1. Introduction

This Data Protection and Privacy Notice (the ‘Notice’) aims to record the data protection and data processing principles related to the web shop available at budapestselectstore.com (the ‘Website’) operated by Startup Campus Inkubator Zártkörűen Működő Részvénytársaság (the ‘Company’), so the data subjects can receive appropriate information about the data managed and processed by the Company – and the Data Processors engaged by it – their source, the purpose, legal basis and duration of data processing, the name and address of the Data Processor that may be involved in data processing and its activities related to data processing, as well as, if the data subject’s personal data are transmitted, the legal basis for and recipient of such data transmission.

2. Applicable legislation

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
  • Act CXII of 2011 on informational self-determination and freedom of information;
  • Act V of 2013 on the Civil Code (the ‘Civil Code’);
  • Act C of 2000 on accounting (the ‘Accounting Act’);
  • Act XLVIII of 2008 on the basic conditions of, and certain restrictions on, commercial advertising activities;
  • Act CXIX of 1995 on the processing of name and home address data serving the purposes of research and direct marketing;
  • Act XLVII of 2008 on the prohibition of unfair commercial practices vis-à-vis consumers;
  • Act CVIII of 2001 on certain issues of electronic commerce services and information society services;
  • Act CL of 2017 on tax procedures (the ‘Tax Procedures Act’).
     
3. Definitions

The conceptual system of this Notice corresponds to the interpretative definitions set out in Article 4 GDPR, in particular:

  • ‘data processing’ means the performance of technical tasks associated with the processing operations of personal data, whether or not by automated means, irrespective of the means and method used for carrying out the operations and the location of such use, provided that the technical task is performed on the data;
     
  • ‘data processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
     
  • ‘data processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
     
  • ‘data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
     
  • ‘data transmission’ means the transmission of processed personal data to other Data Controllers for purposes other than data processing;

  • ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
     
  • ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to identified or identifiable natural persons;
     
  • ‘consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
     
  • ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law should not be regarded as recipients; the processing of those data by those public authorities should be in compliance with the applicable data protection rules according to the purposes of the processing;
     
  • ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
     
  • ‘special data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the unique identification of natural persons, health data and personal data concerning the sexual life or sexual orientation of natural persons;
     
  • ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
     
  • ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

If the definitions of the GDPR in force at any given time differ from the definitions in this Notice, the definitions given in the Regulation prevail.

4. Principles of data processing

4.1 Principles of legality, due process and transparency

Personal data must be processed lawfully and fairly and in a transparent manner in relation to the Data Subject. In the interest of lawful data processing, it must be based on the consent of the Data Subject or must have another basis established by law.

Personal data may be processed only if the purpose of data processing cannot reasonably be fulfilled by other means.

Any information and communication relating to the processing of personal data must be easily accessible and easy to understand, and clear and plain language must be used.

In order to achieve fair, transparent data processing, it is necessary that the Data Subject is informed about the fact and purposes of data processing.

If the Company collects personal data directly from the Data Subject, it is necessary to inform the Data Subject whether they are obliged to disclose the personal data and what consequences non-disclosure may have on them. The information must be provided to the Data Subject at the time of data collection.

If the data were collected from sources other than the Data Subject, the information must be made available to the Data Subject within a reasonable time. If the personal data can be lawfully disclosed to another recipient, the Data Subject must be informed about it at the time of the first disclosure.

The obligation to provide information does not apply if the Data Subject already has this information, if the recording or disclosure of personal data is expressly provided for by legislation, or if the provision of information to the Data Subject proves impossible or would require a disproportionately large effort.

It must be ensured that the Data Subject can access their personal data processed by the Company free of charge, request their rectification or erasure, and exercise their right to object. The Data Controller is obliged to respond to the request of the Data Subject without undue delay, but no later than within 25 (twenty-five) days; if the Data Controller does not comply with any request of the Data Subject, it must justify this.

4.2 Purpose limitation principle

Personal data may only be collected for a specific, clear and lawful purpose. It is prohibited to process personal data in a way that is incompatible with their purposes.

The processing of personal data for purposes other than the original purpose for which they were collected is permitted only if the processing is compatible with the original purposes for which the personal data were collected. In this respect, it is necessary to examine, in particular, but not limited to, the relationship between the original and intended purposes of data processing, the circumstances of data collection and the nature of the personal data.

4.3 Principle of data minimisation

The processing of personal data must be appropriate and relevant for the purposes and the processing of personal data must be limited to the necessary minimum.

In order to ensure the implementation of the principle, the Data Controller must implement appropriate technical and organisational measures, such as pseudonymisation, both in determining the way in which the data are processed and in the data processing process, with the aim of, firstly, implementing the data protection principles and, secondly, incorporating the guarantees necessary for the protection of the rights of the Data Subjects into the data processing process.

The Data Controller is obliged to implement technical and organisational measures that ensure that only personal data necessary for the specific purpose of data processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility.

4.4 Principle of accuracy

The personal data collected, stored and processed by the Data Controller must be accurate and, if necessary, up-to-date. The Data Controller must take all reasonable measures to forthwith erase or rectify personal data that are inaccurate for the purposes of data processing.

In order to ensure the implementation of the principle of accuracy, the Data Controller is obliged to verify the accuracy of the data (right to rectification and erasure) in the event of a request made to that effect by the Data Subject and, if necessary, to modify and erase the specified personal data.

4.5 Principle of storage limitation

In order to ensure the implementation of the purpose limitation principle, it must be ensured, in particular, that the period for which the personal data are stored is limited to a strict minimum. In order to ensure that the personal data are not kept longer than necessary, the Data Controller must set deadlines for erasure or for a periodic review.

Personal data must be stored in such a way that the identification of the Data Subject can only be possible for the time necessary to achieve the purposes for which the personal data are processed. Personal data may be stored for a longer period only if their processing is for archiving purposes in the public interest, for scientific and historical research, or for statistical purposes.

4.6 Principle of integrity and confidentiality

Personal data must be processed in a manner that ensures their appropriate security and confidentiality, including for preventing unauthorised access to or use of personal data and the equipment used for their processing.

In order to ensure the implementation of the principle, the Data Controller must use technical or organisational measures during the processing of personal data to ensure that the security of the personal data is satisfactory throughout. In this respect, it is necessary to also provide protection against the unauthorised or unlawful processing, accidental loss or destruction of or damage to the data.

4.7 Accountability of the Data Controller

The Data Controller is obliged to comply with the principles detailed above and to be able to prove compliance during the processing of personal data.
 

5. Rights of the Data Subject
     

The Data Subject may exercise their rights in the following ways:

  • by e-mail: ugyfelszolgalat@budapestselectstore.com
     
  • by post: 1052 Budapest, Váci utca 9. II. emelet 2., Hungary
     

5.1 Right of access

At the request of the Data Subject, the Data Controller provides information on whether their personal data are being processed; if so, it should grant access to the Data Subject.

5.2 Right to rectification

At the request of the Data Subject, the Data Controller corrects any inaccurate personal data relating to the Data Subject or supplements any incomplete data without undue delay.

5.3 Right to erasure

At the request of the Data Subject, the Data Controller erases the relevant personal data without undue delay if one of the following reasons exists:

  • if the purpose of data processing has ceased to exist or if its statutory deadline has expired;
     
  • if the Data Subject revokes their consent and there is no other legal basis for data processing;
     
  • if the Data Subject objects to data processing and there is no priority legitimate reason for it;
     
  • if the data processing is unlawful;
     
  • if the personal data are incomplete or incorrect, and this condition cannot be remedied lawfully;
     
  • if the data need to be erased pursuant to the provisions of legislation;
     
  • if ordered by an authority or the court.

In the event that the Data Controller has disclosed the personal data which it has to erase on the basis of the above, it is obliged to take all measures to inform the other Data Controllers of the obligation of erasure, as far as possible (taking into account the state of the art and implementation costs).

The personal data need not be erased even in the case of the above reasons for erasure if data processing is necessary for one of the following reasons:

  • for exercising the right to freedom of expression and information;
     
  • for compliance with a legal obligation which the Data Controller is subject to or performing a task in the public interest assigned to the Data Controller;
     
  • no health data specified in legislation may be erased for the purpose of a public interest in public health;
     
  • for archiving in the public interest, for scientific and historical research purposes, or for statistical purposes, where erasure would be likely to render impossible or seriously jeopardise data processing;
     
  • required for the submission and enforcement of legal claims or for indictment.

5.4 Right of restriction of processing

At the request of the Data Subject, the Data Controller restricts the processing of their personal data if one of the following conditions is fulfilled:

  • the Data Subject disputes the accuracy of their personal data (in this case, the restriction applies to the period that allows the Data Controller to verify the accuracy of the personal data);
     
  • the Data Controller no longer needs the personal data of the Data Subject, nonetheless, it requires them for submitting, enforcing or protecting legal claims;
     
  • the Data Subject has objected to data processing; in this case, the restriction applies to the period that allows the Data Controller to examine whether the legitimate interests of the Data Controller take precedence over the legitimate reasons of the Data Subject.

During the restriction of data processing, it must be ensured that no data processing operation can be carried out on personal data. During the restriction of data processing, personal data may only be processed by the Data Controller, except for storage, with the consent of the Data Subject or for submitting, enforcing or protecting the legal claims of the Data Controller or for protecting the rights of other natural or legal persons or out of important public interest of the EU or a Member State.

In the event of a restriction of data processing, the Data Controller informs the Data Subject in advance of its lifting.

5.5 Right to object

The Data Subject is entitled to object at any time to the processing of their personal data by the Data Controller if its legal basis is the exercise of rights in the public interest or the prerogatives of a public authority conferred on it or the enforcement of the legitimate interests of the Data Controller or a third party. The Data Subject may also exercise the right to object by automated means based on technical specifications by unsubscribing from the newsletter.

5.6 Right to data portability

The Data Subject is entitled to receive the personal data related to them and provided by them to a Data Controller in a structured, commonly used and machine-readable format and to transmit such data to another Data Controller without being hindered by the Data Controller to which they have provided the personal data.

5.7 Right of revocation

The Data Subject is entitled to revoke their consent to the processing of their personal data by the Data Controller at any time. The revocation of consent does not affect the lawfulness of data processing based on consent before such revocation. After the revocation of consent, the Data Controller is obliged to delete the personal data processed on the basis of such consent.

5.8 Right of remedy of the Data Subject

In the event of a complaint about data processing, if you have any requests or questions about data processing, you can send your inquiry by post to the registered office of the Data Controller or electronically to the e-mail address indicated at the contact details of the Data Controller. We will send our answers without delay, but within no more than 30 (thirty) days to the address you requested.

The Data Subject is entitled to lodge a complaint with the National Authority for Data Protection and Freedom of Information without prejudice to other administrative or judicial remedies if they consider that the Data Controller has violated the provisions of law during the processing of their personal data (for example, unlawful processing, disagreement with a decision on data processing or information provided by the Data Controller, late provision of data or omission by the Data Controller).

National Authority for Data Protection and Freedom of Information
Mailing address: 1363 Budapest, Pf. 9., Hungary
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://naih.hu/

 

A judicial remedy is available against the decision of the supervisory authority.

The Data Subject is entitled to initiate proceedings with the court to remedy the infringement sustained if the Data Controller does not process their personal data in accordance with legislation. The Data Controller is obliged to compensate the Data Subject for pecuniary and non-pecuniary damages caused by unlawful data processing. The adjudication of data protection lawsuits falls within the competence of the regional court. The Data Subject may also file a lawsuit, at their option, before the regional court with jurisdiction at their domicile or residence.

The list of regional courts (name and contact details) and the jurisdiction search service are available on the www.birosag.hu website.

If their rights related to content that insults minors, incites hatred or is exclusionary, corrections, the rights of a deceased person or the violation of good reputation are infringed, the Data Subject may initiate proceedings with the National Media and Infocommunications Authority.

National Media and Infocommunications Authority
Mailing address: 1525 Pf. 75., Hungary
Address: 1015 Budapest, Ostrom utca 23-25., Hungary
Telephone: +36-1-457-7100
Fax: +36-1-356-5520
E-mail: info@nmhh.hu
Website: http://nmhh.hu

 

 

In the event that the Data Controller infringes the personality rights of the Data Subject by unlawfully processing their data or violating the data security requirements, the Data Subject may demand an injury fee from the Data Controller.

6. Data Controller and its contact details

The Data Controller is obliged to implement appropriate technical and organisational measures to ensure and demonstrate that personal data are processed in accordance with data protection legislation, taking into account the nature, scope, circumstances and purposes of data processing and the risk to the rights and freedoms of natural persons, with a varying probability and severity. At all stages of data processing, it is required to comply with the purpose of data processing and the relevant legal rules.

The technical and organisational measures applied for lawful data processing are reviewed and, if necessary, updated by the Data Controller.

In connection with the data provided, the Data Controller is as follows:

Name: Startup Campus Inkubator Zrt.
Registered office: 4025 Debrecen, Simonffy utca 4-6., 1st Floor Nos 123, 125 and 126, Hungary
Company register No: 09 10 000547
Tax No: 25452985-2-09
Represented by: Zsolt Kovács, Member of the Board of Directors
e-mail address: ugyfelszolgalat@budapestselectstore.com

 

7. Data processor and its contact details

If data processing is carried out by someone else on behalf of the Data Controller, the Data Controller may only use Data Processors who or which provide appropriate guarantees for the implementation of appropriate technical and organisational measures to ensure compliance by data processing with legislation and the protection of the rights of the Data Subjects.

If a Data Processor is used, the ultimate responsibility remains with the Data Controller, who must supervise the Data Processors in order to ensure that their decisions comply with data protection legislation.

In connection with the data provided, the Data Processors are as follows:

7.1 Data processors

| Service | Name | Registered office | E-mail | Responsibilities |
|---|---|---|---|---|
| E-mail provider | Microsoft Outlook | USA, Washington State, Seattle – Redmond One Microsoft Way | www.support.microsoft.com/hu-hu/contactus | We will notify the registrants and will keep in touch with them through it. |
| Storage | Shopify International Ltd. | 2nd Floor 1-2 Victoria Buildings Haddington Road Dublin 4, D04 XN32 Ireland | support@shopify.com | Website Domains are stored here. |
| Newsletter | MailChimp The Rocket Science Group, LLC | 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA | https://mailchimp.com/contact/ | Registrants will receive newsletters through it. |
| IT service provider | Gergely Rácz, sole proprietor | 1123 Budapest, Ráth György utca 6. | gergely.racz@highlight.hu | They manage our NAS system and perform system administrator tasks. |
| Courier service | GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. | 2351 Alsónémedi, GLS Európa u. 2. | info@gls-hungary.com | They deliver the products ordered. |
| Accounting company | A.H. Audit Könyvvizsgáló és Adótanácsadó Kft. | Office: 6200 Kiskőrös, Petőfi tér 10-11. | albert@ahaudit.hu | It performs accounting services for the Company. |
| Online payment system | OTP Mobil Kft. | 1143 Budapest, Hungária körút 17-19. | ugyfelszolgalat@simple.hu | The total amount of the order is paid through it. |
| Invoicing program | KBOSS.hu Kft. | 1031 Budapest, Záhony utca 7. | info@szamlazz.hu | Electronic invoices are issued through it. |
| Provision of a web shop and contribution to sending out newsletters | Magyar Divat & Design Ügynökség Nonprofit Zrt. | 1027 Budapest, Kacsa utca 15-23. | info@hfda.hu | It is the owner of the Web Shop and participates in sending out newsletters. |
| Conversion tracking, creating a target audience | Facebook Ireland Ltd. | 4 Grand Canal Square Grand Canal Harbour Dublin 2 Ireland | daterequest@support.facebook.com | Facebook is used to track conversions and to create target audiences. |

 

 

8. Data protection officer and their contact details

Pursuant to Article 37 GDPR, the Data Controller is not obliged to appoint a data protection officer.

9. Process of data processing

The data may be processed by the staff of the Data Controller only to the extent essential for performing their tasks if the Data Controller employs staff. If it does not employ any staff, the data will be processed by the representative of the Data Controller.

Please note that the Data Controller does not perform any data processing activity in connection with the functions invoked by the shortcuts of external service providers (Facebook, Twitter, LinkedIn and Instagram) appearing on the website. In these cases, the data controller is the third party company providing the service.

9.1 Data processed during the use of the Website

| Data processed | Is it mandatory to provide? | Purpose of data processing (what are the data needed for)? | Legal basis for data processing | Who can see the data? | Duration of data processing | How can the data be deleted? |
|---|---|---|---|---|---|---|
| Name | mandatory | registration, identification | in the case of registration and newsletter, consent of the Data Subject, Article 6(1)(a) GDPR, and statutory requirement, Article 6(1)(a) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | until registration is cancelled or until unsubscribing from the newsletter | in the case of a newsletter, by revoking consent by using the unsubscribe link in the newsletter |
| E-mail address | mandatory | registration, liaison | performance of the contract, Article 6(1)(b) GDPR; in the case of a newsletter, consent of the Data Subject, Article 6(1)(a) GDPR, and statutory requirement, Article 6(1)(a) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | until registration is cancelled or until unsubscribing from the newsletter | by e-mail or, in the case of a newsletter, by revoking consent by using the unsubscribe link in the newsletter |
| Username | mandatory | identification | consent of the Data Subject, Article 6(1)(a) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | until registration is cancelled | by e-mail |
| Password | mandatory | identification | consent of the Data Subject, Article 6(1)(a) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | until the password is changed, but until the registration is cancelled, at the latest | by e-mail |
| Data related to the secure technical operation of the website | automatic, mandatory | During the operation of the website, we treat the IP address of the computer or mobile device of the Data Subject, approximate geographical location, operating system type and version number, browser type and version number, and activities on the website as technical data. | legitimate interest of the Data Controller, Article 6(1)(f) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | 1 year | automatically deleted at the end of the data processing period |
| Conversion tracking, data related to creating a target audience | optional | On the facebook.com site, sharing or liking certain content elements, products or promotions of the Web Shop or the website itself | consent of the Data Subject, Article 6(1)(a) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors |  | the regulations of the facebook.com social media site apply to the duration and manner of data processing and the possibilities of deleting and modifying data: http://www.facebook.com/legal/terms?ref=pf http://www.facebook.com/about/privacy/ |

 

9.2 Data processed in connection with the order

| Data processed | Is it mandatory to provide? | Purpose of data processing (what are the data needed for)? | Legal basis for data processing | Who can see the data? | Duration of data processing | How can the data be deleted? |
|---|---|---|---|---|---|---|
| Name / Company name | mandatory | identification, issuing an invoice | if an order is placed, performance of the contract, Article 6(1)(b) GDPR and statutory requirement, Article 6(1)(a) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | required pursuant to the Accounting Act and the Tax Procedures Act, 8 years | By destruction by the Data Controller |
| Address / Registered office | mandatory | identification, issuing an invoice | if an order is placed, performance of the contract, Article 6(1)(b) GDPR and statutory requirement, Article 6(1) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | required pursuant to the Accounting Act and the Tax Procedures Act, 8 years | By destruction by the Data Controller |
| Tax No | mandatory for companies | identification, issuing an invoice | if an order is placed, performance of the contract, Article 6(1)(b) GDPR and statutory requirement, Article 6(1) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | required pursuant to the Accounting Act and the Tax Procedures Act, 8 years | By destruction by the Data Controller |
| Delivery address | mandatory | identification, performance of delivery | if an order is placed, performance of the contract, Article 6(1)(b) GDPR and statutory requirement, Article 6(1) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | required pursuant to the Accounting Act and the Tax Procedures Act, 8 years | By destruction by the Data Controller |
| Telephone number | mandatory | identification, performance of delivery | if an order is placed, performance of the contract, Article 6(1)(b) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | for invoice: required pursuant to the Accounting Act and the Tax Procedures Act, 8 years; in other cases: pursuant to the Civil Code, 5 years corresponding to the general period of limitation | By destruction by the Data Controller |
| Data relating to the order | mandatory | identification, performance of the contract | if an order is placed, performance of the contract, Article 6(1)(b) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | required pursuant to the Accounting Act and the Tax Procedures Act, 8 years | By destruction by the Data Controller |
| Other information provided when the order is placed | optional | identification, performance of the contract | consent of the Data Subject, Article 6(1)(a) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | pursuant to the Civil Code, 5 years corresponding to the general period of limitation | By destruction by the Data Controller |
| Data provided on the anonymous Customer Satisfaction Questionnaire (answers to certain questions of the questionnaire) | optional | You can help our work and the provision of a higher level of professional service to you by filling out the questionnaire to give us feedback on the quality of our work and your satisfaction with it. | consent of the Data Subject, Article 6(1)(a) GDPR | authorised staff of the Data Controller and authorised staff of Data Processors | pursuant to the Civil Code, 5 years corresponding to the general period of limitation | By destruction by the Data Controller |

 

9.3 Newsletter and direct marketing activities, social media sites

Subscribing to the newsletter is based on voluntary consent.

Name, description and purpose of data processing: Sending out newsletters

When subscribing to the newsletter, we are not in a position to verify the authenticity of the contact details and to establish that the details provided relate to an individual or business. We treat companies that contact us as customer partners.

The purpose of data processing is to send professional brochures, electronic messages containing advertisements, information and newsletters, from which you can unsubscribe at any time without consequences. You can also unsubscribe without any consequences if your business has in the meantime ceased to exist, you have left the business, or someone has provided us with your contact details.

We may send you a newsletter if you consent in advance and expressly (during registration and by filling in the name, e-mail address and consent checkbox when subscribing to the newsletter) to us providing you with our advertising offers, information and other items at the e-mail address provided during registration. As a result, you may consent to us processing your personal data necessary for this purpose. In accordance with the above, if you wish to receive a newsletter, you must provide the necessary details. If you do not provide the details, we will not be able to send you the newsletter.

Scope of Data Subjects: Those subscribing to the newsletter
Legal basis for data processing: Your consent.
Scope and purpose of the processed data:
  • Last name: identification, contact and sending newsletters
  • First name: identification, contact and sending newsletters
  • E-mail address: identification, contact and sending newsletters
Duration of data processing and erasure of data: The data are processed until consent is revoked. The data will be deleted when the consent to the data processing is revoked. You may revoke your consent to data processing at any time by using the unsubscribe link in the newsletters sent to you.
Who can have access to the personal data?
  • authorised staff of the Data Controller
  • authorised staff of the Data Processor
Method of data storage: electronic

 

9.4 Complaints management

Lodging a complaint is based on voluntary consent, but pursuant to the data processing legislation (Act CLV of 1997) it is mandatory in respect of the processed data.

Name, description and purpose of data processing

Complaints management

You may report your complaint about the service or product or the conduct, acts or omissions of the Data Controller in writing (by post or e-mail). The purpose of data processing is to identify the Data Subject and the complaint, to record the data that must be recorded by law, to enable the communication of the complaint and to maintain contact.

Scope of Data Subjects: Every natural person who wishes to report a complaint about the service or the conduct, acts or omissions of the Data Controller in writing.
Legal basis for data processing: The complaint handling process starts on the basis of voluntary consent, but in the case of a complaint it is mandatory pursuant to the legislation on data processing (Act CLV of 1997).
Scope and purpose of the processed data:
  • Complaint ID: identification
  • Place, time and manner of receipt of the complaint: identification
  • E-mail address: identification, liaison
  • Personal data provided by e-mail: identification
  • Last name: identification
  • First name: identification
  • Mailing address: liaison
  • Subject-matter of complaint: complaints management
  • Content of complaint: investigation of complaint
  • Attached documents: investigation of complaint
  • Reason for complaint: investigation of complaint
Duration of data processing and erasure of data: The Data Controller retains the record of the complaint and a copy of the response for 5 years from their date pursuant to Section 17/A(7) of the applicable Act CLV of 1997 in force.
Who can have access to the personal data?
  • authorised staff of the Data Controller
  • authorised staff of the Data Processor
Method of data storage: electronic, paper-based

 

9.5 Request for information

The request for information is based on voluntary consent.

Name, description and purpose of data processing

Request for information

You can ask questions about the service or the conduct and activities of the Data Controller in writing (by post or e-mail). The purpose of data processing is to provide the Data Subject with appropriate information and to maintain contact.

Scope of Data Subjects: Any natural person who contacts the Data Controller and requests information from the Data Controller in addition to providing their personal data.
Legal basis for data processing: In accordance with the purpose of data processing, you voluntarily consent to the Data Controller contacting you through such data in order to clarify or answer the question if you have provided your contact details when the information was requested.
Scope and purpose of the processed data:
  • Question ID: identification
  • Place, time and manner of receipt of the question: identification
  • E-mail address: identification, liaison
  • Personal information provided by e-mail: identification
  • Last name: identification
  • First name: identification
  • Mailing address: liaison
  • Subject-matter of question: complaints management
  • Content of question: investigation of complaint
Duration of data processing and erasure of data: Until the goal is achieved.
Who can have access to the personal data?
  • authorised staff of the Data Controller
  • authorised staff of the Data Processor
Method of data storage: electronic, paper-based

 

9.6 Customer satisfaction survey

Name, description and purpose of data processing

Customer satisfaction survey

The Data Controller is committed to providing its services to a high standard. In order to guarantee the supply of Customers and to ensure the quality of the services provided to them, the Data Controller regularly examines the efficiency of its activities and the standard of the services. The Data Controller evaluates the feedback received and integrates into its internal processes those comments whose implementation contributes to the provision of services to a higher standard and which can be implemented within the framework of the systems it uses. If the changes also require an amendment to the regulations, it will include them in the next amendment.

The user experience gained during the purchase and the opinion of our Customers are extremely important to us. To this end, after the purchase, the Data Controller will send the Customers a customer questionnaire or a link to it to the e-mail address provided during the purchase.

Expression of an opinion based on the customer questionnaire is voluntary and completely anonymous. We only use the email address to send the customer questionnaire. The Data Controller handles the answers given on the customer questionnaire completely separately and anonymously from the respondent’s personal data. The relationship between the responses and the respondent cannot be reconstructed.

Scope of Data Subjects: Any natural person who completes the customer satisfaction questionnaire and consents to the data management.
Legal basis for data processing

By completing and submitting the customer satisfaction questionnaire, you voluntarily consent to the Data Controller handling your responses given during the customer satisfaction survey and transmitting them to the Data Processors in accordance with the purpose of data processing.

If you wish to revoke your consent to the use of your e-mail address for future customer satisfaction survey questionnaires, you may indicate your intention to revoke it by one of the notification methods set out in Section V.

Scope and purpose of the processed data:
  • Answers to the individual questions of the questionnaire: customer satisfaction survey
Duration of data processing and erasure of data: Until the goal is achieved.
Who can have access to the personal data?
  • authorised staff of the Data Controller
  • authorised staff of the Data Processor
Method of data storage: electronic

 

9.7 Cookies

Cookies necessary for the operation of the Website:

| Name | Purpose | Expiration date | Other information |
|---|---|---|---|
| _ab | Used in connection with admin user account access. | | |
| _secure_session_id | Used to navigate the website interface. | | |
| Cart | Used in connection with the Cart. | | |
| cart_sig | Used in connection with the payment interface. | | |
| cart_ts | Used in connection with the payment interface. | | |
| cart_ver | Used in connection with the Cart. | | |
| checkout | Used in connection with the payment interface. | | |
| checkout_token | Used in connection with the payment interface. | | |
| previous_checkout_token | Used in connection with the payment interface. | | |
| previous_step | Used in connection with the payment interface. | | |
| remember_me | Used in connection with the payment interface. | | |
| Secret | Used in connection with the payment interface. | | |
| Secure_customer_sig | Used in connection with user login. | | |
| storefront_digest | Used in connection with user login. | | |
| _shopify_m | Used to manage the users’ privacy settings. | | |
| _shopify_tm | Used to manage the users’ privacy settings. | | |
| _shopify_tw | Used to manage the users’ privacy settings. | | |
| _storefront_u | Used to facilitate the updating of customer account information. | | |
| _tracking_consent | Tracking settings | | |

 

Analytical cookies:

| Name | Purpose | Expiration date | Other information |
|---|---|---|---|
| _landing_page | Tracking of pages. | | Does not collect personal data. |
| _orig_referrer | Tracking of pages. | | Does not collect personal data. |
| _s | Shopify analytics | | Does not collect personal data. |
| _shopify_d | Shopify analytics | | Does not collect personal data. |
| _shopify_fs | Shopify analytics | | Does not collect personal data. |
| _shopify_s | Shopify analytics | | Does not collect personal data. |
| _shopify_sa_p | Shopify analytics related to marketing and recommendations. | | Does not collect personal data. |
| _shopify_sa_t | Shopify analytics related to marketing and recommendations. | | Does not collect personal data. |
| _shopify_y | Shopify analytics | | Does not collect personal data. |
| _y | Shopify analytics | | Does not collect personal data. |
| tracked_start_checkout | Shopify analytics related to payment. | | Does not collect personal data. |

For a website to work properly, it is sometimes necessary to place cookies on your computer, as other large websites and internet service providers do.

Cookies are small text files, which a website stores on the computer or mobile device of a user visiting its pages. Cookies allow the website to remember actions and personal settings for a certain time, such as username, language, font size and other custom settings related to the display of the website, so that you do not have to re-enter them each time you visit the website or when navigating from one page to another.

It is possible to maintain and/or delete cookies as desired. Please visit aboutcookies.org for more information. You may delete all cookies stored on your computer and may also disable their installation in most browsers. In this case, however, you may need to make some settings manually each time you visit the site and you should also be aware that certain features and functions may not work.

9.7.1 The function of cookies

  • collect information about visitors and their devices;
     
  • record the individual settings of visitors, which are (may be) used, (e.g. at the time of making online transactions, eliminating the need to enter them again);
     
  • facilitate the use of the website;
     
  • provide quality user experience.

In order to provide customised service, a small data packet, a ‘cookie’, is placed on the user’s computer or other device used for browsing and it is read back at a later visit. If the browser returns a previously saved cookie, the service provider processing the cookie has the option to link the user’s current visit to previous ones, but only with respect to its own content.

9.7.2 Essential, session cookies

The purpose of these cookies is to enable visitors to fully and seamlessly browse the Website and to use its features and the services available there. Cookies of this type remain valid until the end of the session (browsing) and are automatically deleted from the computer or other device used for browsing when the browser is closed.

9.7.3 Third party cookies (analytics)

The Website also uses the cookies of Google Analytics as a third party. Using Google Analytics for statistical purposes, the Website collects information about how visitors use websites. It uses the data to improve the website and user experience. These cookies also remain on the visitor’s computer or other browsing device, in its browser, until they expire or until the visitor deletes them.

9.7.4 Targeting or advertising cookies

The Website uses these cookies, the purpose of which is to display advertisements that are even more interesting and relevant to the visitor. These cookies can be used, for example, to determine the number of times an advertisement is displayed and to assess the efficiency of advertising campaigns. These cookies are usually placed by advertising networks on a specific website, with the permission of the website operator. These cookies record visits to a particular website and share this information with other organisations, such as the advertiser. Typically, targeting or advertising cookies are related to the features provided by the organisation operating the website.

9.8 Additional information

Some of your data, as shown in the table, are also visible to our other users (recipients) to whom you have made them visible. However, this does not constitute either data transmission or data transfer. Other users can only view your data and may not perform any data processing activity on them other than viewing. Likewise, you may not process third-party data beyond viewing them unless the third party has specifically consented to it; that, however, is a legal relationship of yours that is independent of the Data Controller.

By entering the mandatory data and ticking the checkbox, you consent to it being visible to other users according to ‘visibility settings’ and to the Data Controller processing them for the purpose indicated in the above table.

By entering the data to be provided voluntarily, optionally, you consent to it being visible to other users according to the ‘visibility settings’ and to the Data Controller processing them for the purpose and time indicated in the above table. It is not necessary to tick the checkbox here, it only needs to be done at the time of registration, while these data can be provided after registration.

The site does not ask for any special personal data. If someone requested this on behalf of the Data Controller, please let us know.

The Data Controller does not transmit data to either EEA or third countries (non-EEA countries).

The Data Controller does not perform profiling.

The Data Controller is responsible for ensuring that the data are up to date and accurate, so we ask you to notify the Company forthwith of any changes in the data.

9.9 Conversion tracking and data file-type custom target audience

Facebook provides features and tools that, after being placed on the website of the Data Controller, may send data to Facebook on operations carried out by Customers on its website (the ‘event data’) to track conversions (the ‘conversion tracking’) and to create an individual target audience of people who visit the Web Store (the ‘individual target audience’).

Facebook will use the event data received to provide the Data Controller with analytical data on the performance of its advertisements and the use of the Web Shop, and to create its target audience in accordance with its Privacy Policy (https://www.facebook.com/about/privacy/). In addition, event data allow the Data Controller to better target advertisements and to optimise their systems. In connection with such targeting and optimisation, Facebook will: (i) use the event data collected from the website of the Data Controller to optimise advertisements only after such event data have been aggregated with other data collected from other advertisers or on Facebook, and (ii) not allow other advertisers or third parties to target their advertisements solely on the basis of event data collected from the website of the Data Controller.

We do not share event data with other advertisers or third parties unless you have given us permission to do so or we are legally obliged to do so. Facebook maintains the confidentiality and security of event data, among other things, through technical and physical security measures designed to (a) protect the security and integrity of the data when they are on Facebook’s systems and (b) protect data on Facebook’s systems against accidental or unauthorised access, use, modification or disclosure.

When using conversion tracking or individual target audiences, there must be a clear and prominent link to such features on each Facebook-generated pixel page, which points to a privacy policy that clearly states (a) that a third party may collect or receive data from the site and other internet sites using cookies, web beacons and similar technologies and may provide metering services or make advertisements targeted using such data; (b) how users can opt out of the collection and use of data to target advertisements; and (c) where users can access the mechanism that implements their above decision (e.g. by placing a link to www.aboutads.info/choices).

The Data Controller acknowledges that Facebook may place a notice in or around the advertisements of the Data Controller, stating that the advertisement is of a targeted nature, and the Data Controller agrees not to modify or obscure such advertisements or otherwise interfere with their operation, including any technical components that allow users to access additional information or choice mechanisms.

Facebook may at any time modify, suspend or terminate conversion tracking or access to the individual target audience feature or may terminate its availability. The Data Controller may stop using the features at any time. The Data Controller may delete its individual target audience from Facebook’s system at any time using the account management tools.

If the Data Controller uses any of these functions on behalf of a third party, it further represents and warrants that, as an agent of such party, it is authorised to use such data on its behalf and may oblige such party to comply with such terms of use.

  1. Data security

The Data Controller provides for data security. To this end, it takes the technical and organisational measures and establishes the rules of procedure that are required for the enforcement of the governing legislation and rules of data protection and confidentiality.

The Data Controller protects, through appropriate measures, the data against unauthorised access, alteration, transmission, disclosure, erasure or destruction, and accidental destruction and damage as well as becoming inaccessible as a result of a change in the technology applied.

The Data Controller (also) ensures the enforcement of the data security rules by means of internal regulations, instructions and rules of procedure separate from the Data Protection and Data Security Regulations and this Notice in content and form.

When specifying and applying measures aimed at data security, the Data Controller takes into consideration the current development level of technology and chooses a data processing solution from several alternatives which provides a higher level of protection of personal data unless it would represent disproportionate difficulties.

Within the scope of its tasks related to IT protection, the Data Controller provides, in particular, for:

  • measures to protect against unauthorised access, including the protection of software tools and hardware devices and physical protection (access protection, network protection);
     
  • measures to ensure the possibility of restoring data files, including regular backups and the separate, secure processing of copies (mirroring, backup);
     
  • the protection of data files against viruses (virus protection);
     
  • the physical protection of data files and the devices carrying them, including protection against fire, water damage, lightning, other natural forces, and the recoverability of damage resulting from such events (archiving, fire protection).

The Data Controller ensures the proper backup of the IT data and the technical environment of the Website, which it operates with the necessary parameters based on the retention period of each data item, thus guaranteeing the availability of the data within the retention period, and will permanently destroy them upon the expiration of the retention period.

It monitors the integrity and functionality of the IT system and the data storage environment with advanced monitoring techniques and continuously provides the necessary capacities. It records events in its IT environment using complex logging functions, thus ensuring the subsequent detectability and legal proof of possible incidents.

We are constantly using a redundant network environment that provides high bandwidth to serve the Website, which securely distributes the loads that occur between our resources.

We guarantee the disaster resilience of our systems as planned and ensure the business continuity and thus the continuous service of our users at a high level with organisational and technical means.

With a high priority, we ensure the controlled installation of security patches and manufacturer upgrades that also ensure the integrity of our IT systems, thus preventing, avoiding and managing attempts to access or damage them by exploiting vulnerabilities.

We regularly inspect our IT environment with security testing, correct any errors or weaknesses found, and consider strengthening the security of the IT system to be an ongoing task.

We have formulated high security requirements for our employees, including confidentiality.

We also ensure that they are met through regular training, and in connection with our internal operations, we strive to operate planned and controlled processes.

Any incidents involving personal data, which are detected by or reported to us during our operations will be investigated in a transparent manner, in accordance with responsible and strict principles, within 72 hours.

Incidents that have occurred are handled and recorded. During the development of our services and IT solutions, we ensure the fulfilment of the principle of built-in data protection. We treat data protection as a priority requirement already in the planning phase.

  1. Data transmission

The Data Controller is entitled to transmit the personal data collected, recorded and organised by it to a third party.

The principles of data processing (for example, the principle of data minimisation, the purpose limitation principle) must be observed throughout the data transmission. During data transmission, it must also be borne in mind that the recipients should also ensure an appropriate level of protection for the personal data of the Data Subject.

The Data Controller may only use a Data Processor who or which provides appropriate guarantees for the requirements set out in the General Data Protection Regulation and implements appropriate technical and organisational measures, which ensure the protection of Data Subjects. The Data Processor is only entitled to transmit personal data if instructed to do so by the Data Controller. Where the obligation to transmit data is required by the law of a Member State under the law of the Data Processor or by the EU law applicable to it, the transmission may take place without the instructions of the Data Controller, but with its prior notification.

  1. Amendment of the Notice

The Company reserves the right to amend this Notice at any time by unilateral decision.

If the Data Subject does not agree with the amendment, they may request the erasure of their personal data at one of the contact details specified in Section V.

Dated: Budapest, November 2020
