject in connection with content that is offensive to minors, hateful, exclusionary, corrective, the rights of a deceased person, or the violation of reputation, the Data Subject may contact the National Media and Infocommunications Authority.
National Media and Infocommunications Authority
Mailing address: 1525 P.O. Box 75.
Address: 1015 Budapest, Ostrom utca 23-25.
Phone: +36-1-457-7100
Fax: +36-1-356-5520
E-mail: info@nmhh.hu
Website: http://nmhh.hu
If the Data Controller infringes the Data Subject's right to privacy by unlawful processing of the Data Subject's data or by breaching the requirements of data security, the Data Subject may claim damages from the Data Controller.
6. Data controller and contact details
The Controller shall implement appropriate technical and organizational measures to ensure and demonstrate that the processing of personal data is carried out in accordance with data protection law, taking into account the nature, scope, context, and purposes of the processing and the varying degrees of risk to the rights and freedoms of natural persons. At all stages of processing, the purposes of the processing and the relevant legal provisions must be complied with.
The technical and organizational measures taken to ensure lawful processing shall be reviewed and, where necessary, updated by the Controller.
Details of the Data Controller:
name: Odu Store Kft.
1124 Budapest, Apor Vilmos tér 11-12.
company registration number: 01 09 388165
Tax number: 27198298-2-43
represented by Ráhel Orbán, Managing Director
e-mail address: ugyfelszolgalat@odustore.hu
7. Data processor and contact details
7.1 Data processors
| | Name | Headquarters | Terms of reference |
|---|---|---|---|
| E-mail service provider | Microsoft Outlook | USA, Washington State, Seattle - Redmond One Microsoft Way | Information collected will be used for communication purposes with registrants. |
| Repository | Shopify International Ltd. | 2nd Floor 1-2 Victoria Buildings | Website domains are stored within this system. |
| IT service provider | Gergely Rácz sole proprietor | 1123 Budapest, Ráth György utca 6. | They are responsible for managing and performing various administrative tasks related to our NAS system. |
| Courier service | GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. | 2351 Alsónémedi, GLS Európa u. 2. | They handle the delivery of ordered products, ensuring they are delivered to the desired location as requested by the customers. |
| Accounting | A.H. Audit Audit and Tax Advisory Ltd. | office: 6200 Kiskőrös, Petőfi tér 10-11. | Provides accounting services to the Service Provider. |
| Online payment system | OTP Mobil Kft. | 1143 Budapest, Hungária körút 17-19. | Used to settle the total amount of the order. |
| Invoicing program | Billingo Technologies Zrt. | 1133 Budapest, Árbóc utca 6., I. floor | The electronic invoicing process is facilitated through this system. |
| Providing a webshop and contributing to the newsletter | Odu Store Kft. | 1124 Budapest, Apor Vilmos tér 11-12. | They are the proprietor of the online store and also participate in the distribution of newsletters. |
| Conversion tracking, creating individual audiences | Facebook Ireland Ltd. | 4 Grand Canal Square Grand Canal Harbour Dublin 2 Ireland | Facebook is used to track conversions and create custom audiences. |
| Conversion tracking | Google Analytics (Google LLC.) | 1600 Amphitheatre Parkway Mountain View, CA 94043 | Google is used to track conversions and create custom audiences. |
8. Data Protection Officer and contact details
The Data Controller is not obliged to appoint a Data Protection Officer under Article 37 of the GDPR.
9. Process of data processing
If the Data Controller employs staff, its employees may process the data only to the extent strictly necessary for the performance of their tasks. If no staff is employed, the Data Controller's representative shall process the data.
Please be informed that the Data Controller does not perform any data management activities in connection with the functions called via the icons of external service providers (Facebook, Twitter, LinkedIn, Instagram) on the website; in these cases the data controller is the external company providing the service.
9.1. Data processed when using the Website
| Data managed | Is it mandatory? | Purpose of processing (what is the data for)? | Legal basis for processing | Who can see the data? | Duration of data processing | How can the data be deleted? |
|---|---|---|---|---|---|---|
| Name | mandatory | registration, identification | in the case of registration and newsletter, the data subject's consent Article 6(1)(a) GDPR and the legal requirement of Article 6(1)(a) GDPR | authorised staff of the controller, authorised staff of the processors | until the registration is cancelled or unsubscribing from the newsletter | In the case of a newsletter, you can revoke your consent by utilizing the unsubscribe link provided within the newsletter. |
| E-mail address | mandatory | registration, contact | performance of the contract Article 6(1)(b) GDPR; in the case of a newsletter, the consent of the data subject Article 6(1)(a) GDPR and the legal requirement of Article 6(1)(a) GDPR | authorised staff of the controller, authorised staff of the processors | until the registration is cancelled or unsubscribing from the newsletter | By e-mail or in the case of a newsletter, you can revoke your consent by utilizing the unsubscribe link provided within the newsletter |
| Username | mandatory | identification | consent of the data subject Article 6(1)(a) GDPR | authorised staff of the controller, authorised staff of the processors | until the registration is cancelled | By e-mail |
| Password | mandatory | identification | consent of the data subject Article 6(1)(a) GDPR | authorised staff of the controller, authorised staff of the processors | until the password is changed, but no later than the registration is deleted | By e-mail |
| Data related to the secure technical operation of the website | automatic, compulsory | During the website operation, technical data such as the IP address, approximate geographical location, operating system type and version number, browser type and version number, website activity, and the type and version number of the user's computer or mobile device are processed. | legitimate interest of the controller under Article 6(1)(f) of the GDPR | authorised staff of the controller, authorised staff of the processors | 1 year | automatically deleted at the end of the data processing period |
| Conversion tracking, data related to the creation of custom audiences | optional | Share or like certain content, products, promotions or the website itself on facebook.com | consent of the data subject Article 6(1)(a) GDPR | authorised staff of the controller, authorised staff of the processors | the duration of data processing, the method of data processing, and the possibilities for deleting and modifying data are governed by the facebook.com community site: | |
9.2. Data processed in connection with the order
| Data managed | Is it mandatory? | Purpose of processing (what is the data for)? | Legal basis for processing | Who can see the data? | Duration of data processing | How can the data be deleted? |
|---|---|---|---|---|---|---|
| Name / Company name | mandatory | identification, invoicing | on order performance of the contract Article 6(1)(b) GDPR and a legal requirement under Article 6(1)(a) of the GDPR | authorised staff of the controller, authorised staff of the processors | Required under the Accounting Act and Art.: 8 years | Deletion by the Data Controller |
| Address / Place of residence | mandatory | identification, invoicing | on order performance of the contract Article 6(1)(b) GDPR and a legal requirement under Article 6(1) GDPR | authorised staff of the controller, authorised staff of the processors | Required under the Accounting Act and Art.: 8 years | Deletion by the Data Controller |
| Tax number | Mandatory for businesses | identification, invoicing | on order performance of the contract Article 6(1)(b) GDPR and a legal requirement under Article 6(1) GDPR | authorised staff of the controller, authorised staff of the processors | Required under the Accounting Act and Art.: 8 years | Deletion by the Data Controller |
| Delivery address | mandatory | identification, delivery performance | on order performance of the contract Article 6(1)(b) GDPR and a legal requirement under Article 6(1) GDPR | authorised staff of the controller, authorised staff of the processors | Required under the Accounting Act and Art.: 8 years | Deletion by the Data Controller |
| Phone number | mandatory | identification, delivery performance | on order performance of the contract Article 6(1)(b) GDPR | authorised staff of the controller, authorised staff of the processors | in relation to an invoice: required under the Accounting Act and Art., 8 years; in other cases: the general limitation period under the Civil Code is 5 years | Deletion by the Data Controller |
| Order related data | mandatory | identification, contract performance | on order performance of the contract Article 6(1)(b) GDPR | authorised staff of the controller, authorised staff of the processors | Required under the Accounting Act and Art.: 8 years | Deletion by the Data Controller |
| Other information provided when ordering | optional | identification, contract performance | consent of the data subject Article 6(1)(a) GDPR | authorised staff of the controller, authorised staff of the processors | The general limitation period under the Civil Code is 5 years | Deletion by the Data Controller |
| Data provided in the anonymous customer satisfaction questionnaire (answers to individual questions in the questionnaire) | optional | You can help us to improve the quality of our work and your professional service by completing this questionnaire to give us feedback on the quality of our work and your satisfaction with it. | consent of the data subject Article 6(1)(a) GDPR | authorised staff of the controller, authorised staff of the processors | The general limitation period under the Civil Code is 5 years | Deletion by the Data Controller |
9.3. Newsletter and direct marketing activities, social media sites
Subscription to the newsletter is based on voluntary consent.
Name, description and purpose of the processing |
Send newsletter. Please be aware that when subscribing to the newsletter, we may not be able to verify the authenticity of the contact details or ascertain whether they belong to an individual or a company. In the event of business-related communication, the corresponding entity will be treated as a customer partner.
The purpose of processing data is to send professional brochures, promotional emails, informational content, and newsletters. You have the freedom to unsubscribe at any time without any adverse consequences. Unsubscribing is also possible if your business ceases to exist, you no longer participate in the business, or someone else has provided us with your contact information.
If you provide your explicit consent, expressed through the completion of your name, email address, and consent checkbox during registration or newsletter subscription, we may send you newsletters and promotional offers via the email address you provided. By giving your consent, you allow us to process the necessary personal data for this purpose. It is important to note that if you wish to receive the newsletter, providing the required data is mandatory. Failure to provide this information will prevent us from sending you the newsletter. |
|
Who is affected |
Newsletter subscribers. |
|
Legal basis for processing |
Your consent. |
|
Scope and purpose of the data processed |
Last name |
identification, contact, newsletter |
First name |
identification, contact, newsletter |
|
E-mail address |
identification, contact, newsletter |
|
Duration of data processing and erasure of data |
The data will be processed until consent is withdrawn. The data will be deleted when consent to processing is withdrawn. You can withdraw your consent to data processing at any time by using the unsubscribe link in the newsletters sent to you. |
|
Who has access to personal data? |
|
|
|
|
|
How the data is stored |
electronic |
|
9.4. Complaints handling
Making a complaint is based on voluntary consent, but once a complaint is made, data processing is mandatory by law - Act CLV of 1997.
Name, description and purpose of the processing |
Complaints handling. You can make a complaint about a service, product or the behavior, actions or omissions of the Data Controller in writing (by mail, e-mail). The purpose of the processing of the data is to identify the data subject and the complaint, to record the data required to be recorded by law, to enable the complaint to be well-communicated and to enable contact to be maintained. |
|
Scope of beneficiaries |
Any natural person who wishes to make a complaint in writing about a service or about the conduct, activity or omission of a data controller. |
|
Legal basis for processing |
The complaint handling process starts on the basis of voluntary consent, but in the case of a complaint, data processing is mandatory by law - Act CLV of 1997. |
|
Scope and purpose of the data processed |
Complaint ID |
identification |
Place, time and method of receipt of complaint |
identification |
|
Your e-mail address |
identification, contact |
|
Personal data provided by email |
identification |
|
Last name |
identification |
|
First name |
identification |
|
Mailing address |
contact |
|
Subject of complaint |
complaint handling |
|
Content of complaint |
investigate a complaint |
|
Attached documents |
investigate a complaint |
|
Reason for complaint |
investigate a complaint |
|
Duration of data processing and erasure of data |
The Data Controller is required to keep the record of the complaint and a copy of the replies for 5 years from the date of the recording, in accordance with the relevant and applicable provisions of Act CLV of 1997, Article 17/A (7). |
|
Who has access to personal data? |
|
|
|
|
|
How the data is stored |
electronic, paper-based |
|
9.5. Request for information
The request for information is based on voluntary consent.
Name, description and purpose of processing |
Request information. You may address questions in writing (by mail or e-mail) about the service or the controller's conduct or activities. The purpose of the processing is to provide the data subject with adequate information and to maintain contact. |
|
Scope of beneficiaries |
Any natural person who contacts the Data Controller and requests information from the Data Controller while providing personal data. |
|
Legal basis for processing |
By providing your contact information in the request for information, you are voluntarily consenting to be contacted by the data controller. This contact will be made with the purpose of clarifying or answering your query in accordance with the intended processing. |
|
Scope and purpose of the data processed |
Question ID |
identification |
Place, time and method of receipt of the question |
identification |
|
Your e-mail address |
identification, contact |
|
Personal data provided by email |
identification |
|
Last name |
identification |
|
First name |
identification |
|
Mailing address |
contact |
|
Subject of the question |
complaint handling |
|
Question content |
investigate a complaint |
|
Duration of data processing and erasure of data |
Until the purpose is achieved. |
|
Who has access to personal data? |
|
|
|
|
|
How the data is stored |
electronic, paper-based |
|
9.6. Customer satisfaction survey
Name, description and purpose of the processing |
Customer satisfaction survey. The Data Controller is dedicated to delivering services of high quality. To ensure a satisfactory experience for its customers and maintain service excellence, the Data Controller conducts regular assessments of its operations and service quality. Feedback received from customers is carefully evaluated, and applicable suggestions are integrated into internal processes to enhance service quality. Any necessary policy changes resulting from these improvements will be incorporated during the next revision. We prioritize the user experience and value the opinions of our customers. To gather valuable feedback, the Data Controller may send a customer questionnaire or a link to a customer questionnaire to the contact details provided by the customer. This allows us to continuously improve our services based on customer input and enhance the overall customer experience. The feedback provided in the customer questionnaire is voluntary and maintained in strict anonymity. The email address is solely utilized for distributing the questionnaire and is not associated with any personal data. The Data Controller handles the questionnaire responses separately and in an anonymous manner, ensuring the complete dissociation between the answers and the respondent's identity. |
|
Scope of beneficiaries |
Any natural person who completes the customer satisfaction questionnaire and who has given their consent to the processing of their data. |
|
Legal basis for processing |
By submitting the customer satisfaction questionnaire, you voluntarily grant consent to the Data Controller for processing your answers and transferring them to the designated Data Processors, aligning with the intended purpose of the processing. If you desire to revoke your consent for the utilization of your email address for forthcoming customer satisfaction surveys, you can communicate your withdrawal request using any of the specified notification methods outlined in section V. |
|
Scope and purpose of the data processed |
Answers to some questions in the questionnaire |
customer satisfaction survey |
Duration of data processing and erasure of data |
Until the purpose is achieved. |
|
Who has access to personal data? |
|
|
|
|
|
How the data is stored |
electronic |
|
9.7. Cookies
Essential cookies for website functionality:
| Name | What it does | Expiry date | Other information |
| _ab | Used in connection with admin user account access. | | |
| _secure_session_id | It is used to navigate the website interface. | | |
| Cart | Used in connection with the Basket. | | |
| cart_sig | Used in connection with the payment interface. | | |
| cart_ts | Used in connection with the payment interface. | | |
| cart_ver | Used in connection with the Basket. | | |
| checkout | Used in connection with the payment interface. | | |
| checkout_token | Used in connection with the payment interface. | | |
| previous_checkout_token | Used in connection with the payment interface. | | |
| previous_step | Used in connection with the payment interface. | | |
| remember_me | Used in connection with the payment interface. | | |
| Secret | Used in connection with the payment interface. | | |
| Secure_customer_sig | Used by users in connection with logging in. | | |
| storefront_digest | Used by users in connection with logging in. | | |
| _shopify_m | Used to manage users' privacy settings. | | |
| _shopify_tm | Used to manage users' privacy settings. | | |
| _shopify_tw | Used to manage users' privacy settings. | | |
| _storefront_u | It is used to facilitate the updating of the customer's account information. | | |
| _tracking_consent | Tracking settings | | |
Analytical cookies:
| Name | What it does | Expiry date | Other information |
| _landing_page | Tracking the pages. | | does not collect personal data. |
| _original_referrer | Tracking the pages. | | does not collect personal data. |
| _s | Shopify Analytics. | | does not collect personal data. |
| _shopify_e | Shopify Analytics. | | does not collect personal data. |
| _shopify_fs | Shopify Analytics. | | does not collect personal data. |
| _shopify_s | Shopify Analytics. | | does not collect personal data. |
| _shopify_sa_p | Shopify analytics for marketing and recommendations. | | does not collect personal data. |
| _shopify_sa_t | Shopify analytics for marketing and recommendations. | | does not collect personal data. |
| _shopify_y | Shopify Analytics. | | does not collect personal data. |
| _y | Shopify Analytics. | | does not collect personal data. |
| tracked_start_checkout | Shopify analytics on payment. | | does not collect personal data. |
To ensure the proper functioning of our website, it may be necessary to place "cookies" on your computer, similar to what other popular websites and internet service providers do. These cookies help us enhance your browsing experience and provide essential features and functionality on our website.
Cookies are small text files that are stored on the computer or mobile device of a user when they visit a website. These cookies serve various purposes, such as remembering user actions and preferences for a certain period. For example, cookies can remember your username, language preference, font size, and other personalized settings related to how the website is displayed. By storing this information, cookies eliminate the need for you to enter these details repeatedly when you visit the website or navigate between its pages.
You have the option to manage and control cookies according to your preferences. Instructions on how to do this can be found on reputable websites such as aboutcookies.org. Keep in mind that disabling or deleting cookies may require adjusting browser settings and could affect the functionality of certain services and features on websites.
9.7.1. Function of cookies
To collect information about visitors and their devices;
To remember visitors' individual preferences, which are then reused (e.g. when requesting online transactions, so you don't have to re-enter them);
To make the website easier to use;
To provide a quality user experience.
To provide a personalized service, a small piece of data, a cookie, is placed on the user's computer or other device used for browsing and is read back during a subsequent visit. If the browser returns a previously saved cookie, the cookie provider can link the user's current visit to previous visits, but only in respect of its own content.
9.7.2. Strictly necessary cookies
These cookies are essential for visitors to browse the website and utilize its features and services effectively. They are temporary and expire at the end of the browsing session. Once the browser is closed, these cookies are automatically deleted from the device used for browsing.
9.7.3. Third-party cookies (analytics)
Websites utilize Google Analytics, a third-party cookie, for statistical analysis. This helps gather information about how visitors interact with the website, enabling improvements to be made for a better user experience. These cookies, which are stored on the visitor's computer or browsing device, will remain in the browser until they expire or are manually deleted by the visitor.
9.7.4. Targeting or advertising cookies (targeting cookies)
Websites utilize certain cookies to enhance relevance and interest for visitors. These cookies serve various purposes, such as tracking the frequency of advertisement displays and assessing the effectiveness of advertising campaigns. Typically, these cookies are placed on the website by advertising networks with the consent of the website operator. They remember the visitor's website visit and may share this information with other organizations, including advertisers. In most cases, targeting or advertising cookies are associated with the functionality provided by the organization operating the website.
9.8. Further information
The data you have chosen to make visible to other users (recipients) can be viewed by them, as indicated in the table. However, it is important to note that this does not involve transferring the data to them. Other users can only access and view your data without performing any additional processing activities on it. It is essential to understand that processing activities beyond viewing data would require your explicit consent. It is crucial to establish a separate legal relationship concerning any processing activities, which is independent of the Data Controller.
By providing the mandatory data and ticking the checkbox, you consent to your data being visible to other users in accordance with the so-called visibility settings and to the Data Controller processing them for the purposes indicated in the table above.
By voluntarily providing optional data, you give your consent for other users to view them based on the visibility settings you have chosen. Additionally, you also consent to the Data Controller processing these data for the specified purposes and duration mentioned in the table above. It is important to note that there is no need to tick the checkbox at this moment, as it is only required during the registration process. However, you have the flexibility to provide these optional data after registration.
This website does not ask for any specific personal data. If anyone requests such information on behalf of the Data Controller, please let us know.
The Data Controller does not transfer data within the EEA or to third countries (outside the EEA).
The Data Controller does not carry out profiling.
The Data Controller is responsible for ensuring that the data is up-to-date and accurate, so please report any changes to the data to the Data Controller without hesitation.
9.9. Conversion tracking, custom audience based on data type
Facebook offers various features and tools that can be integrated into the Controller's website. These features and tools enable the transmission of data regarding the actions performed by Customers on the website (referred to as "Event Data") to Facebook. Additionally, they allow for Conversion Tracking, which helps track the effectiveness of advertising campaigns by monitoring specific actions taken by Customers. Another feature is the creation of Custom Audiences, which involves identifying a unique group of individuals who have visited the website.
Facebook utilizes the session data it receives to provide the Data Controller with analytics regarding the effectiveness of its advertisements and the usage of its Web Store. Facebook also employs this data to build its audience, as outlined in its Privacy Policy (accessible at https://www.facebook.com/about/privacy/). By utilizing event data, the Data Controller can enhance ad targeting and optimize their systems. It is important to note that Facebook will (i) optimize ads using event data collected from the Controller's website only after aggregating it with data obtained from other advertisers or gathered on Facebook, and (ii) refrain from permitting other advertisers or third parties to target their ads exclusively based on event data collected from the Controller's website.
We will not share event information with other advertisers or third parties unless you have permitted us or we are legally obliged to do so. Facebook maintains the confidentiality and security of Session Data, including through technical and physical security measures designed to (a) protect the security and integrity of the data when it is on Facebook's systems, and (b) protect against accidental or unauthorized access, use, alteration or disclosure of data on Facebook's systems.
To comply with the requirements related to conversion tracking or the use of custom audiences, it is important to include a clear and prominent link on any page that contains Facebook pixels for these features. This link should direct users to a privacy policy that provides the following information: a) Third parties may collect or receive data from the website and other internet sites through the use of cookies, web beacons, and similar technologies. They may utilize this data to offer measurement services or target advertising. b) Users have the option to opt out of the collection and use of their data for targeted advertising purposes. The privacy policy should explain how users can exercise this choice. c) The mechanism through which users can implement their choice should be accessible. For example, providing a link to www.aboutads.info/choices, where users can find the necessary resources to exercise their opt-out preference. By including this information and link to the privacy policy, the Data Controller ensures transparency and empowers users to make informed decisions about the collection and use of their data for targeted advertising.
The Data Controller acknowledges and respects that Facebook has the right to include notices in or around the Data Controller's advertisements to indicate that the ads are targeted. The Data Controller agrees not to modify, obscure, or interfere with the operation of such notices, including any technical components that enable users to access additional information or mechanisms to exercise their choices. This ensures that users are adequately informed about the targeted nature of the advertisements and have access to relevant information and options provided by Facebook. By adhering to these guidelines, the Data Controller maintains transparency and upholds the integrity of the notices and choices offered by Facebook.
Facebook may modify, suspend or terminate access to, or availability of, the conversion tracking and custom audiences features at any time. The Data Controller may stop using the features at any time. The Controller may delete your custom audiences from Facebook at any time using the account management tools.
If the Data Controller uses any of these features on behalf of a third party, it further represents and warrants that it is authorized to use such data on its behalf as an agent for such party and may require such party to comply with these Terms of Use.
10. Data security
The Data Controller must ensure the security of the data. To this end, it must take the technical and organizational measures and establish the procedural rules necessary to enforce the applicable laws, data protection, and confidentiality rules.
The Data Controller must take appropriate measures to protect the data against unauthorized access, alteration, disclosure, deletion, accidental deletion or damage, and against inaccessibility resulting from changes in the technology used.
The Data Controller must also ensure the enforcement of data security rules through internal regulations, instructions, and procedural rules, which are separate in content and form from the Data Protection and Data Security Policy and this Information Notice.
When establishing and implementing data security measures, the Data Controller must consider the latest advancements and best practices in the field of data security. They should evaluate and select the most appropriate processing solutions that provide a higher level of protection for personal data. However, the Data Controller is not obligated to adopt measures that would involve a disproportionate effort. This means that while striving for an optimal level of data protection, the Data Controller should consider practicality, feasibility, and proportionality in implementing security measures. By doing so, the Data Controller can ensure the adequate protection of personal data while considering the resources and efforts required for implementation.
The Data Controller must ensure, in particular, in the context of its IT security responsibilities:
Measures to protect against unauthorized access, including protection of software and hardware devices and physical protection (access protection, network protection);
Measures to ensure that data files can be recovered, including regular backups and separate secure management of copies (mirroring, backups);
Protecting data files against viruses (virus protection);
The physical protection of data files and the media on which they are stored, including protection against fire, water, lightning, and other natural hazards, and the recoverability of damage caused by such events (archiving, fire protection).
The Data Controller must ensure the backup of the IT data and the technical environment of the Website, which it must operate with the necessary parameters based on the retention period of each data, thus guaranteeing the availability of the data within the retention period and permanently destroying them at the end of the retention period.
The Data Controller employs advanced monitoring techniques to ensure the integrity and functionality of its IT system and data storage. It maintains the necessary capacities and utilizes logging functions to detect and respond to incidents effectively.
We utilize a redundant and high-bandwidth network environment to ensure the uninterrupted availability of the Website. This enables us to distribute the load efficiently across our resources and maintain a secure and reliable service.
The disaster resilience of our systems is ensured by design and business continuity, so continuous service to our users is ensured at a high level by organizational and technical means.
We give top priority to the controlled installation of security patches and vendor updates to ensure the integrity of our IT systems, preventing, avoiding, and managing attempts to gain access or damage by exploiting vulnerabilities.
Our IT environment is regularly security tested, any errors or weaknesses found are corrected, and strengthening the security of the IT system is an ongoing task.
We have set high security expectations for our staff, including confidentiality, which we ensure through regular training, and we strive to have planned and controlled processes in place for our internal operations.
Any personal data incidents detected or reported to us in the course of our operations will be investigated in a transparent, responsible, and rigorous manner within 72 hours, i.e. seventy-two hours. Incidents that occur will be handled and recorded.
When developing our services and IT solutions, we ensure that the principle of privacy by design is met, and we prioritize data protection right from the design phase.
11. Data transmission
The Data Controller is entitled to transmit the personal data collected, recorded, and systematized by it to third parties.
The transfer must always respect data management principles (e.g., data limitation principle, purpose limitation principle). The transfer must also take into account the need to ensure an adequate level of protection of the personal data of the Data Subjects by the recipients.
The Data Controller is obligated to engage data processors that offer sufficient safeguards to meet the requirements of the General Data Protection Regulation (GDPR). These processors must implement suitable technical and organizational measures to ensure the protection of Data Subjects' data. The processor is authorized to transfer personal data only upon instruction from the Controller. However, if the transfer is required by the law of a Member State or Union law applicable to the processor, it may take place without the Controller's instruction but with prior notification.
12. Modification of the Privacy Policy
The Company retains the right to modify this Policy at any time through unilateral decision.
If the Data Subject disagrees with the modification, they have the option to request the deletion of their data by contacting us using the provided contact details in section V.
Instituted: Budapest, 01 March 2022.