DATA PROCESSING NOTICE

Effective date: {{HATALYBA_LEPES}}

Preamble

This Data Protection Notice (hereinafter referred to as the Notice) contains information related to data protection regarding the activities of the Data Controller.

The purpose of the Notice is to explain the rights and obligations of persons using our services or visiting our website regarding data transfer, data management, data protection, the scope of data we process, the principles and methods of data processing, its purpose, legal basis and duration.

Data controller's details

Name: {{COMPANY_NAME}}

Headquarters: {{CEG_CIM}}

Mailing address: {{CEG_CIM}}

Tax number: {{CEG_ADOSZAM}}

Company registration number: {{CEG_CEGCHEGYZEK}} or

EV registration number: 00000000

Website address: csasziandras.hu

Email address: andras.csaszi@gmail.com

Phone number: +36-30-554-6908

Hosting provider details

Name: DRÁVANET Internet Service Provider Private Limited Company

Registered office: 7624 Pécs, Budai Nagy Antal Street 1.

Email: info@dravanet.hu

Phone number: 06-80-811-118

Website:

Legal regulations

The laws that determine our data processing activities are primarily:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR, hereinafter referred to as the Regulation)
  • Fundamental Law of Hungary
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.)
  • Act V of 2013 on the Civil Code (Civil Code)
  • Act C of 2003 on Electronic Communications (Eht.)
  • Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (Eker Act)
  • Act VI of 1998 on the protection of individuals with regard to automatic processing of personal data, on the promulgation of the Convention done at Strasbourg on 28 January 1981
  • Act CLV of 2009 on the Protection of Classified Data
  • Act CL of 2017 on the Taxation System (Art.)
  • Act C of 2000 on Accounting (Accounting Act)
  • Act CLV of 1997 on Consumer Protection (Consumer Protection Act)
  • Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities (Grtv.)

Concepts

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Personal data: any information relating to a data subject, such as an identifier, name, number, location data, online identifier or data specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

Special data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the purpose of uniquely identifying natural persons, data concerning health and personal data concerning the sex life or sexual orientation of natural persons.

Data management: any operation or set of operations performed on personal data or data files, regardless of the procedure used, including in particular collection, recording, organization, structuring, storage, alteration, transformation, use, retrieval, transmission, disclosure by transmission, alignment or combination, blocking, erasure and destruction, access to data and preventing further use of data, taking photographs, audio or video recordings and taking physical characteristics (e.g. fingerprints or palm prints) suitable for identifying a person.

Data controller: the natural or legal person or organization without legal personality who, alone or jointly with others, determines the purposes and means of the processing of personal data, makes and implements decisions relating to the processing of personal data, or has them implemented by the data processor.

Data processor: the natural or legal person, or an organization without legal personality, who processes personal data on behalf of the data controller.

Data subject: any natural person who is identified or can be identified, directly or indirectly. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or one or more factors.

Data transmission: making personal data accessible to a specific third party. Data transfers to EEA member states or to European Union bodies shall be considered as data transfers within the territory of Hungary.

Data deletion/erasure: making data unrecognizable by deleting content or in a manner that allows for an equivalent result.

Data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

EEA Member State: a Member State of the European Union and another state party to the Agreement on the European Economic Area, as well as a state whose citizen enjoys the same legal status as a citizen of a state party to the Agreement on the European Economic Area under an international treaty concluded between the European Union and its Member States and a state not party to the Agreement on the European Economic Area.

Third country: any state that is not an EEA member state.

NAIH: National Data Protection and Freedom of Information Authority, supervisory authority under the GDPR for Hungary.

Basic principles of data management

Personal data:

  • must be processed lawfully and fairly, and in a manner that is transparent to the data subject ("lawfulness, fairness and transparency");
  • may only be collected for specified, explicit and legitimate purposes ("purpose limitation");
  • must be adequate and relevant in relation to the purposes of the processing and limited to what is necessary ("data economy");
  • must be accurate and up to date; we take all reasonable steps to ensure this, and we promptly erase or rectify personal data that is inaccurate for the purposes of the processing ("accuracy");
  • must be stored in a form that allows identification of data subjects only for the time necessary to achieve the purposes of processing personal data ("limited storage");
  • must be processed in a manner that ensures adequate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by applying appropriate technical or organizational measures ("integrity and confidentiality").

As a data controller, we are responsible for compliance with the above, and we will demonstrate compliance where necessary ("accountability").

Managed data

Contact us

If you provide us with your contact information by email, filling out a form on our website, or by calling us, we will use it to contact you. Providing this information is not mandatory, but we will not be able to contact you without it.

Data subjects: A natural person, or a representative of a sole proprietor/legal entity, who contacts the Data Controller.

Purpose of data processing: Keeping in touch.

Data type: Name, email address, phone number.

Legal basis: GDPR Article 6(1)(a) (Consent).

Retention period: Until consent is withdrawn.

Order processing

If you have placed an order in the webshop, we will process your data during the processing of the order in order to fulfill the contract.

Data subjects: A natural person, or a representative of a sole proprietor/legal entity, placing an order on the website.

Purpose of data processing: Fulfillment of a contract.

Data type: Name, email address, phone number, address, characteristics of the purchased goods, order number and date.

Legal basis: GDPR Article 6(1)(b) (Performance of a contract).

Retention period: We retain the data for 5 years after the order (contract) has been completed.

Invoicing

In accordance with the law, we issue an invoice for the goods you purchase; this accounting document must be kept for 8 years.

Data subjects: A natural person or sole proprietor/legal entity placing an order on the website.

Purpose of data processing: Fulfillment of a legal obligation.

Data type: Name, email address, phone number, address, description of the purchased item.

Legal basis: GDPR Article 6(1)(c) (Fulfillment of a legal obligation). Pursuant to Section 159 (1) of Act CXXVII of 2007 on Value Added Tax, the issuance of an invoice is mandatory, and pursuant to Section 169 (2) of Act C of 2000 on Accounting, it must be kept for 8 years.

Retention period: Issued invoices must be kept for 8 years from the date of issue.

Delivery of goods

When purchasing physical (non-digital) goods, the product must be delivered to the address you provide.

Data subjects: A natural person or sole proprietor/legal entity placing an order on the website.

Purpose of data processing: Fulfillment of a contract.

Data type: Name, email address, phone number, address.

Legal basis: GDPR Article 6(1)(b) (Performance of a contract).

Retention period: Until the ordered goods are delivered.

Handling consumer complaints

If you contact us with a consumer complaint regarding your order, we will process your data for administrative purposes.

Data subjects: A natural person, or a representative of a sole proprietor/legal entity, placing an order on the website.

Purpose of data processing: Fulfillment of a legal obligation.

Data type: Name, email address, phone number, content of the complaint.

Legal basis: GDPR Article 6(1)(c) (Fulfillment of a legal obligation). Pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection, we are obliged to retain the complaint for 3 years.

Retention period: 3 years under the Consumer Protection Act.

Proof of online consent

The IT system stores IT data related to your online consent (registration, order, newsletter subscription) for later verification.

Data subjects: A natural person, or a representative of a sole proprietor/legal entity, who provides consent on the website.

Purpose of data processing: Fulfillment of a legal obligation.

Data type: User's IP address, date of consent.

Legal basis: GDPR Article 6(1)(c) (Compliance with a legal obligation). The obligation is stipulated in Article 7(1) of the GDPR.

Retention period: Since consent must be verified later due to legal requirements, the data storage period is the limitation period following the termination of data processing.

Newsletter sending

You can subscribe to our newsletter by filling out the form on the website. Providing your data is not mandatory, but if you do not provide it, we will not be able to send you the newsletter.

Data subjects: People who subscribe to the newsletter.

Purpose of data processing: Sending the newsletter.

Data type: Name, email address.

Legal basis: GDPR Article 6(1)(a) (Consent).

Retention period: Until consent is withdrawn (unsubscribe).

Registration

If you register on the website, we can provide you with a more convenient service in the future.

Data subjects: People registering on the website.

Purpose of data processing: Providing convenience services.

Data type: Name, email address, phone number, address, characteristics of purchased products, date of purchase.

Legal basis: GDPR Article 6(1)(a) (Consent).

Retention period: Until consent is withdrawn.

Remarketing

Remarketing activities are carried out using cookies.

Data subjects: People using the website.

Purpose of data processing: Marketing activity.

Data type: Data processed by cookies specified in the cookie policy.

Legal basis: GDPR Article 6(1)(a) (Consent).

Retention period: The data storage period for the given cookie.

Google general cookie information:

Google Analytics information:

Facebook information:

Automated decision-making

The Data Controller does not perform automated decision-making when operating the website.

Cookie management (cookies)

Our website uses cookies to operate the website, make it easier to use, track your activity on the website and display relevant offers. Detailed information on cookie management can be found in the Cookie Policy.

Data security

We ensure the security of the personal data we process by implementing technical and organizational measures and procedures.

We protect the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, and against inaccessibility resulting from changes in the technology used.

Only those of our employees who need to know your personal data to perform their duties have access to it.

To ensure data security:

  • During the design and operation of the IT system, we assess and take into account potential risks, striving to continuously reduce them.
  • We monitor emerging threats and vulnerabilities (such as computer viruses, computer intrusions and denial-of-service attacks) so that we can take timely action to avoid and mitigate them.
  • We protect IT devices and paper-based information against unauthorized physical access and environmental influences (e.g. water, fire, electrical surges).
  • We monitor our IT system to detect potential problems and incidents.
  • Reliability is a fundamental consideration when selecting service providers participating in the operation.

Transmission and transfer of data

We will only transmit or hand over the personal data of natural persons using our services or our website to our partners and data processors specified in this Data Protection Notice, as well as to the authorities upon request. Data will not be transferred to a third country or international organization.

Data processor partners involved in data management

Hosting service

DRÁVANET Internet Service Provider Ltd.

Registered office: 7624 Pécs, Budai Nagy Antal Street 1.

E-mail:

Phone number: 06-80-811-118

Website:

Online payment

Barion Payment Ltd.

Registered office: 1117, Budapest, Irinyi József Street 4-20.

E-mail:

Phone number: +36 1 464 70 99

Website:

or

Stripe Payments Europe, Limited

Headquarters: One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland

Website:

Legal information:

Help:

Delivery of goods

Hungarian Post Ltd.

Headquarters: 1138 Budapest, Dunavirág Street 2-6.

E-mail:

Phone number: +36-1/767-8200

Website:

GLS General Logistics Systems Hungary Package Logistics Ltd.

Headquarters: 2351 Alsónémedi, GLS Európa u. 2.

E-mail:

Phone number: 06-29-88-67-00

Website:

FoxPost Ltd.

Registered office: 1068 Budapest, Dózsa György út 84. B. building.

E-mail:

Phone number: +36 1/999-0-369

Website:

Marketing activity

Facebook Inc.

Headquarters: 1601 Willow Rd MENLO PARK, CA 94025-1452, USA

Website:

Google LLC

Headquarters: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Website:

Rights of data subjects

Right to prior information

The data subject has the right to receive transparent, understandable, clear and easily accessible written information from the Data Controller before the start of the processing of personal data. The Data Controller must provide this information at the latest at the time of obtaining the personal data.

If the controller intends to further process personal data for purposes other than those for which they were collected, it must inform the data subject of this different purpose and any relevant additional information prior to further processing.

Right of access

The data subject has the right to receive feedback from the Data Controller as to whether his or her personal data is being processed and, if such processing is taking place, he or she has the right to access the personal data and the following information:

a) the purposes of data processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;

d) where applicable, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;

e) the right of the data subject to request from the Data Controller the rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data;

f) the right to lodge a complaint with a supervisory authority;

g) if the data were not collected from the data subject, all available information on their source;

h) the fact of automated decision-making, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

The Data Controller shall provide the data subject with a copy of the personal data which are the subject of the data processing. For further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise. The right to request a copy shall not adversely affect the rights and freedoms of others.

The right to rectification

The data subject shall have the right to obtain from the Controller, at his/her request, the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

The right to erasure ("the right to be forgotten")

The data subject has the right to request that the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller is obliged to erase personal data concerning the data subject without undue delay if one of the following reasons applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject withdraws his/her consent which forms the basis for the data processing and there is no other legal basis for the data processing;

c) the data subject objects to the processing of his or her data and there are no overriding legitimate grounds for the processing;

d) the personal data have been processed unlawfully;

e) the personal data must be erased for compliance with a legal obligation under Union or Member State law applicable to the Controller;

f) the personal data were collected in connection with the provision of information society services.

Where the Controller has made the personal data public and is obliged to erase them pursuant to the foregoing, the Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that the data subject has requested the erasure of links to, or copies or replications of, the personal data concerned.

The above does not apply if data processing is necessary:

a) for the purpose of exercising the right to freedom of expression and information;

b) for the purpose of fulfilling an obligation to process personal data under Union or Member State law applicable to the Controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

c) on the basis of public interest in the field of public health;

d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, where the right to erasure would likely render impossible or seriously jeopardise such processing; or

e) for the establishment, exercise or defense of legal claims.

Right to restriction of data processing

The data subject has the right to request that the Data Controller restrict data processing if one of the following applies:

a) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period of time enabling the Data Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;

c) the Data Controller no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defense of legal claims; or

d) the data subject has objected to the data processing; in this case, the restriction shall apply for the period until it is determined whether the legitimate grounds of the Data Controller override those of the data subject.

If processing is subject to restrictions as set out above, such personal data may only be processed, with the exception of storage, with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or of a Member State.

The Data Controller shall inform the data subject, at whose request data processing has been restricted, in advance of the lifting of the restriction on data processing.

Right to notification regarding rectification or erasure of personal data or restriction of processing

The data subject has the right to request from the Data Controller the names of the recipients to whom his/her personal data have been disclosed. The Data Controller is obliged to inform all recipients to whom the personal data have been disclosed of the rectification, erasure or restriction of processing of personal data, unless this proves impossible or involves a disproportionate effort.

Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and has the right to transmit these data to another data controller, if

a) the data processing is based on consent or contract and

b) data processing is carried out in an automated manner.

When exercising the right to data portability, the data subject has the right to request the direct transmission of personal data between data controllers, if technically feasible.

The exercise of the data subject's right to data portability may not adversely affect the rights and freedoms of others. Where it would, the Data Controller shall fulfil the data subject's request without disclosing the personal data affected by this circumstance, and shall send the data subject reasonable information about this.

The right to object

The data subject shall have the right, on grounds relating to his or her particular situation, to object at any time to processing of personal data concerning him or her for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on those provisions. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.

If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.

Automated decision-making, profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply where the decision:

a) is necessary for the conclusion or performance of a contract between the data subject and the data controller,

b) is permitted by Union or Member State law applicable to the controller which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject, or

c) is based on the explicit consent of the data subject.

In the cases referred to in points a) and c), the Data Controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention on the part of the Data Controller, to express his or her point of view and to object to the decision.

The data subject's right to information about the data protection incident

The data subject has the right to be informed about a data protection incident affecting him or her occurring at the Data Controller, if the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons.

The data subject's right to lodge a complaint with the supervisory authority

Without prejudice to other administrative or judicial remedies, each data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her infringes the Regulation.

The supervisory authority to which the complaint has been submitted is obliged to inform the client about the procedural developments related to the complaint and its outcome, including the client's right to seek judicial redress.

Hungarian Member State Supervisory Authority:

National Data Protection and Freedom of Information Authority (postal address: 1363 Budapest, Pf. 9., registered office: 1055 Budapest, Falk Miksa utca 9-11., website: , telephone: 06-1-391-1400, e-mail address: ugyfelszolgalat@naih.hu).

Right to an effective judicial remedy against the supervisory authority

Without prejudice to other administrative or non-judicial remedies, every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.

Without prejudice to other administrative or non-judicial remedies, every data subject has the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject of the procedural developments or the outcome of the complaint within three months.

Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

Data subjects can exercise these rights in writing, using the contact details provided in the Data Controller section of this Notice. We will try to respond to all inquiries as soon as possible, but no later than within 15 working days.

We are unable to provide personal information over the phone as we cannot identify the caller.

Modification of data processing information

We regularly review this Privacy Policy and update it if necessary.

In the event of a change, we will choose how to notify Data Subjects, depending on the extent of the change and the impact of the change on the data subjects. If the change is significant, we will notify all data subjects of the change by email; if the change is not significant, we will publish the new version on our website, but we will not send an email notification.