Privacy policy
Privacy Policy
- Introduction
The purpose of this Data Protection and Privacy Notice (hereinafter referred to as the "Notice") is to inform the Data Controller of the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the "Information Act"). ), and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "Directive on the protection of individuals with regard to the processing of personal data"): Regulation or GDPR), to provide you with simple and transparent information about the details of the processing of your personal data, what data we collect and for what purposes, how and for how long we process and store it, as well as your rights in relation to the processing of your personal data and how you can exercise them.
EMERZY Group Ltd (hereinafter referred to as "the Company" or "the Controller") is committed to ensuring the highest possible level of protection of personal data and will take appropriate and necessary measures to ensure that the processing of personal data is carried out in accordance with the applicable legal requirements.
Please read the following information carefully! If you have any questions or comments about data protection or data management, or if you wish to exercise your rights in relation to data management, please contact us at hello@pulowear.com
- The Company
|
Name: |
EMERZY Group Kft. |
|
Postal adress: |
Hungary, 2371 Dabas, Szent János út 347. |
|
Email adress: |
hello@pulowear.com |
|
Phone number: |
+36 30 465 2428 |
|
Website: |
http://www.pulowear.com |
|
Registration number: |
13-09-221059 |
- What concepts should you be aware of when handling data?
3.1 "Personal data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3.2 "Data Subject" means any specified natural person who is identified or can be identified, directly or indirectly, on the basis of Personal Data.
3.3 "Legal basis": the legal basis for the processing of personal data is the legal basis on which we rely when using your personal data in order to ensure its lawfulness.
3.4 "Consent" means the freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies, by a statement or by an act unambiguously expressing his or her confirmation, his or her agreement to the processing of personal data concerning him or her.
3.5 "Objection": a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data.
3.6 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3.7 "Controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law.
3.8 'Processing' means the performance of technical tasks related to processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data.
3.9 "Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
3.10. "Recipient" means the natural or legal person, public authority, agency or any other body with whom or to which personal data are disclosed, whether or not a third party. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing.
3.11. 'Restriction of processing' means the marking of stored personal data for the purpose of restricting their future processing.
3.12. "Renaming" means the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separately and technical and organisational measures are taken to ensure that no link can be established between the personal data and identified or identifiable natural persons.
3.13. 'Filing system' means a set of personal data, structured in any way, whether centralised, decentralised or structured according to functional or geographical criteria, which is accessible on the basis of specific criteria.
3.14 "Authority" means the Hungarian Nemzeti Adatvédelmi és Információszabadság Hatóság
3.15. "Third party" means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
3.16. "Transfer" means the making available of data to a specified third party.
- What principles do we apply when processing and protecting your personal data?
Data protection is the legal protection of personal data, including sensitive data, which aims to safeguard the privacy of individuals and the right to informational self-determination of the data subject by regulating the processing of personal data that can be associated with the data subject.
The Company, as data controller, is responsible for compliance with the data protection rules and for the ability to demonstrate compliance.
The processing of personal data must be lawful, fair and transparent to the data subject. The Company shall exercise its rights and obligations in relation to the processing in accordance with their intended purpose, lawfully and in a transparent manner for the data subject.
On the basis of the purpose limitation principle, the Company shall process personal data only for specified, explicit and legitimate purposes and not in a way incompatible with those purposes.
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed, i.e. only personal data which is necessary for the purposes for which it is processed and adequate for those purposes, and only to the extent and for the duration strictly necessary for those purposes.
The employees of the Company may process personal data only for the purpose of carrying out their specific tasks in the proper exercise of the rights conferred on them and, if the purpose of the processing ceases to exist, the data must be deleted without delay, at the latest after the expiry of the period prescribed by law. Processing unrelated to the purpose is prohibited.
In accordance with the principle of limited storage, personal data should be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, and personal data should be stored for longer periods only for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
In accordance with the principle of accuracy, the Company shall make every effort to ensure that the personal data processed are accurate and, where necessary, kept up to date.
Based on the principles of integrity and confidentiality, data shall be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.
The Company shall not use any decision-making process based on automated data processing or profiling.
The Controller may lawfully process personal data if at least one of the conditions listed above is met:
- the data subject has given his or her freely given, specific and unambiguous informed consent to the processing of his or her personal data for specified purposes, for a specified scope and for a specified period;
- the processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
A transfer is considered to be a disclosure if the data is made available to a specified third party. The transfer as a data processing operation may also only take place if the appropriate legal basis exists.
A request from a third party to disclose personal data may only be complied with if it is necessary for compliance with a legal obligation or for the performance of a task carried out in the exercise of official authority or in the public interest, or if the data subject has given his or her consent.
Transfers to a third country or an international organisation should not undermine the level of protection afforded to natural persons in the EU by the GDPR. Accordingly, a transfer may only take place if the controller or processor in the third country complies with the conditions of the GDPR in full compliance with the GDPR.
In the course of its activities, the Company may use a Data Processor on a permanent or ad hoc basis. The use of a Data Processor shall be governed by the legislation on data protection, in particular the provisions of the GDPR.
The Data Processor shall be responsible for the processing, modification, erasure, transmission, blocking and disclosure of personal data within the scope of its activities and within the limits set by the Data Controller. The processor shall not engage other processors in the performance of his or her activities without his or her specific or general authorisation.
Where a processor is used, it must be ensured in a documented manner that the knowledge of and compliance with this Notice and the obligation of confidentiality in the data processing contracts also apply to the contracting party and its employees.
- What personal data do we process?
5.1. Registration on the website
5.1.1. Purpose of processing: to enable you to register on our website and use our services by providing your personal data.
5.1.2. Processed personal data:
- your surname and first name;
2. your telephone number;
3. your e-mail address;
4. your login identification data (username) and password;
5. the IT data processed in connection with the verifiability of your consent (date of consent, your IP address).
5.1.3 Legal basis for processing: your personal consent.
5.1.4 Duration of processing: the personal data provided under 5.1.2 will be processed until your personal consent is withdrawn. The storage period for data processed in relation to the justification of consent is the limitation period (5 years) following the cessation of processing.
5.1.5 Data Processor: Shopify Inc. (headquarters: 150 Elgin Street, 8th Floor Ottawa, ON K2P 1L4 Canada, e-mail: info@shopify.com).
5.1.6 Purpose of processing: to store your personal data in accordance with the data processing contract (the data processor is not entitled to know your personal data).
5.1.7. Data forwarding: -
5.1.8. Reason for data forwarding: -
5.2. Contact
5.2.1. Purpose of data processing: after registration, if you make a purchase, a contract is concluded between you and the Company, the purpose of data processing is to process the data necessary for the conclusion of the contract.
5.2.2. The personal data concerned by the processing:
- your first and last names;
2. your permanent address;
3. your billing address;
4. your telephone number;
5. your e-mail address;
6. information about your online purchases (details of the product purchased, date of purchase, method of payment);
7. the IT data processed in relation to the verifiability of your consent (date of consent, your IP address).
5.2.3. Legal basis for processing: your personal consent
5.2.4 Duration of processing: the data provided under 5.2.2 will be processed until your personal consent is withdrawn. The storage period for data processed in relation to the justification of consent is the limitation period (5 years) following the cessation of processing.
5.2.5 Data processor: Shopify Inc. (headquarters: 150 Elgin Street, 8th Floor Ottawa, ON K2P 1L4 Canada, e-mail address: info@shopify.com).
5.2.6 Purpose of processing: to store your personal data in accordance with the data processing contract (the data processor is not entitled to know your personal data).
5.3 Order processing
5.3.1 Purpose of the processing: if you have placed an order in the webshop, the provision of the personal data specified in section 5.3.2 is necessary for the processing of the order as part of the performance of the contract.
5.3.2. The personal data concerned by the processing:
- your first and last names;
2. your permanent address (delivery address if different from your permanent address);
3. your billing address;
4. your telephone number;
5. your e-mail address;
6. information about your online purchases (details of the product purchased, date of purchase, method of payment).
5.3.3 Legal basis for processing: fulfillment of the contract.
5.3.4 Duration of data processing: the data provided under 5.3.2 will be processed for 5 years in accordance with the statute of limitations under civil law.
5.3.5 Data Processor: Shopify Inc. (headquarters: 150 Elgin Street, 8th Floor Ottawa, ON K2P 1L4 Canada, e-mail address: info@shopify.com).
5.3.6. Purpose of the processing: to store your personal data in accordance with the data processing contract (the data processor is not entitled to know your personal data).
5.3.7. Data forwarding: -
5.3.8 Purpose of the forwarding: -
5.4. Online Payment
5.4.1 Purpose of data processing: to collect the data necessary for the purchase of the goods to be purchased online.
5.4.2. The personal data concerned by the processing:
- your first and last names;
2. your bank card details (card issuing financial institution, card number, cardholder name, card validity, security code);
3. your billing address;
4. information about your online purchases (amount of the purchase, order number).
5.4.3. Legal basis for processing: fulfillment of the contract.
5.4.4 Duration of data processing: the data provided in point 5.4.2 are not stored by the Data Controller, they are processed by the Data Processor for a period of 5 years according to the statute of limitations under civil law.
5.4.5 Data Processor: Stripe Payments Europe, Limited; Stripe Technology Europe, Limited (add.: The One Building, 1, Lower Grand Canal Street, Dublin 2, Ireland)
5.4.6 Purpose of the processing: to carry out online payments and to store your personal data in accordance with the data processing contract.
5.4.7. Data forwarding: -
5.4.8 Purpose of the forwarding: -
5.5 Invoice creation
5.5.1 The purpose of data processing: to issue invoices in accordance with the law and to fulfil the obligation to keep accounting records.
5.5.2. The personal data concerned by the processing:
- your first and last names;
2. your billing address;
3. your telephone number;
4. your e-mail address;
5. other data required by Section 169 of the VAT Act.
5.5.3. Legal basis for processing: compliance with a legal obligation.
5.5.4. Duration of data management: invoices issued must be kept for 8 years from the date of issue of the invoice, pursuant to Section 169 (2) of the Public Finance Act.
5.5.5. Data Processor: KBOSS.hu Kft. (add.: 1031 Budapest, Záhony utca 7., e-mail: info@szamlazz.hu), Vödrös Judit (add.: 8000 Székesfehérvár, Zámoly utca 56., e-mail: vodros.judit@gmail.com) and Shopify Inc. (add.: 150 Elgin Street, 8th Floor Ottawa, ON K2P 1L4 Canada, e-mail: info@shopify.com).
5.5.6. The purpose of the data processing is: according to the data processing contract, to assist in the registration of accounting documents (KBOSS.hu Ltd.), to assist in the accounting of accounting documents (Judit Vödrös), and to store your personal data.
5.5.7. Data forwarding: -
5.5.8 Purpose of the forwarding: -
5.6. Delivery of goods
5.6.1. Purpose of data processing: delivery of the product ordered and paid for on the website.
5.6.2. The personal data concerned by the processing:
- your surnames and first names;
2. your permanent address (delivery address if different from your permanent address);
3. your telephone number;
4. your e-mail address;
5. information about your online purchases (details of the product purchased).
5.6.3. Legal basis for processing: fulfilling the contract.
5.6.4. Duration of data processing: the data provided in 5.6.2 will be processed for 5 years, subject to the limitation period under civil law.
5.6.5. Data processor: GLS General Logistics Systems Hungary Kft. (headquarters: 2351 Alsónémedi, GLS Európa utca 2., e-mail: info@gls-hungary.com) and Shopify Inc. (add: 150 Elgin Street, 8th Floor Ottawa, ON K2P 1L4 Canada, e-mail: info@shopify.com).
5.6.6. The purpose of the processing: to assist in the delivery of the goods ordered (GLS General Logistics Systems Hungary Kft.) in accordance with the data processing contract and to store your personal data.
5.6.7. Data forwarding: -
5.6.8. Purpose of the forwarding: -
5.7. Handling disputes, complaints, warranty management:
5.7.1 Purpose of the processing: collection of personal data for the purpose of filing and handling disputes, complaints, warranty management.
5.7.2. The personal data concerned by the processing:
- your first and last names;
2. your permanent address (delivery address if different from your permanent address);
3. your telephone number;
4. your e-mail address;
5. information about your online purchases (details of the product purchased, date of purchase, method of payment);
6. the content of the complaint.
5.7.4 Duration of data processing: pursuant to Article 17/A (7) of Act CLV of 1997 on Consumer Protection, we are obliged to keep the complaint for 5 years.
5.7.5 Data processor: -
5.7.6 Purpose of processing: -
5.7.7 Data Transfer: -
5.7.8 Purpose of data transfer: -
5.8. Contacting, marketing enquiries
5.8.1 Purpose of processing: to provide contact between you and the Company, to provide information, marketing enquiries.
5.8.2. Personal data concerned by the processing:
- your surnames and first names;
2. your permanent address;
3. your billing address;
4. your telephone number;
5. your e-mail address
6. the IT data processed in relation to the verifiability of your consent (date of consent, your IP address).
5.8.3. Legal basis for processing: your personal consent.
5.8.4 Duration of processing: the personal data provided under 5.8.2 will be processed until your personal consent is withdrawn. The storage period for data processed in relation to the justification of consent is the limitation period (5 years) following the cessation of processing.
5.8.5.. Data processor: The Rocket Science Group LLC. (add.: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA, e-mail: privacy@mailchimp.com) and Shopify Inc. (add.: 150 Elgin Street, 8th Floor Ottawa, ON K2P 1L4 Canada, e-mail: info@shopify.com).
5.8.6 Purpose of the processing: to assist in the sending of newsletters (The Rocket Science Group LLC.) and to store your personal data in accordance with the data processing contract.
5.8.7 Data Transfer: -
5.8.8 Purpose of data transfer: -
5.9. Giveaways
5.9.1. Purpose of data processing: to ensure contact between you and the Company, to publish a giveaway.
5.9.2. The personal data concerned by the processing:
- your surnames and first names;
2. your permanent address (delivery address if different from your permanent address);
3. your telephone number;
4. your e-mail address
5. the IT data processed in relation to the verifiability of the consent (date of consent, your IP address).
5.9.3. Legal basis for processing: your personal consent.
5.9.4 Duration of data processing: if you have not won, the duration of the prize draw; if you have won, 8 years under the Accounting Act. The period of storage of data processed in relation to the justification of consent is the limitation period (5 years) following the cessation of processing.
5.9.5 Data Processor: Shopify Inc. (headquarters: 150 Elgin Street, 8th Floor Ottawa, ON K2P 1L4 Canada, email: info@shopify.com).
5.9.6 Purpose of processing: to store your personal data.
5.9.7. Data forwarding: -
5.9.8 Purpose of the forwarding: -
- Information about the use of cookies
The Data Controller uses so-called cookies when you visit the website. A cookie is a set of letters and numbers that our website sends to your browser to save certain settings, facilitate the use of our website and help us to collect some relevant statistical information about our visitors.
Some of the cookies do not contain any personal information and cannot be used to identify the individual user, but some of them contain a unique identifier - a secret, randomly generated sequence of numbers - that is stored on your device, thus ensuring your identification. The duration of each cookie is described in the relevant description of each cookie.
The legal basis for processing is your consent pursuant to Article 6(1)(a) of the Regulation.
Cookies used by the website and their main character:
6.1: Necessary: These cookies help make the website usable by enabling basic functions such as site navigation. The website cannot function properly without these cookies, so accepting them is mandatory.
- PHPSESSID: Keeps the user session state between page requests. Expiry time: session
- SESS#: Keeps user states between different page requests. Expiry date: 365 days
- CookieConsent: Stores the user's cookie consent for the current domain. Expiry date: 365 days
- ci_session: Keeps user states between different page requests. Expiry time: session
- __cfduid: The Cloudflare content network uses it to identify trusted web traffic. Expiry date: 364 days
- nicelink_: Expiry time: session
- AWSALB: Expiry time: 6 days
- _landing_page: Tracking landing pages. Expiry time: 13 days
- _orig_referrer: Tracking landing pages. Expiry time: 13 days
- _s: Shopify analitika. Expiry time: session
- _shopify_fs: Shopify analitika. Expiry time: 9 days
- _shopify_s: Shopify analitika. Expiry time: session
- _shopify_sa_p: Shopify analytics for marketing and recommendations. Expiry time: session
- _shopify_sa_t: Shopify analytics for marketing and recommendations. Expiry time: session
- _shopify_y: Shopify analitika. Expiry time: 719 days
- _y: Shopify analitika. Expiry time:: 719 days
- algoliasearch-client-js: Expiry time: 0 days
- cart_sig: Shopify analitika. Expiry time: 13 days
- cookietest: Testing whether the user accepts any cookies. Expiry time: session
- secure_customer_sig: It is used in connection with customer login. Expiry date: 7304 days
- simpleStorage: Expiry time: 0 days
- statsQueue: Expiry time: 0 days
- oxi_referrer: Expiry time: 6 days
- storefront/page: Expiry time: session
- storefront/session-attribution: Expiry time: session
- storefront/track: Expiry time: session
6.2: Statistical: These cookies are used to track visitors to the website. The aim is to display ads that are relevant and interesting to the visitor, and therefore more valuable to the advertisers and third party advertisers. Acceptance of these cookies is optional.
- _ga: Records the unique identifier used to generate statistical data on the visitor's use of the website. Expiry date: 729 days
- _gid: Records the unique identifier used to generate statistics on the visitor's use of the website. Expiry time: session
6.3: Marketing: these cookies help website owners understand how visitors use the website by collecting and reporting information anonymously. Accepting these cookies is optional.
- __zlcmid: Keeps the user states between different page requests. Expiry time: 364 days
- zte#: Saves the Zopim Live Chat ID, which recognizes the device during chat between different visits. Expiry time: session
- IDE: Google DoubleClick is used by Google to record and report a website user's activity after viewing or clicking on an advertiser's ad to measure the effectiveness of an ad and show targeted ads to the user. Expiry time: 389 days
- test_cookie: Checks whether the user's browser supports cookies. Expiry time: session
- fr: Used by Facebook to serve a series of advertising products, for example, as real-time bids from third-party advertisers. Expiry time: 89 days
- php/#: Used by Facebook to record views on pages with a Facebook login button. Expiry time: session
- tr: Expiry time: session
- ads/ga-audiences: Used by Google AdWords to re-engage visitors who are likely to become customers based on their online behaviour on websites. Expiry time: session
- ads/user-lists/# : Expiry time: session
- collect: Sends data to Google Analytics about visitors' devices and online behaviour. Tracks the visitor across different devices and sales channels. Expiry time: session
- KRTBCOOKIE_#: Records a unique identifier that identifies a returning user's device on sites that use the same ad network. The identifier enables targeted advertising. Expiry time: 89 days
- PUBMDCID: Records a unique identifier that identifies the returning user's device on sites that use the same advertising network. The identifier enables targeted advertising. Expiry date: 89 days
- PugT: Expiry date: 29 days
- c: Expiry time: session
- khaos: Captures anonymous user data including: IP address, geographic location, websites visited, ads clicked (by user) with the purpose of optimising ad placement based on user activity on websites using the same ad network. Expiry date: 364 days
- put_#: Captures anonymous user data, including IP address, geographic location, websites visited, ads clicked (by user), with the purpose of optimising ad placement based on user activity on websites using the same ad network. Expiry date: 29 days
- rpb: Collects anonymous user data, including: IP address, geographic location, websites visited, ads clicked (by user) for the purpose of optimising ad placement based on user activity on websites using the same ad network. Expiry date: 29 days
- rpx: Expiry date: 29 days
- php : Expiry time: session
- id: Records a unique identifier that identifies the returning user's device. The identifier is used for targeted advertising. Expiry time: 364 days
- PREF: Google uses this unique identifier to record statistics on how visitors use YouTube videos on different websites. Expiry date: 243 days
- VISITOR_INFO1_LIVE: On sites with integrated YouTube videos, it tries to estimate the available bandwidth of users. Expiry time: 243 days
- YSC: Captures statistics about which YouTube videos the user has watched, using a unique identifier. Expiry time: session
- __zlcstore: Expiry time: session
- mayAdd: Helps to give appropriate recommendations to the user by tracking the products they choose. Expiry time: session
- profile: Helps to give appropriate recommendations to the user through the tracking of products of his choice. Expiry time: 364 days
- visitor: Helps to provide the user with appropriate recommendations through the follow-up of the products of his choice. Expiry time: 364 days
- __zlcid: Expiry time: session
- sc_timings: Expiry time: 0 days
- ZD-buid : Expiry time: 0 days
- ZD-currentTime : Expiry time: session
- ZD-suid: Expiry time: 0 days
6.4 Other: these cookies are being categorised, with the help of individual cookie providers. Acceptance of these cookies is optional.
- cdv: Helps to provide the user with appropriate recommendations by tracking the products of his choice. Expiry date: 365 days
- s: Helps to provide the user with appropriate recommendations by tracking the products of his choice. Expiry time: session
- xp: Helps to give appropriate recommendations to the user through the tracking of products of his choice. Expiry time: 365 days
Several processing scenarios may be implemented for the purpose of contracting and fulfillment. Please note that data processing related to complaint handling, warranty management will only take place if you exercise one of these rights.
If you do not make a purchase through the webshop, but are only a visitor to the webshop, the marketing processing may apply to you if you provide us with your consent for marketing purposes.
- Enforcement of data subjects' rights
7.1 Rights of the data subject:
- right to information;
- right of access;
- right to rectification;
- right to erasure;
- Right to rectification, right to obtain information, right to rectification, right to obtain information;
- the right to data portability;
- the right to object;
- the right to withdraw consent.
7.2. Right to information
The Data Controller shall provide the data subjects with information and the right of access to the data subject upon request/enquiry without any specific request.
The data subject shall have the right to request, prior to giving consent to processing, information which shall include the following information:
- the name and contact details of the controller;
- contact details of the Data Protection Officer;
- the purposes for which the personal data are intended to be processed,
- the legal basis for the processing;
- where applicable, the recipients of the personal data or categories of recipients, if any;
- where applicable, the fact that the controller intends to transfer the personal data to a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the GDPR, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy or the availability of a copy.
7.3. Right to acces
The data subject shall have the right to receive feedback on the processing of his or her data processed by or on behalf of the Controller, which shall contain the following information:
- the legitimate purposes of the processing;
- the categories of personal data concerned;
- the categories of recipients of the personal data concerned;
- where possible, the duration of the storage of the personal data, or, if this is not possible, the criteria for determining this duration;
- the source of the personal data, where the personal data have not been collected from the data subject;
- in the case of transfers to a country providing an inadequate level of protection or under an adequacy decision, the appropriate safeguards.
7.4. Right to rectification
The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her.
7.5. Right to erasure
The data subject has the right to request the erasure of personal data concerning him or her if:
- their personal data are no longer necessary for the legitimate purposes for which they were collected or otherwise processed;
- the data subject withdraws his or her consent and the processing is no longer necessary for the legitimate purposes for which it was collected or for which it is processed;
- the data subject successfully objects to the processing of his or her personal data;
- the personal data concerned have been unlawfully processed; or
- the personal data concerned must be erased in order to comply with a legal obligation.
7.6 Right to restriction of processing
The data subject has the right to request the restriction of the processing of personal data concerning him or her if.
- the data subject contests the accuracy of his or her data for the period necessary for the Controller to verify the accuracy of the data;
- in case of unlawful processing;
- the controller no longer has a legitimate need for the data but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing of his or her personal data, pending the establishment of the legitimate interests of the controller.
7.7 Right to data portability
The data subject shall have the right to receive the personal data that he or she has provided to the Controller in a structured, commonly used, machine-readable format, if:
- the processing is based on the data subject's consent; or
- the processing is based on the performance of a contract with the data subject; and the processing is carried out by automated means.
7.8. Right to object
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on legitimate interest or for direct marketing purposes. In the event of an objection to the processing of personal data based on legitimate interests, the Controller may no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. In the event of an objection to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
7.9. Right to withdraw consent
If the processing is based on the data subject's voluntary consent (legal basis for processing), he or she has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal. The data subject must be informed before consent is given. The Data Controller shall ensure that the withdrawal of consent is as simple as giving it. Where the personal data of the data subject are not processed by the Controller on the basis of personal consent but on another legal basis (e.g. legal obligation), the processing of the personal data may lawfully continue on that other legal basis.
7.10. Rules for the exercise of data subjects' rights
The information on the measures taken to enforce the data subject's rights must be provided to the data subject without undue delay and at the latest within 30 days of receipt of the request. This information shall be provided free of charge, but where the request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller may charge a fee or refuse to act on the request.
If the data subject considers that the processing of his or her personal data infringes his or her rights concerning the protection of personal data, he or she has the right to lodge a complaint with the Company or directly with the supervisory authority, the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36 1 391 1400; e-mail: ugyfelszolgalat@naih.hu).
If the supervisory authority does not deal with a complaint lodged with it, or does not inform the data subject within three months of the procedural developments concerning the complaint or of the outcome of the complaint, or if the data subject considers that the processing of personal data concerning him or her infringes his or her rights concerning the protection of personal data, he or she has the right to take legal action. In such a case, judicial proceedings against the supervisory authority shall be brought before the Metropolitan Court or the court of the place of habitual residence.
- Data security aspects, data protection measures
The Controller shall ensure the protection of personal data and a level of data security appropriate to the level of risk. The Data Controller shall protect the personal data processed against threats, in particular against unauthorised access, accidental or unlawful alteration, disclosure, loss, disclosure, deletion, accidental or unlawful destruction or accidental loss, loss or destruction by accident, accidental or unlawful destruction or accidental loss, loss or destruction by accident, accidental or unlawful destruction or accidental loss, loss, disclosure, destruction or accidental loss, or any other unauthorised access, loss, destruction or destruction, and against inaccessibility resulting from changes in the technology used.
The Data Controller shall ensure the necessary and appropriate technical and organisational measures with regard to data stored by means of information technology and data stored on traditional paper storage media.
The Data Controller shall make every effort, within its organisational and technical possibilities, to ensure that its processors also take appropriate data security measures when working with the personal data of the data subject.
- Provisions
The Data Controller reserves the right to amend this privacy statement in a manner that does not affect the purpose and legal basis of the processing. By using the website after the amendment has entered into force, you accept the amended privacy notice.