Privacy Policy

KlassDSign Limited Liability Company

PRIVACY NOTICE AND INFORMATION ON THE PROCESSING OF PERSONAL DATA

 

Tóth Katalin EV. (seat: 1118 Budapest, Kelenhegyi út 50. 2 em. 5 ajtó; registration number: 51109547), as a data controller (hereinafter referred to as the Company or the Data Controller), processes the data concerned in the course of the activities it provides in accordance with the provisions of this information.

 

The Company aims to fully comply with the legal requirements for the processing of personal data, in particular with the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (the “Privacy Act”) and Regulation (EU) 2016/679 of the European Parliament and of the Council (the “Regulation” or “GDPR”), and therefore, through this notice, the Company aims to ensure the enforcement of the right to transparent information as provided for in Article 12 of the GDPR.

 

This Privacy Notice has been prepared in accordance with the GDPR and the Privacy Act.

 

The Data Controller declares that it will process personal data in accordance with the provisions of this Privacy Notice and will comply with the provisions of the GDPR, the Privacy Act and any other applicable legislation, in particular with regard to the content of this section:

 

The processing of personal data shall be lawful, fair and transparent for the data subject.

 

The processing of personal data must be carried out lawfully, fairly and fairly, and in accordance with the law and fairness of the data subject.

 

The purposes for which the personal data are processed must be adequate, relevant and the processing must be limited to what is necessary.

 

Personal data must be accurate and up to date. Inaccurate personal data must be deleted without delay.

 

Personal data must be stored in such a way that the identification of the data subjects is limited to the shortest period of time necessary for the purposes for which the data are processed.

 

Further processing of personal data other than as provided for in this notice shall be considered lawful where the processing is necessary to comply with a legal obligation, for reasons of public interest, for scientific research purposes, for statistical purposes or to present and pursue legal claims.

 

Personal data should be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organizational measures.

 

The principles of data protection apply to any information relating to an identified or identifiable natural person.

 

  1. Identification of the Data Controller and this website

 

  1. Name of the Data Controller: Tóth Katalin EV

 

Company registration number: 51109547

Tax number: 68061146-1-43

Registered office: 1118 Budapest, Kelenhegyi út 50. 2 em. 5 ajtó

Postal address: 1118 Budapest, Kelenhegyi út 50. 2 em. 5 ajtó

Website: www.plantebudpest.com

E-mail: help@ssolerawap.com

 

  1. Name of the website:

ssolerawap.com

The website accessible at the Internet address, the webpages and subpages accessible from that address.

  1. Hungarian law clause, scope of this notice

 

  1. Accordingly, the rules relating to the service and the contractual and data management provisions applicable to Users shall be governed by Hungarian law.

In view of the above, the Data Controller shall primarily:

 

– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); (The EU General Data Protection Regulation), (hereinafter referred to as GDPR),

– Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act.),

– Act CVIII of 2001 on certain issues of electronic commerce activities and information society services,

– Act CXIX of 1995 on the processing of name and address data for the purposes of research and direct marketing (DMtv.), and

– the provisions of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising Activities (Act XLVIII of 2008).

 

  1. The scope of this Privacy Notice applies to the processing of data that the Data Controller incurs when using the services provided through the website.

 

  1. For the purposes of this notice, a User is defined as: natural persons browsing the Website, regardless of the service they use, and natural persons who only browse the Website and do not use any service.

 

 

 

 

III. Legal basis for processing

 

  1. The legal basis for the processing carried out by the Data Controller is the consent of the User pursuant to Article 6(1)(a) of the GDPR for certain processing, and Article 6(1)(b) of the GDPR for processing in relation to an order, which requires processing for the performance of a contract to which the User is a party.

 

  1. You can read and become familiar with the Privacy Notice by clicking on the link marked “Privacy Notice” in the Privacy Notice referred to in this point, whereby the Data Controller provides the User with clear and detailed prior information. By ticking the checkbox in front of the Privacy Policy, the User declares that he/she has read and understood the Privacy Policy and, being aware of its contents, consents to the processing of his/her data as described in this Policy and accepts the provisions contained therein as binding.

 

  1. Processing without the data subject’s further specific consent or following the withdrawal of consent

 

  1. Data recorded with the consent of the User concerned may be processed by the Data Controller without the further specific consent of the User concerned or following the withdrawal of consent pursuant to Article 6 Section (1) of the GDPR, as follows.

 

  1. If the personal data have been collected with the consent of the User concerned, the Data Controller may process the collected data without the further specific consent of the User concerned, unless otherwise provided by law, and even after the withdrawal of the consent of the User concerned in the following cases:

 

– processing is necessary for compliance with a legal obligation to which the controller is subject;

– processing is necessary for the protection of the vital interests of the data subject or of another natural person;

– processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

– processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

 

  1. Before starting the processing on the basis of the above legitimate interest, the Data Controller shall in any case – as a mandatory requirement – carry out the so-called interest balancing test. The balancing of interests test is a three-step process during which the Data Controller identifies the legitimate interest and the countervailing interest of the User concerned and the fundamental right affected by the envisaged processing. Finally, based on the completion of the weighing, the Data Controller determines whether the personal data can be processed pursuant to Article 6 Section (1) (f) GDPR.

 

  1. The Data Controller shall inform the User concerned of the result of the balancing of interests test in such a way that the User can clearly identify the legitimate interest and the reasons why the processing of his or her personal data by the Data Controller without his or her consent is a proportionate restriction.

 

  1. When carrying out the balancing of interests test, the Data Controller shall act in accordance with the provisions of Opinion No 6/2014 of the Working Party on the Protection of Individuals with regard to the Processing of Personal Data of the Council of the European Union, which contains the relevant findings. The Opinion is available at the following link: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_hu.pdf#h2-2

 

  1. Other possible legal grounds for processing based on law

 

  1. The legal basis for the processing is also the processing necessary for the fulfilment of a legal obligation pursuant to Article 6 Section (1)(c) of the GDPR in the relevant cases. In certain cases, the controller may be obliged to carry out mandatory processing required by law or other legislation. In addition, the Data Controller is obliged to comply with any requests from public authorities, which may also involve the processing or transfer of personal data, which is also a legal obligation of the Data Controller.

 

2.Pursuant to Article 6 Section (1) (d) and (f) of the GDPR, we further inform you that the Controller may process the User’s personal data without the consent of the User, even if the processing is necessary for the protection of the vital interests of the User or of another natural person or if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the User concerned which require the protection of personal data, in particular where the User is a child.

 

In any case, before starting the processing on the basis of the above legitimate interests, the Data Controller will carry out – as a mandatory requirement – the so-called interest balancing test as described in points 4.3 to 4.5 of this Notice.

 

  1. Pursuant to Article 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter: Ektv.), the Data Controller also informs the User of the following.

 

The service provided by the Data Controller is an information society – electronic commerce – service within the meaning of the Act.

 

The Data Controller may process the natural person identification data and the address of the user (User) for the purpose of creating the contract for the provision of its service, determining the content, amending it, monitoring its performance, invoicing the fees arising from it and enforcing claims relating to it.

The Data Controller may process the natural person’s identification data, the address of the User who has used its services, as well as data relating to the time, duration and place of use of the services, for the purpose of invoicing the fees resulting from the contract for the provision of its services.

 

The controller may process personal data that are technically necessary for the provision of the service. The Controller shall, other things being equal, choose and in any case operate the means used for the provision of the service in such a way that personal data are processed only to the extent strictly necessary for the provision of the service and for the fulfilment of the other purposes laid down in this Act, but even then only to the extent and for the duration necessary.

 

The data controller may process data relating to the use of the service for any purposes other than those set out above, in particular to improve the effectiveness of its service, to deliver electronic advertising or other targeted content to the recipient, to conduct market research, only with the prior specification of the purpose of the processing and with the consent of the recipient.

 

  1. Data processing related to the provision of an IT service

 

  1. Data subject: all Users visiting the Website, regardless of their use of the services available on the Website.

 

  1. For processing that enables visit analysis and marketing activities, the User’s consent pursuant to Article 6 Section (1)(a) GDPR. The User may consent to the technical collection of data for the purposes of traffic analysis and marketing by ticking the checkboxes in the information window that pops up when the User starts browsing the website.

 

  1. Definition of the scope of the data processed: the information technology processing concerns the data necessary for the functioning of the “cookies” used for the operation of the website and the use of the log files used by the web hosting provider.

 

Data processed to enable user-friendly browsing:

 

– the web pages visited during your visit to the website and the order in which they were opened

– IP address of the device used by the user.

 

The scope of the data processed to measure the number of visits to the site:

 

– the web pages visited during the visit to the website and their opening order

– the frequency with which each web page of the site is viewed

– which other website the User came to this website from (only for websites with a link to this website)

– the geographical location of the User visiting the site (based on the ISP’s data, only approximate data on the location of the browsing device)

 

– the time you started browsing the site

– the time you leave the website (end your browsing)

– the duration of your browsing of the website.

 

Data processed to verify access to the website:

– User name and password (may be stored at the User’s discretion)

– User’s e-mail address

– IP address of the device used by the User.

 

4.Purpose of processing: The use of “cookies” and log files is necessary for the user-friendly and secure operation of the website. The purpose of the processing of data through the use of cookies and “cookies” is to ensure the user-friendly operation of the website for the User concerned and to collect anonymous data about the use of the website.

 

In particular:

 

– Identification of the User’s device used for browsing, storage of identification data – until the time of browsing: based on the IP address. This makes browsing smoother, without which the User would have to identify himself or repeat processes for each page visited.

 

The data required for the following purposes are recorded anonymously and cannot be linked to an individual:


– To measure the number of visits to the website, to measure the frequency of visits to each page of the website and to measure the browsing time of each page of the website in order to enable the Data Controller to tailor the website to the maximum extent possible to the needs of the Users.


– Determining the location of the User (browsing device), mapping the level of interest in the Data Controller’s service by territory.

– Identification of the website from which the User came to this website, in order to learn about other topics of interest to Users interested in the Controller’s service and to measure the effectiveness of the activity promoting the Controller’s service.

To measure this data, the Controller’s IT system uses the tools of Google Analytics (Google Inc.). When viewing pages that use Google Analytics, Google cookies remember the preferences and information indicated by the user, which also means that anonymous data is collected to measure the number of visits to the website and to map browsing habits.

 

The above anonymous data is also accessed by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), the owner and operator of the Google Analytics tools. Google Inc. will also use this data for the purpose of delivering targeted advertising to the browser user, in addition to the aforementioned analysis. Google Inc. will do this by combining the anonymous data with the IP address of the browsing device used to determine the discoverable interests based on the browsing habits of the device and then deliver targeted advertising to the device. Google Inc. will not have access to any data other than the anonymous data described in this section.

 

The cookies (Facebook button, Facebook share button, Facebook like button) that facilitate your visit to the Facebook social networking site and the sharing and liking of this website on the social networking site are provided by Facebook Inc. and the anonymous data processed by these cookies is also accessed by Facebook Inc. (1601 Willow Road, Menlo Park, CA 94025, USA).

 

The cookies that facilitate the visit of the social networking site of the data controller Instagram (Instagram button) are provided by Instagram LLC., so that the anonymous data processed by these cookies is also accessed by Instagram LLC. Instagram LLC. is owned by Facebook Inc. and the Instagram service is operated by Facebook Inc., so the processing of data through the use of the service is carried out jointly by Facebook Inc. and Instagram LLC.

 

Through these services, Facebook Inc. and Instagram LLC. therefore have access to the anonymous data described above, which are processed to measure website traffic and to map browsing habits. Facebook Inc. and Instagram LLC. also use the above data to deliver targeted advertising to the browsing user, in addition to the aforementioned analyses. Facebook Inc. and Instagram LLC. do this by combining the anonymous data with the IP address of the browsing device used to determine the discoverable interests based on the browsing habits of the device and then deliver targeted advertising to that device. Facebook Inc. and Instagram LLC. do not have access to any data other than the anonymous data described in this section.

 

The following data are collected in a way that can be linked to the User’s person, but can only be accessed by the Data Controller:

 

– the possible storage of the user name and password to facilitate access (at the User’s choice)

– (user name, e-mail address, password), for the User’s convenience (for the User’s personal use only).

 

5.Duration of data processing.

 

Data necessary to ensure the user-friendliness of the website (IP address, order of the pages visited on the website during browsing) are recorded for the duration of the browsing session (i.e. the duration of the browsing session) and are deleted once the browsing session is completed. The processing of such data is carried out by the Data Controller’s own IT system and is not accessible to third parties, except in the case of IT processing (see below under “Use of a data processor”).

 

The data required to verify access and grant usage rights are stored for the duration of the browsing session (i.e. the duration of your browsing session) and are deleted once the session is over. The processing of such data is carried out by the Data Controller’s own IT system and is not accessible to third parties, except in the case of IT processing (see below under “Use of a data processor”).

 

The user name and password may be stored permanently at the User’s choice, by cookies on the User’s device, and the User may delete them in his/her browser settings, thus controlling the time of data storage.

 

The data on which the measurement of the number of visits and the mapping of habits regarding the use of the website are based are recorded anonymously by the Data Controller’s IT system from the outset and cannot be linked to any individual. The Controller’s IT system uses Google Analytics to measure this data. Only the cookie that the User has used to authorize the collection of data by Google Analytics is stored on the User’s device.  You can delete this in your browser settings, which will stop the data collection.

 

Anonymous data processed to measure the number of visits to the website and to map browsing habits, which is also accessible by Facebook Inc., which provides cookies to facilitate visits to the social networking sites of the Data Controller and the sharing and liking of this website on social networking sites, are permanently stored by Facebook Inc.’s tools, but for a maximum of 2 years, using cookies that are stored on the User’s browsing device. The User can delete these cookies or prevent them from working at any time by changing the settings of his browser.

 

  1. Data necessary to ensure the user-friendliness of the website (IP address, order of pages visited on the website during browsing) are not stored. The cookies providing the data are stored locally on the User’s device. Log files used by the web hosting provider are stored on the hosting provider’s server.

 

  1. For more information about the information technology data processing process and the information technology data processing using Google Analytics and Facebook Inc. tools, the User can access the warning bar that pops up when browsing the website, and the Google Analytics https://www.google.com/intl/hu_ALL/analytics/supportés and Facebook Inc. https://developers.facebook.com/products pages. The Data Controller uses only the functions offered by Google Analytics and Facebook Inc.

 

VII. Processing of data related to the receipt and response to a message

 

Users sending messages to the Data Controller by e-mail using the e-mail address(es) indicated on the website.

 

  1. Legal basis for processing: consent of the User pursuant to Article 6(1)(a) of the GDPR. By voluntarily providing the data requested in the messaging interface, by ticking the checkbox in front of the privacy statement and by voluntarily sending the message, or in the case of a message sent by e-mail, by voluntarily sending the e-mail, the User consents to the processing of the data provided and, where applicable, of any other data included in the message.

 

3.Definition of the scope of the data processed: for users who send messages, the data processing concerns the personal data and contact details to be filled in on the above-mentioned messaging interface, as well as any additional data that the User may provide in the message (including the e-mail message).

 

Scope of the data:

– surname

– first name

– e-mail address

 

With regard to the additional data that the User may provide in the message (including e-mail), the Data Controller will only process the data when receiving the message, if necessary in relation to the content of the message sent, but the Data Controller will not ask the User to provide any personal data that may be provided there. When such unexpected personal data is provided, the Data Controller shall not store the unexpected personal data and shall delete it from its IT system without delay.

 

  1. Purpose of processing: to enable the User to exchange messages with the Data Controller. The purpose of the processing of the personal data and contact details voluntarily provided by the User visiting the website, as indicated above, is to enable the User concerned to use the website’s messaging services.

 

The related services are:

– Messaging via the messaging interface (“Contact us / Have a question?” page),

– Receiving messages sent by e-mail (using the e-mail address(es) indicated on the site),

– replying to messages sent to the Data Controller by the above means, which the Data Controller will complete within 3 working days.

 

  1. Duration of processing: the Data Controller processes the data until the purpose is achieved. Accordingly, in the case of Users sending a message, the duration of the processing lasts until the message is replied to or the User’s request is fulfilled. The Data Controller shall delete the data processed for this purpose after the message has been replied to/ the request has been fulfilled. If the exchange of information takes place through several messages on related subjects, the Data Controller shall delete the data upon completion of the exchange of information or upon fulfilment of the request.

 

  1. Method of storage of the data: in a separate data management list in the IT system of the Data Controller, until the end of the information exchange period.

 

VIII. Data processing related to the sending of newsletters

 

  1. Data subject: the User who subscribes to the newsletter by filling in the subscription fields on the website. In addition, the User who consents to the sending of the newsletter in writing, on paper, when entering into a contract with the Data Controller or in writing, on paper, without entering into a contract.

 

Legal basis for data processing. Article 6 Section (1) and (2) of the GDPR. Voluntary consent is given by the User by reading this Privacy Policy and by filling in the fields for subscribing to the newsletter, by ticking the consent form provided therein or by ticking the consent form for sending the newsletter included in the written contract and signing the contract, or by filling in and signing a separate paper declaration. By doing so, the User declares that he or she consents to the processing of his or her data as set out in the privacy policy or the contract/declaration and to the sending of newsletters.

 

In addition to sending useful information, the newsletter service also aims at direct marketing by the Data Controller. The User may subscribe to this service independently of the use of other services. The use of this service is voluntary and based on the User’s decision, after having been duly informed. The User’s non-use of the newsletter service does not imply any disadvantage for him/her in using the website and its other services. The Data Controller does not make the use of its direct marketing service a condition for the use of any of its other services.

 

  1. Definition of the scope of the data processed:

– surname

– first name

– e-mail address.

 

4.Purpose of processing: sending of newsletters by the Data Controller to the User by e-mail. Sending newsletters means sending information about the Controller’s services, news and updates, attention-grabbing offers, promotional content.

 

5.Duration of data management: the Data Controller manages the data processed for the purpose of sending the newsletter until the User’s consent is withdrawn (unsubscribe) or until the data is deleted at the User’s request.

 

  1. Method of storage of the data: in a separate data management list in the Data Controller’s IT system, and the data processed for the purpose of sending the newsletter, which the User has provided to the Data Controller on paper, including by means of paper contracts/statements.

 

  1. Registration-related data processing

 

  1. Data subjects concerned: users who register on the website.

 

  1. Voluntary consent is given by the User by filling in the form on the main page of the website by clicking on “Register” and ticking the box in front of the privacy statement, and finally by submitting the registration.

 

  1. Definition of the scope of the data processed: for registered users, the data processing concerns the personal data and contact details to be filled in on the registration form referred to above.

 

Scope of data:

– lead name

– first name

– phone number

– e-mail address

– username

– password

– shipping address

– billing address.

 

  1. The purpose of processing the personal data and contact details voluntarily provided by the User registering on the website is to enable the User concerned to use the services of the website.

 

Related services:

– browse the site

– product information

– browsing the site, browsing the website

– sending messages to the Data Controller.

 

5.Duration of data processing. The data processing may also cease upon the User’s cancellation of the registration or upon the deletion of the User’s registration by the Data Controller. The User may delete his/her registration or request its deletion from the Data Controller at any time, which request shall be executed by the Data Controller without delay, but no later than 10 working days after receipt of the request.

 

  1. Method of storage of the data: in a separate processing list in the IT system of the Data Controller.

 

  1. Order-related data processing

 

  1. Data subjects concerned: Users placing an order on the website.

 

  1. When placing an order, the User is informed that the personal data provided in connection with the order will be processed by the Data Controller for the purpose of the performance of the contract based on the order.

 

3.Definition of the scope of the data processed: the data processing concerns the personal data and contact details to be filled in on the registration form displayed prior to placing the order referred to above – or in case of previous registration, on the registration form filled in at that time.

 

Scope of the data:

– lead name

– first name

– telephone number

– e-mail address

– password

– delivery address

– billing address

– purchase price of the order

– receipt/delivery method

– payment method

– date of payment.

 

  1. Purpose of data processing: fulfilling the order, data processing related to the operation of the webshop. The purpose of the processing of the personal data and contact details voluntarily provided by the User placing an order on the website is to enable the fulfilment of the order and to provide the related services of the website to the User concerned.

 

The related services are:

– information on the availability and characteristics of the product

– ordering a product

– the availability of the ordered product, the availability of the product information, the availability of the product, the availability of the product

– arranging delivery

– arranging the delivery of the product

– notifying the delivery

– invoicing

  1. Duration of data processing: during the delivery necessary to fulfil the order, data processing lasts until the delivery is completed. The Data Controller shall use a data processing restriction when transmitting data (name, delivery address, telephone number) to the carrier for the purpose of fulfilling the delivery.

 

As long as the possibility of enforcing the order exists, the data necessary for issuing the invoice (name, address) and the above data processed for the fulfilment of the order are processed for the period of the possible enforcement of the order (5 years from the conclusion of the contract – receipt of the confirmation of acceptance of the order), and the data necessary for issuing the invoice (name, address) for the period necessary to fulfil the obligation to keep records under the Accounting Act (8 years from the issue of the invoice).

 

  1. Method of storage of the data: on a separate data management list in the IT system of the Data Controller and on accounting vouchers for the purpose of the proper accounting in order to fulfil the obligation to keep the accounting vouchers required by the Act on Accounting.

 

  1. Data processing lists

 

  1. Lists related to information technology data management: anonymous lists containing data indicating the browsing habits of Users, as listed in point 6, and a temporary list of IP addresses of the devices of Users currently browsing, kept exclusively in the information system of the Data Controller. (The other data are stored on the User’s device and are not kept by the Data Controller in its own possession.)

 

  1. Exchange list: a list containing the data of users who have sent a message using the contact details on the website, as listed in point 7, and containing the data of the persons concerned by the ongoing exchange of information, for the duration of the exchange of information only. At the end of the exchange, the data of the data subject will be removed from the list.

 

  1. newsletter list: a list containing the data recorded for the purpose of sending newsletters, messages, information material and awareness-raising offers by e-mail, as listed in point 8. The data will be processed by the Data Controller until the User’s consent is withdrawn (unsubscribed) or until the data is deleted at the User’s request.

 

  1. Registration list: a list containing the registration data of registered users, as listed in point 9. The data will remain on this list until the registration is cancelled by the User or the Data Controller or until the User’s request for cancellation is processed.

 

  1. The data shall remain on this list until the User’s request for cancellation is processed, except in cases where the obligation to keep data for accounting purposes as required by law is fulfilled.

 

6.Data transfer register: The Data Controller shall keep a data transfer register for the purpose of monitoring the lawfulness of the data transfer and informing the data subject, which shall contain the date of the transfer of personal data processed by the Data Controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.

 

  1. Data Protection Incident Register: a register of unlawful processing or processing of personal data and the measures taken to rectify such unlawful processing or processing. It includes the scope of personal data affected by the personal data breach, the number and type of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, and, in the case of processing based on a legal obligation, other data specified in the law requiring the processing.

 

  1. In order to achieve the data processing purposes, the Data Controller stores the data in the form of separate lists, as described above, in databases, separate for each data processing purpose, in its IT system, and also by printing paper contracts/statements for the purpose of sending the newsletter.

 

XII. Duration of data processing

 

  1. The duration of the processing for each of the purposes of processing is for the period of time described above in the description of the purposes of processing. The Data Controller shall process the data of the User concerned until the purposes of the processing described above have been fulfilled or until the User’s consent is withdrawn or the data are deleted at the request of the User concerned.

 

2.This means that the data processing lasts until the withdrawal of the consent, the execution of the cancellation request, the cancellation of the registration, the unsubscription from the newsletter, and in the relevant cases until the fulfilment of the legal obligation. The User may at any time object to the processing, request the cessation of the processing, the cessation of certain processing methods or the deletion of the data, both for specific purposes and in full. In such cases, the processing shall continue until the receipt and processing of such a request, which shall be carried out by the Controller without undue delay, but not later than 10 working days. The User may unsubscribe from the newsletter at any time by using the unsubscribe link included in the newsletters, by sending a written request to help@ssolerawap.com e-mail or by sending the objections or requests outlined above by e-mail. Requests sent by e-mail will be considered valid by the Data Controller only if they are sent from the e-mail address provided by the User to the Data Controller in connection with the use of the website, or provided when subscribing to the newsletter or in the written contract/statement and registered with the Data Controller, but the use of another e-mail address does not imply that the request is ignored.

 

XIII. How data is stored

 

  1. The Data Controller stores the data in the form of separate lists in databases, separated according to the purposes of data processing, in its IT system, and also by means of paper contracts/statements for the purpose of sending the newsletter.

 

 

 

 

XIV. Deletion of data, restriction of processing

 

  1. Data processing shall cease for all purposes and the data shall be deleted within 10 working days of receipt of the User’s request to that effect, including the deletion of data already transferred to a new controller (provided that deletion is not excluded by law).

 

  1. Where processing is subject to restriction, such personal data, except for storage, may be processed only with the consent of the User or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

 

  1. Furthermore, the Controller shall delete the personal data if.

– processing is unlawful,

– the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

– the processed data is incomplete or inaccurate – and this situation cannot be lawfully remedied – provided that erasure is not excluded by law,

– the purpose of the processing has ceased to exist or the time limit for the storage of the data laid down by law has expired,

– ordered by a court or the National Authority for Data Protection and Freedom of Information.

 

  1. Data transmission

 

  1. Data subjects concerned by the transfer of data: users who choose to pay online when placing an order on the website, irrespective of the use of other services provided by the website.

 

  1. The recipient of the transfer:

 

UniCredit Bank Hungary Zrt.

Tax number: 10325737-4-44

Registered office: 1054 Budapest, Szabadság tér 5-6.

Postal address: H-1242 Budapest, Pf.386

Phone: +36303253200

E-mail: info@unicreditgroup.hu

Website: www.unicreditbank.hu

Business company as the provider of the online payment service available on the website of the Data Controller.

 

Legal basis for the transfer of data: the User’s consent pursuant to Article 6 Section (1) (a) of the GDPR. By selecting the online payment method and submitting the order, the User, after having read the Privacy Policy, voluntarily consents to the processing of his/her data necessary for the secure processing of the online payment.

 

  1. Scope of the data transmitted:

– username

– line name

– first name

– country

– telephone number

– e-mail address.

 

  1. Purpose of the data transfer: to ensure the proper operation of the payment service and the technical processing of payments, to confirm transactions, to operate fraud-monitoring – a fraud detection system supporting the control of banking transactions initiated electronically – in order to protect the interests of users, and to provide customer service assistance to the User.

 

  1. The transfer of data will be made solely for the purposes set out above.

 

  1. Furthermore, the Data Controller shall only transmit data to public authorities if required to do so by law.

 

  1. The Data Controller shall not transfer data to third parties for commercial or marketing purposes.

 

  1. The Data Controller shall keep a record of data transfers.

 

XVI. Use of a data processor

The Data Controller uses the following entities as data processors.

 

  1. Payment service provider

 

Company name:

UniCredit Bank Hungary Zrt.

Registered office:

1054 Budapest, Szabadság tér 5-6.

Telephone:

+36303253200

E-mail:

info@unicreditgroup.hu

 

The payment transactions made by the data subject are processed by the payment systems provided by the payment service providers referred to in this point for the payment accounts of the Company. The data may only be accessed by the employees of the Data Controller and, in accordance with their respective data management information, by the employees of the payment service providers, who are all responsible for the secure processing of the data.

 

Purpose

 

To ensure the cash flow of the Data Controller

Legal basis

 

To comply with a legal obligation under Article 6 section (1) (c) of the GDPR

Data subjects

Data subjects in a contractual relationship

Scope of data

Name of the data subject, the bank of the account holder, the bank account number and the amount of the payment

Data controller

 

The Company

Persons entitled to access the data

The Company and its employees under an employment or agency relationship with the Company and the payment service provider and its employees

Time limit for processing and deletion of data

As specified in the payment service provider’s information notice.

Method of storage of data

Electronic

Data transmission

None

 

 

  1. IT data processing

 

Company name:

Paylike Inc.

Registered office:

Klostergade 56B, 1, 8000 Aarhus, Denmark

Telephone:

E-mail:

hello@paylike.io

 

Company name:

WordPress / Automatic Inc.

Registered office:

60 29th Street #343, San Francisco, CA 94110

Telephone:

(877) 273 3049

 

Data processing operations consisting of the technical operations necessary for the operation of the website and the provision of the services provided through it, in order to ensure the operation of the website in the information technology sense for the User concerned.

 

Purpose

 

Processing of data relating to the use of the services provided by the Site by Users visiting the Site

Legal basis

 

To comply with a legal obligation under Article 6 Section (1)(c) of the GDPR

Data subjects

Data subjects in a contractual relationship

Scope of data

The processing concerns all the data indicated in this notice.

Data controller

 

The Company

Persons entitled to access the data

The Company and its employees who have an employment or agency relationship with it and the processor and its employees

Time limit for processing and deletion of data

According to the rules of the data processor

Method of storage of data

Electronic

Data transmission

 

None

 

 

  1. Processing of data related to the sending of newsletters

 

3.1.The data subjects concerned by the processing: users who subscribe to the newsletter on the website, irrespective of the use of other services provided by the website.

 

3.2. The Data Controller uses as a data processor

 

SalesAutopilot Kft.

Company registration number: 01-09-286773

Tax number: 25743500-2-41

Registered office: 1024 Budapest, Margit körút 31-33., mezzanine 4.

Phone: +1 3614900172

Website: salesautopilot.hu

as the developer and maintainer of the newsletter sending software used by the Data Controller (hereinafter referred to as the “Data Processor”).

 

3.3.Legal basis for data processing: on the basis of the User’s consent pursuant to Article 6(1)(a) of the GDPR, the Data Controller may use a data processor, subject to the User’s prior information. The User, by giving his/her consent to the sending of the newsletter to the Data Controller, as described in the section on sending newsletters above, after having read the Data Processing Notice, voluntarily consents to the use of a data processor for the processing of his/her data necessary for the sending of the newsletter.

 

3.4. Definition of the data subject of the processing: The processing of data concerns all the data indicated in the section on sending the newsletter in this notice.

 

3.5.Purpose of data processing: to ensure the operation of the software used by the Data Controller for sending newsletters in the information technology sense, by means of data processing in the technical operations necessary for the secure operation of the software.

 

3.6 Duration of the processing: the same as the processing periods indicated in the chapter on the sending of the newsletter in this information note.

 

3.7. The processing of the data consists exclusively of the technical operations necessary for the operation of the newsletter sending software in the IT sense.

 

  1. Data processing related to product delivery

 

4.1.Data subjects concerned by the processing of data: users who choose to receive their order by delivery on the website, regardless of whether they use other services provided by the website.

 

4.2. The Data Controller primarily uses as data processors

 

GLS General Logistics System Hungary Logistics Limited Liability Company

Registration number: 1309111755

Tax number: 12369410244

Registered office: 2351 Alsónémedi, GLS Európa u. 2.

Postal address: 2351 Alsónémedi, GLS Európa u. 2

Phone: +36 29886670

E-mail: info@gls-hungary.com

Website: gls-group.eu/HU

as the carrier delivering the products ordered (hereinafter referred to as the “Data Processor”).

 

4.3. Legal basis for processing: Article 6 Section (1)(b) GDPR, which states that processing is necessary for the performance of a contract to which the User is a party. The Data Controller may use a data processor for the performance of the contract, subject to prior information of the User. The User shall be informed of the content of the contract concluded with him/her and of the use of a data processor for the processing of his/her data necessary for the delivery of the ordered product when he/she receives the data processing information, when choosing the delivery method and when placing the order.

 

4.4.Definition of the scope of the data processing: the processing of the data concerns the following data of the User in order to fulfil the contract (delivery) resulting from the User’s order:

– line name

– first name

– telephone number

– delivery address.

 

4.5. The purpose of the processing of the data is to carry out the delivery of the ordered product within the framework of the performance of the contract resulting from the User’s order, by delivering it to the address indicated by the User, if necessary by telephone agreement on the place and time of delivery.

 

4.6. Duration of data processing: for the time necessary to carry out the delivery and delivery.

 

4.7. The processing of the data is limited to the technical operations necessary to carry out the delivery and delivery.

 

  1. No other processing of data takes place.

 

  1. The Processors have no interest in the business of the Controller.
  2. The Data Controller does not use any other data processor than the Data Processors indicated above.

 

XVIII. User’s rights in relation to data management

 

  1. Right of access: Upon the User’s request, the Data Controller shall provide information about the data processed by the User or by the Data Processor, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the Data Processor and its activities related to the processing, the circumstances and effects of any data breach and the measures taken to remedy the data breach, and, in the case of the transfer of the personal data of the data subject, the legal basis and the recipient of the transfer. The Controller shall provide the information without undue delay and at the latest within one month of receipt of the request.

The information shall be provided free of charge once per calendar year, and a fee may be charged for additional occasions when information is requested. However, the fee already paid shall be refunded if an unlawfulness is established with regard to the processing of the data or if the data have to be rectified for reasons attributable to the Data Controller.

 

In the context of the right of access, the Data Controller shall provide the User with a copy of the personal data subject to processing, at the latest within one month of receipt of the request. For any additional copies requested by the User, the Controller may charge a reasonable fee based on administrative costs (as set out in Chapter 19).

 

  1. Right to data portability: the User has the right to receive the personal data concerning him/her which he/she has provided to the Data Controller in a structured, commonly used, machine-readable format, and the right to transmit such data to another controller without hindrance from the controller to which he/she has provided the personal data, if:

(a) the processing is based on the consent of the User or on a contract; and

(b) the processing is carried out by automated means.

In exercising the right to data portability as set out above, the User has the right to request, where technically feasible, the direct transfer of personal data between controllers.

 

  1. Right to rectification: the User may request the rectification of his/her processed data, which the Data Controller shall carry out without undue delay, but no later than one month from the receipt of the request. Taking into account the purposes of the processing, the User shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

 

  1. Right to restriction of processing: the Data Controller shall designate the personal data it processes for the purpose of restricting the processing. The Data Controller shall designate the personal data which the User has provided to the Data Controller for processing:

(a) the User contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the User opposes the erasure of the data and requests instead the restriction of their use;

(c) the Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or

(d) the User has objected to the processing based on the legitimate interests of the Controller; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.

 

Each User has the right to object to or prohibit the inclusion of his/her name and address data, contact details on a commercial list, the use of his/her data for direct commercial purposes or for a specific purpose within a specific list, the use of such data for sending newsletters, the transfer of such data to third parties, and to request other restrictions of his/her personal data, the termination of the processing of all or specific lists held by the Data Controller, including data transferred to third parties. The Controller shall carry out the erasure without undue delay after receipt of the request, but within a maximum of 10 working days, and shall inform the User concerned in writing within a further 15 days of the execution of the request.

 

  1. Right to erasure (“right to be forgotten”): The Controller shall erase personal data if:
  2. a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  3. b) the User withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
  4. c) the User objects to the processing and there is no overriding legitimate ground for the processing or the User objects to the processing for direct marketing purposes;
  5. d) the personal data have been unlawfully processed;

(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

(f) the personal data have been collected in connection with the provision of information society services;

(g) where the controller has disclosed the personal data and the personal data are no longer necessary for the purposes for which they were processed, the controller must erase them and take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question.

 

If the Data Controller has disclosed the personal data and is obliged to delete it as set out above, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the data controllers that have processed the data that the User has requested them to delete the links to or copies or duplicates of the personal data in question.

The controller shall notify the rectification, restriction and erasure to the User concerned and to all controllers to whom the data were previously transmitted. Notification may be omitted if it proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the User of these recipients.

  1. Right to object: The User has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data by the Controller based on his or her legitimate interests, including profiling based on the aforementioned provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

 

  1. The right to blocking

The data subject may request the blocking of his/her data by the Company using the contact details provided. The blocking shall last for as long as the reason indicated by the data subject makes it necessary to store the data. At the request of the data subject, the Company will do so without delay, but within a maximum of 30 days, and will send information to the e-mail address provided by the data subject.

 

XVIII. Compliance with your requests

 

  1. The information and action provided for in point 18 shall be provided by the Data Controller free of charge. If the request of the User concerned is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller shall, taking into account the administrative costs of providing the requested information or information or of taking the requested action:

(a) charge a reasonable fee; or

(b) refuse to act on the request.

 

  1. The Data Controller shall inform the User of the measures taken in response to the request, including the provision of copies of the data, without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the User of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request. If the User concerned has submitted his request by electronic means, the information shall be provided by the Data Controller by electronic means, unless the User concerned requests otherwise.

 

  1. If the Controller does not take action on the request of the User concerned, it shall inform the User concerned without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to act and of the right to lodge a complaint with the supervisory authority referred to in point 21 and to exercise the right of judicial remedy as provided for in that point.

 

  1. The User may submit his/her requests to the Data Controller by any means that allows the identification of the User. The identification of the User submitting the request is necessary because the Data Controller can only grant requests to those who are entitled to do so. If the Data Controller has reasonable doubts about the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the User concerned.

 

User’s requests may be sent by post to the address of the Data Controller indicated in point 1.1 or by e-mail to help@ssolerawap.com. Requests sent by e-mail shall be considered as authentic by the Data Controller only if they are sent from the e-mail address provided by the User to the Data Controller and registered there, however, the use of another e-mail address shall not imply that the request is ignored. In the case of e-mail, the date of receipt shall be deemed to be the first working day following the sending of the request.

 

XIX. Data protection, data security

 

1.The Data Controller shall ensure the security of data in its data processing and data handling activities, and shall ensure the enforcement of legal provisions and other data protection and confidentiality rules by technical and organizational measures and internal rules of procedure. In particular, it shall take appropriate measures to protect the processed data against unauthorized access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.

 

  1. To this end, the Data Controller uses the http protocol “https” to access the website, which allows web communications to be encrypted and uniquely identified. In addition, as described above, the Data Controller stores the processed data in encrypted data files, which are stored in separate processing lists for each processing purpose and to which access is granted to specific employees of the Data Controller who are responsible for the protection of the data and for their responsible processing in accordance with this notice and the applicable legislation.

 

  1. The data on which the measurement of the number of visits and the mapping of the habits of using the website are based are recorded anonymously by the Data Controller’s IT system from the beginning and cannot be linked to any person.

 

  1. Data will be processed only for the legitimate purposes set out in this notice and only to the extent necessary and proportionate for those purposes, in accordance with the applicable laws and recommendations, and with appropriate security measures.

 

  1. Enforcement

 

1.Data subjects may exercise their rights of enforcement before the courts under Act V of 2013 on the Civil Code, the GDPR and the Infotv., and may also apply to the National Authority for Data Protection and Freedom of Information:

 

National Authority for Data Protection and Freedom of Information

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Postal address: 1530 Budapest, PO Box 5.

Phone: +36 1 391 1400

Fax: +36 1 391 1410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu/

In the event that the User concerned chooses to take legal action, the action may also be brought before the court of the place of residence or domicile of the User concerned, as the court has jurisdiction to hear the case.

 

XXI. Miscellaneous provisions

With regard to the data transferred within the scope of this Privacy Notice, the data processors, who are individually responsible for the personal data processing carried out by them on behalf of the Company, are.

 

This Privacy Notice is published in the Official Journal of the European Union 2020.

 

The Data Controller reserves the right to amend this Privacy Notice unilaterally at any time, with prior notice to the data subjects. Data subjects will be informed by means of a notice on http://felhomatrac.hu/ at least eight calendar days prior to the modification.

 

 

PRIVACY NOTICE AND INFORMATION ON THE PROCESSING OF PERSONAL DATA

 

KlassDSign Limited Liability Company (seat: 2800 Tatabánya, Banyi János u. 18.; registration number: 11 09 021505), as a data controller (hereinafter referred to as the Company or the Data Controller), processes the data concerned in the course of the activities it provides in accordance with the provisions of this information.

The Company aims to fully comply with the legal requirements for the processing of personal data, in particular with the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (the “Privacy Act”) and Regulation (EU) 2016/679 of the European Parliament and of the Council (the “Regulation” or “GDPR”), and therefore, through this notice, the Company aims to ensure the enforcement of the right to transparent information as provided for in Article 12 of the GDPR.

This Privacy Notice has been prepared in accordance with the GDPR and the Privacy Act.

The Data Controller declares that it will process personal data in accordance with the provisions of this Privacy Notice and will comply with the provisions of the GDPR, the Privacy Act and any other applicable legislation, in particular with regard to the content of this section:

The processing of personal data shall be lawful, fair and transparent for the data subject.

The processing of personal data must be carried out lawfully, fairly and fairly, and in accordance with the law and fairness of the data subject.

The purposes for which the personal data are processed must be adequate, relevant and the processing must be limited to what is necessary.

Personal data must be accurate and up to date. Inaccurate personal data must be deleted without delay.

Personal data must be stored in such a way that the identification of the data subjects is limited to the shortest period of time necessary for the purposes for which the data are processed.

Further processing of personal data other than as provided for in this notice shall be considered lawful where the processing is necessary to comply with a legal obligation, for reasons of public interest, for scientific research purposes, for statistical purposes or to present and pursue legal claims.

Personal data should be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organizational measures.

The principles of data protection apply to any information relating to an identified or identifiable natural person.

 

  1. Identification of the Data Controller and this website
  1. Name of the Data Controller: KlassDSign Ltd.

Company registration number: 11-09-021505

Tax number: 24286549211

Registered office: 2800 Tatabánya, Banyi János utca 18.

Postal address: 2800 Tatabánya, Banyi János utca 18.

Branch office: 1075 Budapest, Madách Imre út 18.

Website: www.plantebudpest.com

E-mail: help@ssolerawap.com

  1. Name of the website:

ssolerawap.com

The website accessible at the Internet address, the webpages and subpages accessible from that address.

  1. Hungarian law clause, scope of this notice
  1. Accordingly, the rules relating to the service and the contractual and data management provisions applicable to Users shall be governed by Hungarian law.

In view of the above, the Data Controller shall primarily:

– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); (The EU General Data Protection Regulation), (hereinafter referred to as GDPR),

– Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act.),

– Act CVIII of 2001 on certain issues of electronic commerce activities and information society services,

– Act CXIX of 1995 on the processing of name and address data for the purposes of research and direct marketing (DMtv.), and

– the provisions of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising Activities (Act XLVIII of 2008).

  1. The scope of this Privacy Notice applies to the processing of data that the Data Controller incurs when using the services provided through the website.
  1. For the purposes of this notice, a User is defined as: natural persons browsing the Website, regardless of the service they use, and natural persons who only browse the Website and do not use any service.

III. Legal basis for processing

 

  1. The legal basis for the processing carried out by the Data Controller is the consent of the User pursuant to Article 6(1)(a) of the GDPR for certain processing, and Article 6(1)(b) of the GDPR for processing in relation to an order, which requires processing for the performance of a contract to which the User is a party.
  1. You can read and become familiar with the Privacy Notice by clicking on the link marked “Privacy Notice” in the Privacy Notice referred to in this point, whereby the Data Controller provides the User with clear and detailed prior information. By ticking the checkbox in front of the Privacy Policy, the User declares that he/she has read and understood the Privacy Policy and, being aware of its contents, consents to the processing of his/her data as described in this Policy and accepts the provisions contained therein as binding.

 

  1. Processing without the data subject’s further specific consent or following the withdrawal of consent

 

  1. Data recorded with the consent of the User concerned may be processed by the Data Controller without the further specific consent of the User concerned or following the withdrawal of consent pursuant to Article 6 Section (1) of the GDPR, as follows.
  1. If the personal data have been collected with the consent of the User concerned, the Data Controller may process the collected data without the further specific consent of the User concerned, unless otherwise provided by law, and even after the withdrawal of the consent of the User concerned in the following cases:

– processing is necessary for compliance with a legal obligation to which the controller is subject;

– processing is necessary for the protection of the vital interests of the data subject or of another natural person;

– processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

– processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

  1. Before starting the processing on the basis of the above legitimate interest, the Data Controller shall in any case – as a mandatory requirement – carry out the so-called interest balancing test. The balancing of interests test is a three-step process during which the Data Controller identifies the legitimate interest and the countervailing interest of the User concerned and the fundamental right affected by the envisaged processing. Finally, based on the completion of the weighing, the Data Controller determines whether the personal data can be processed pursuant to Article 6 Section (1) (f) GDPR.
  1. The Data Controller shall inform the User concerned of the result of the balancing of interests test in such a way that the User can clearly identify the legitimate interest and the reasons why the processing of his or her personal data by the Data Controller without his or her consent is a proportionate restriction.
  1. When carrying out the balancing of interests test, the Data Controller shall act in accordance with the provisions of Opinion No 6/2014 of the Working Party on the Protection of Individuals with regard to the Processing of Personal Data of the Council of the European Union, which contains the relevant findings. The Opinion is available at the following link: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_hu.pdf#h2-2

 

  1. Other possible legal grounds for processing based on law
  1. The legal basis for the processing is also the processing necessary for the fulfilment of a legal obligation pursuant to Article 6 Section (1)(c) of the GDPR in the relevant cases. In certain cases, the controller may be obliged to carry out mandatory processing required by law or other legislation. In addition, the Data Controller is obliged to comply with any requests from public authorities, which may also involve the processing or transfer of personal data, which is also a legal obligation of the Data Controller.

2.Pursuant to Article 6 Section (1) (d) and (f) of the GDPR, we further inform you that the Controller may process the User’s personal data without the consent of the User, even if the processing is necessary for the protection of the vital interests of the User or of another natural person or if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the User concerned which require the protection of personal data, in particular where the User is a child.

In any case, before starting the processing on the basis of the above legitimate interests, the Data Controller will carry out – as a mandatory requirement – the so-called interest balancing test as described in points 4.3 to 4.5 of this Notice.

  1. Pursuant to Article 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter: Ektv.), the Data Controller also informs the User of the following.

The service provided by the Data Controller is an information society – electronic commerce – service within the meaning of the Act.

The Data Controller may process the natural person identification data and the address of the user (User) for the purpose of creating the contract for the provision of its service, determining the content, amending it, monitoring its performance, invoicing the fees arising from it and enforcing claims relating to it.

The Data Controller may process the natural person’s identification data, the address of the User who has used its services, as well as data relating to the time, duration and place of use of the services, for the purpose of invoicing the fees resulting from the contract for the provision of its services.

The controller may process personal data that are technically necessary for the provision of the service. The Controller shall, other things being equal, choose and in any case operate the means used for the provision of the service in such a way that personal data are processed only to the extent strictly necessary for the provision of the service and for the fulfilment of the other purposes laid down in this Act, but even then only to the extent and for the duration necessary.

The data controller may process data relating to the use of the service for any purposes other than those set out above, in particular to improve the effectiveness of its service, to deliver electronic advertising or other targeted content to the recipient, to conduct market research, only with the prior specification of the purpose of the processing and with the consent of the recipient.

  1. Data processing related to the provision of an IT service

 

  1. Data subject: all Users visiting the Website, regardless of their use of the services available on the Website.
  1. For processing that enables visit analysis and marketing activities, the User’s consent pursuant to Article 6 Section (1)(a) GDPR. The User may consent to the technical collection of data for the purposes of traffic analysis and marketing by ticking the checkboxes in the information window that pops up when the User starts browsing the website.
  1. Definition of the scope of the data processed: the information technology processing concerns the data necessary for the functioning of the “cookies” used for the operation of the website and the use of the log files used by the web hosting provider.

Data processed to enable user-friendly browsing:

– the web pages visited during your visit to the website and the order in which they were opened

– IP address of the device used by the user.

The scope of the data processed to measure the number of visits to the site:

– the web pages visited during the visit to the website and their opening order

– the frequency with which each web page of the site is viewed

– which other website the User came to this website from (only for websites with a link to this website)

– the geographical location of the User visiting the site (based on the ISP’s data, only approximate data on the location of the browsing device)

– the time you started browsing the site

– the time you leave the website (end your browsing)

– the duration of your browsing of the website.

Data processed to verify access to the website:

– User name and password (may be stored at the User’s discretion)

– User’s e-mail address

– IP address of the device used by the User.

4.Purpose of processing: The use of “cookies” and log files is necessary for the user-friendly and secure operation of the website. The purpose of the processing of data through the use of cookies and “cookies” is to ensure the user-friendly operation of the website for the User concerned and to collect anonymous data about the use of the website.

In particular:

– Identification of the User’s device used for browsing, storage of identification data – until the time of browsing: based on the IP address. This makes browsing smoother, without which the User would have to identify himself or repeat processes for each page visited.

The data required for the following purposes are recorded anonymously and cannot be linked to an individual:

– To measure the number of visits to the website, to measure the frequency of visits to each page of the website and to measure the browsing time of each page of the website in order to enable the Data Controller to tailor the website to the maximum extent possible to the needs of the Users.

– Determining the location of the User (browsing device), mapping the level of interest in the Data Controller’s service by territory.

– Identification of the website from which the User came to this website, in order to learn about other topics of interest to Users interested in the Controller’s service and to measure the effectiveness of the activity promoting the Controller’s service.

To measure this data, the Controller’s IT system uses the tools of Google Analytics (Google Inc.). When viewing pages that use Google Analytics, Google cookies remember the preferences and information indicated by the user, which also means that anonymous data is collected to measure the number of visits to the website and to map browsing habits.

The above anonymous data is also accessed by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), the owner and operator of the Google Analytics tools. Google Inc. will also use this data for the purpose of delivering targeted advertising to the browser user, in addition to the aforementioned analysis. Google Inc. will do this by combining the anonymous data with the IP address of the browsing device used to determine the discoverable interests based on the browsing habits of the device and then deliver targeted advertising to the device. Google Inc. will not have access to any data other than the anonymous data described in this section.

The cookies (Facebook button, Facebook share button, Facebook like button) that facilitate your visit to the Facebook social networking site and the sharing and liking of this website on the social networking site are provided by Facebook Inc. and the anonymous data processed by these cookies is also accessed by Facebook Inc. (1601 Willow Road, Menlo Park, CA 94025, USA).

The cookies that facilitate the visit of the social networking site of the data controller Instagram (Instagram button) are provided by Instagram LLC., so that the anonymous data processed by these cookies is also accessed by Instagram LLC. Instagram LLC. is owned by Facebook Inc. and the Instagram service is operated by Facebook Inc., so the processing of data through the use of the service is carried out jointly by Facebook Inc. and Instagram LLC.

Through these services, Facebook Inc. and Instagram LLC. therefore have access to the anonymous data described above, which are processed to measure website traffic and to map browsing habits. Facebook Inc. and Instagram LLC. also use the above data to deliver targeted advertising to the browsing user, in addition to the aforementioned analyses. Facebook Inc. and Instagram LLC. do this by combining the anonymous data with the IP address of the browsing device used to determine the discoverable interests based on the browsing habits of the device and then deliver targeted advertising to that device. Facebook Inc. and Instagram LLC. do not have access to any data other than the anonymous data described in this section.

The following data are collected in a way that can be linked to the User’s person, but can only be accessed by the Data Controller:

– the possible storage of the user name and password to facilitate access (at the User’s choice)

– (user name, e-mail address, password), for the User’s convenience (for the User’s personal use only).

5.Duration of data processing.

Data necessary to ensure the user-friendliness of the website (IP address, order of the pages visited on the website during browsing) are recorded for the duration of the browsing session (i.e. the duration of the browsing session) and are deleted once the browsing session is completed. The processing of such data is carried out by the Data Controller’s own IT system and is not accessible to third parties, except in the case of IT processing (see below under “Use of a data processor”).

The data required to verify access and grant usage rights are stored for the duration of the browsing session (i.e. the duration of your browsing session) and are deleted once the session is over. The processing of such data is carried out by the Data Controller’s own IT system and is not accessible to third parties, except in the case of IT processing (see below under “Use of a data processor”).

The user name and password may be stored permanently at the User’s choice, by cookies on the User’s device, and the User may delete them in his/her browser settings, thus controlling the time of data storage.

The data on which the measurement of the number of visits and the mapping of habits regarding the use of the website are based are recorded anonymously by the Data Controller’s IT system from the outset and cannot be linked to any individual. The Controller’s IT system uses Google Analytics to measure this data. Only the cookie that the User has used to authorize the collection of data by Google Analytics is stored on the User’s device.  You can delete this in your browser settings, which will stop the data collection.

Anonymous data processed to measure the number of visits to the website and to map browsing habits, which is also accessible by Facebook Inc., which provides cookies to facilitate visits to the social networking sites of the Data Controller and the sharing and liking of this website on social networking sites, are permanently stored by Facebook Inc.’s tools, but for a maximum of 2 years, using cookies that are stored on the User’s browsing device. The User can delete these cookies or prevent them from working at any time by changing the settings of his browser.

  1. Data necessary to ensure the user-friendliness of the website (IP address, order of pages visited on the website during browsing) are not stored. The cookies providing the data are stored locally on the User’s device. Log files used by the web hosting provider are stored on the hosting provider’s server.
  1. For more information about the information technology data processing process and the information technology data processing using Google Analytics and Facebook Inc. tools, the User can access the warning bar that pops up when browsing the website, and the Google Analytics https://www.google.com/intl/hu_ALL/analytics/supportés and Facebook Inc. https://developers.facebook.com/products pages. The Data Controller uses only the functions offered by Google Analytics and Facebook Inc.

VII. Processing of data related to the receipt and response to a message

 

Users sending messages to the Data Controller by e-mail using the e-mail address(es) indicated on the website.

  1. Legal basis for processing: consent of the User pursuant to Article 6(1)(a) of the GDPR. By voluntarily providing the data requested in the messaging interface, by ticking the checkbox in front of the privacy statement and by voluntarily sending the message, or in the case of a message sent by e-mail, by voluntarily sending the e-mail, the User consents to the processing of the data provided and, where applicable, of any other data included in the message.

3.Definition of the scope of the data processed: for users who send messages, the data processing concerns the personal data and contact details to be filled in on the above-mentioned messaging interface, as well as any additional data that the User may provide in the message (including the e-mail message).

Scope of the data:

– Surname

– first name

– e-mail address

With regard to the additional data that the User may provide in the message (including e-mail), the Data Controller will only process the data when receiving the message, if necessary in relation to the content of the message sent, but the Data Controller will not ask the User to provide any personal data that may be provided there. When such unexpected personal data is provided, the Data Controller shall not store the unexpected personal data and shall delete it from its IT system without delay.

  1. Purpose of processing: to enable the User to exchange messages with the Data Controller. The purpose of the processing of the personal data and contact details voluntarily provided by the User visiting the website, as indicated above, is to enable the User concerned to use the website’s messaging services.

The related services are:

– Messaging via the messaging interface (“Contact us / Have a question?” page),

– Receiving messages sent by e-mail (using the e-mail address(es) indicated on the site),

– replying to messages sent to the Data Controller by the above means, which the Data Controller will complete within 3 working days.

  1. Duration of processing: the Data Controller processes the data until the purpose is achieved. Accordingly, in the case of Users sending a message, the duration of the processing lasts until the message is replied to or the User’s request is fulfilled. The Data Controller shall delete the data processed for this purpose after the message has been replied to/ the request has been fulfilled. If the exchange of information takes place through several messages on related subjects, the Data Controller shall delete the data upon completion of the exchange of information or upon fulfilment of the request.
  1. Method of storage of the data: in a separate data management list in the IT system of the Data Controller, until the end of the information exchange period.

 

VIII. Data processing related to the sending of newsletters

 

  1. Data subject: the User who subscribes to the newsletter by filling in the subscription fields on the website. In addition, the User who consents to the sending of the newsletter in writing, on paper, when entering into a contract with the Data Controller or in writing, on paper, without entering into a contract.

Legal basis for data processing. Article 6 Section (1) and (2) of the GDPR. Voluntary consent is given by the User by reading this Privacy Policy and by filling in the fields for subscribing to the newsletter, by ticking the consent form provided therein or by ticking the consent form for sending the newsletter included in the written contract and signing the contract, or by filling in and signing a separate paper declaration. By doing so, the User declares that he or she consents to the processing of his or her data as set out in the privacy policy or the contract/declaration and to the sending of newsletters.

In addition to sending useful information, the newsletter service also aims at direct marketing by the Data Controller. The User may subscribe to this service independently of the use of other services. The use of this service is voluntary and based on the User’s decision, after having been duly informed. The User’s non-use of the newsletter service does not imply any disadvantage for him/her in using the website and its other services. The Data Controller does not make the use of its direct marketing service a condition for the use of any of its other services.

  1. Definition of the scope of the data processed:

– surname

– first name

– e-mail address.

4.Purpose of processing: sending of newsletters by the Data Controller to the User by e-mail. Sending newsletters means sending information about the Controller’s services, news and updates, attention-grabbing offers, promotional content.

5.Duration of data management: the Data Controller manages the data processed for the purpose of sending the newsletter until the User’s consent is withdrawn (unsubscribe) or until the data is deleted at the User’s request.

  1. Method of storage of the data: in a separate data management list in the Data Controller’s IT system, and the data processed for the purpose of sending the newsletter, which the User has provided to the Data Controller on paper, including by means of paper contracts/statements.

 

  1. Registration-related data processing

 

  1. Data subjects concerned: users who register on the website.
  1. Voluntary consent is given by the User by filling in the form on the main page of the website by clicking on “Register” and ticking the box in front of the privacy statement, and finally by submitting the registration.
  1. Definition of the scope of the data processed: for registered users, the data processing concerns the personal data and contact details to be filled in on the registration form referred to above.

Scope of data:

– lead name

– first name

– phone number

– e-mail address

– username

– password

– shipping address

– billing address.

  1. The purpose of processing the personal data and contact details voluntarily provided by the User registering on the website is to enable the User concerned to use the services of the website.

Related services:

– browse the site

– product information

– browsing the site, browsing the website

– sending messages to the Data Controller.

5.Duration of data processing. The data processing may also cease upon the User’s cancellation of the registration or upon the deletion of the User’s registration by the Data Controller. The User may delete his/her registration or request its deletion from the Data Controller at any time, which request shall be executed by the Data Controller without delay, but no later than 10 working days after receipt of the request.

  1. Method of storage of the data: in a separate processing list in the IT system of the Data Controller.

 

  1. Order-related data processing

 

  1. Data subjects concerned: Users placing an order on the website.
  1. When placing an order, the User is informed that the personal data provided in connection with the order will be processed by the Data Controller for the purpose of the performance of the contract based on the order.

3.Definition of the scope of the data processed: the data processing concerns the personal data and contact details to be filled in on the registration form displayed prior to placing the order referred to above – or in case of previous registration, on the registration form filled in at that time.

Scope of the data:

– lead name

– first name

– telephone number

– e-mail address

– password

– delivery address

– billing address

– purchase price of the order

– receipt/delivery method

– payment method

– date of payment.

  1. Purpose of data processing: fulfilling the order, data processing related to the operation of the webshop. The purpose of the processing of the personal data and contact details voluntarily provided by the User placing an order on the website is to enable the fulfilment of the order and to provide the related services of the website to the User concerned.

The related services are:

– information on the availability and characteristics of the product

– ordering a product

– the availability of the ordered product, the availability of the product information, the availability of the product, the availability of the product

– arranging delivery

– arranging the delivery of the product

– notifying the delivery

– invoicing

  1. Duration of data processing: during the delivery necessary to fulfil the order, data processing lasts until the delivery is completed. The Data Controller shall use a data processing restriction when transmitting data (name, delivery address, telephone number) to the carrier for the purpose of fulfilling the delivery.

As long as the possibility of enforcing the order exists, the data necessary for issuing the invoice (name, address) and the above data processed for the fulfilment of the order are processed for the period of the possible enforcement of the order (5 years from the conclusion of the contract – receipt of the confirmation of acceptance of the order), and the data necessary for issuing the invoice (name, address) for the period necessary to fulfil the obligation to keep records under the Accounting Act (8 years from the issue of the invoice).

  1. Method of storage of the data: on a separate data management list in the IT system of the Data Controller and on accounting vouchers for the purpose of the proper accounting in order to fulfil the obligation to keep the accounting vouchers required by the Act on Accounting.
  1. Data processing lists

 

  1. Lists related to information technology data management: anonymous lists containing data indicating the browsing habits of Users, as listed in point 6, and a temporary list of IP addresses of the devices of Users currently browsing, kept exclusively in the information system of the Data Controller. (The other data are stored on the User’s device and are not kept by the Data Controller in its own possession.)
  1. Exchange list: a list containing the data of users who have sent a message using the contact details on the website, as listed in point 7, and containing the data of the persons concerned by the ongoing exchange of information, for the duration of the exchange of information only. At the end of the exchange, the data of the data subject will be removed from the list.
  1. newsletter list: a list containing the data recorded for the purpose of sending newsletters, messages, information material and awareness-raising offers by e-mail, as listed in point 8. The data will be processed by the Data Controller until the User’s consent is withdrawn (unsubscribed) or until the data is deleted at the User’s request.
  1. Registration list: a list containing the registration data of registered users, as listed in point 9. The data will remain on this list until the registration is cancelled by the User or the Data Controller or until the User’s request for cancellation is processed.
  1. The data shall remain on this list until the User’s request for cancellation is processed, except in cases where the obligation to keep data for accounting purposes as required by law is fulfilled.

6.Data transfer register: The Data Controller shall keep a data transfer register for the purpose of monitoring the lawfulness of the data transfer and informing the data subject, which shall contain the date of the transfer of personal data processed by the Data Controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.

  1. Data Protection Incident Register: a register of unlawful processing or processing of personal data and the measures taken to rectify such unlawful processing or processing. It includes the scope of personal data affected by the personal data breach, the number and type of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, and, in the case of processing based on a legal obligation, other data specified in the law requiring the processing.
  1. In order to achieve the data processing purposes, the Data Controller stores the data in the form of separate lists, as described above, in databases, separate for each data processing purpose, in its IT system, and also by printing paper contracts/statements for the purpose of sending the newsletter.

 

XII. Duration of data processing

 

  1. The duration of the processing for each of the purposes of processing is for the period of time described above in the description of the purposes of processing. The Data Controller shall process the data of the User concerned until the purposes of the processing described above have been fulfilled or until the User’s consent is withdrawn or the data are deleted at the request of the User concerned.

2.This means that the data processing lasts until the withdrawal of the consent, the execution of the cancellation request, the cancellation of the registration, the unsubscription from the newsletter, and in the relevant cases until the fulfilment of the legal obligation. The User may at any time object to the processing, request the cessation of the processing, the cessation of certain processing methods or the deletion of the data, both for specific purposes and in full. In such cases, the processing shall continue until the receipt and processing of such a request, which shall be carried out by the Controller without undue delay, but not later than 10 working days. The User may unsubscribe from the newsletter at any time by using the unsubscribe link included in the newsletters, by sending a written request to hello@ssolerawap.com e-mail or by sending the objections or requests outlined above by e-mail. Requests sent by e-mail will be considered valid by the Data Controller only if they are sent from the e-mail address provided by the User to the Data Controller in connection with the use of the website, or provided when subscribing to the newsletter or in the written contract/statement and registered with the Data Controller, but the use of another e-mail address does not imply that the request is ignored.

 

XIII. How data is stored

 

  1. The Data Controller stores the data in the form of separate lists in databases, separated according to the purposes of data processing, in its IT system, and also by means of paper contracts/statements for the purpose of sending the newsletter.

 

 

 

 

XIV. Deletion of data, restriction of processing

  1. Data processing shall cease for all purposes and the data shall be deleted within 10 working days of receipt of the User’s request to that effect, including the deletion of data already transferred to a new controller (provided that deletion is not excluded by law).
  1. Where processing is subject to restriction, such personal data, except for storage, may be processed only with the consent of the User or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
  1. Furthermore, the Controller shall delete the personal data if.

– processing is unlawful,

– the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

– the processed data is incomplete or inaccurate – and this situation cannot be lawfully remedied – provided that erasure is not excluded by law,

– the purpose of the processing has ceased to exist or the time limit for the storage of the data laid down by law has expired,

– ordered by a court or the National Authority for Data Protection and Freedom of Information.

 

  1. Data transmission

 

  1. Data subjects concerned by the transfer of data: users who choose to pay online when placing an order on the website, irrespective of the use of other services provided by the website.
  1. The recipient of the transfer:

UniCredit Bank Hungary Zrt.

UniCredit Bank Zrt.

Tax number: 10325737444

Registered office: 1054 Budapest, Szabadság tér 5-6..

Postal address: 1242 Budapest Pf. 386

Phone: +36303253200

E-mail: info@unicreditgroup.hu

Website: www.unicreditbank.hu

Business company as the provider of the online payment service available on the website of the Data Controller.

Legal basis for the transfer of data: the User’s consent pursuant to Article 6 Section (1) (a) of the GDPR. By selecting the online payment method and submitting the order, the User, after having read the Privacy Policy, voluntarily consents to the processing of his/her data necessary for the secure processing of the online payment.

  1. Scope of the data transmitted:

– username

– line name

– first name

– country

– telephone number

– e-mail address.

  1. Purpose of the data transfer: to ensure the proper operation of the payment service and the technical processing of payments, to confirm transactions, to operate fraud-monitoring – a fraud detection system supporting the control of banking transactions initiated electronically – in order to protect the interests of users, and to provide customer service assistance to the User.
  1. The transfer of data will be made solely for the purposes set out above.
  1. Furthermore, the Data Controller shall only transmit data to public authorities if required to do so by law.
  1. The Data Controller shall not transfer data to third parties for commercial or marketing purposes.
  1. The Data Controller shall keep a record of data transfers.

XVI. Use of a data processor

The Data Controller uses the following entities as data processors.

 

  1. Payment service provider

Company name:

UniCredit Bank Zrt.

Registered office:

1054 Budapest, Szabadság tér 5-6..

Telephone:

+36303253200

E-mail:

info@unicreditgroup.hu

The payment transactions made by the data subject are processed by the payment systems provided by the payment service providers referred to in this point for the payment accounts of the Company. The data may only be accessed by the employees of the Data Controller and, in accordance with their respective data management information, by the employees of the payment service providers, who are all responsible for the secure processing of the data.

Purpose

To ensure the cash flow of the Data Controller

Legal basis

To comply with a legal obligation under Article 6 section (1) (c) of the GDPR

Data subjects

Data subjects in a contractual relationship

Scope of data

Name of the data subject, the bank of the account holder, the bank account number and the amount of the payment

Data controller

The Company

Persons entitled to access the data

The Company and its employees under an employment or agency relationship with the Company and the payment service provider and its employees

Time limit for processing and deletion of data

As specified in the payment service provider’s information notice.

Method of storage of data

Electronic

Data transmission

None

  1. IT data processing

Company name:

GoDaddy Inc.

Registered office:

14455 N. Hayden Rd., Ste 226, Scottsdale, AZ 85260 USA

Telephone:

016535976

E-mail:

ihq@godaddy.com

Company name:

WordPress / Automatic Inc.

Registered office:

60 29th Street #343, San Francisco, CA 94110

Telephone:

(877) 273 3049

Data processing operations consisting of the technical operations necessary for the operation of the website and the provision of the services provided through it, in order to ensure the operation of the website in the information technology sense for the User concerned.

Purpose

Processing of data relating to the use of the services provided by the Site by Users visiting the Site

Legal basis

To comply with a legal obligation under Article 6 Section (1)(c) of the GDPR

Data subjects

Data subjects in a contractual relationship

Scope of data

The processing concerns all the data indicated in this notice.

Data controller

The Company

Persons entitled to access the data

The Company and its employees who have an employment or agency relationship with it and the processor and its employees

Time limit for processing and deletion of data

According to the rules of the data processor

Method of storage of data

Electronic

Data transmission

None

  1. Processing of data related to the sending of newsletters

3.1.The data subjects concerned by the processing: users who subscribe to the newsletter on the website, irrespective of the use of other services provided by the website.

3.2. The Data Controller uses as a data processor

MailChimp / Rocket Science Group LLC

Company registration number: US26370239.

Tax number: 582554149

Registered office: 675 Ponce De Leon Ave Ne Ste 5000 Atlanta Georgia 30308.

Phone: (404) 806-5843

Website: mailchimp.com

as the developer and maintainer of the newsletter sending software used by the Data Controller (hereinafter referred to as the “Data Processor”).

3.3.Legal basis for data processing: on the basis of the User’s consent pursuant to Article 6(1)(a) of the GDPR, the Data Controller may use a data processor, subject to the User’s prior information. The User, by giving his/her consent to the sending of the newsletter to the Data Controller, as described in the section on sending newsletters above, after having read the Data Processing Notice, voluntarily consents to the use of a data processor for the processing of his/her data necessary for the sending of the newsletter.

3.4. Definition of the data subject of the processing: The processing of data concerns all the data indicated in the section on sending the newsletter in this notice.

3.5.Purpose of data processing: to ensure the operation of the software used by the Data Controller for sending newsletters in the information technology sense, by means of data processing in the technical operations necessary for the secure operation of the software.

3.6 Duration of the processing: the same as the processing periods indicated in the chapter on the sending of the newsletter in this information note.

3.7. The processing of the data consists exclusively of the technical operations necessary for the operation of the newsletter sending software in the IT sense.

  1. Data processing related to product delivery

4.1.Data subjects concerned by the processing of data: users who choose to receive their order by delivery on the website, regardless of whether they use other services provided by the website.

4.2. The Data Controller primarily uses as data processors

 

GLS General Logistics System Hungary Logistics Limited Liability Company

Registration number: 1309111755

Tax number: 12369410244

Registered office: 2351 Alsónémedi, GLS Európa u. 2.

Postal address: 2351 Alsónémedi, GLS Európa u. 2

Phone: +36 29886670

E-mail: info@gls-hungary.com

Website: gls-group.eu/HU

as the carrier delivering the products ordered (hereinafter referred to as the “Data Processor”).

4.3. Legal basis for processing: Article 6 Section (1)(b) GDPR, which states that processing is necessary for the performance of a contract to which the User is a party. The Data Controller may use a data processor for the performance of the contract, subject to prior information of the User. The User shall be informed of the content of the contract concluded with him/her and of the use of a data processor for the processing of his/her data necessary for the delivery of the ordered product when he/she receives the data processing information, when choosing the delivery method and when placing the order.

4.4.Definition of the scope of the data processing: the processing of the data concerns the following data of the User in order to fulfil the contract (delivery) resulting from the User’s order:

– line name

– first name

– telephone number

– delivery address.

4.5. The purpose of the processing of the data is to carry out the delivery of the ordered product within the framework of the performance of the contract resulting from the User’s order, by delivering it to the address indicated by the User, if necessary by telephone agreement on the place and time of delivery.

4.6. Duration of data processing: for the time necessary to carry out the delivery and delivery.

4.7. The processing of the data is limited to the technical operations necessary to carry out the delivery and delivery.

  1. No other processing of data takes place.
  1. The Processors have no interest in the business of the Controller.
  2. The Data Controller does not use any other data processor than the Data Processors indicated above.

XVIII. User’s rights in relation to data management

 

  1. Right of access: Upon the User’s request, the Data Controller shall provide information about the data processed by the User or by the Data Processor, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the Data Processor and its activities related to the processing, the circumstances and effects of any data breach and the measures taken to remedy the data breach, and, in the case of the transfer of the personal data of the data subject, the legal basis and the recipient of the transfer. The Controller shall provide the information without undue delay and at the latest within one month of receipt of the request.

The information shall be provided free of charge once per calendar year, and a fee may be charged for additional occasions when information is requested. However, the fee already paid shall be refunded if an unlawfulness is established with regard to the processing of the data or if the data have to be rectified for reasons attributable to the Data Controller.

In the context of the right of access, the Data Controller shall provide the User with a copy of the personal data subject to processing, at the latest within one month of receipt of the request. For any additional copies requested by the User, the Controller may charge a reasonable fee based on administrative costs (as set out in Chapter 19).

  1. Right to data portability: the User has the right to receive the personal data concerning him/her which he/she has provided to the Data Controller in a structured, commonly used, machine-readable format, and the right to transmit such data to another controller without hindrance from the controller to which he/she has provided the personal data, if:

(a) the processing is based on the consent of the User or on a contract; and

(b) the processing is carried out by automated means.

In exercising the right to data portability as set out above, the User has the right to request, where technically feasible, the direct transfer of personal data between controllers.

  1. Right to rectification: the User may request the rectification of his/her processed data, which the Data Controller shall carry out without undue delay, but no later than one month from the receipt of the request. Taking into account the purposes of the processing, the User shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
  1. Right to restriction of processing: the Data Controller shall designate the personal data it processes for the purpose of restricting the processing. The Data Controller shall designate the personal data which the User has provided to the Data Controller for processing:

(a) the User contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the User opposes the erasure of the data and requests instead the restriction of their use;

(c) the Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or

(d) the User has objected to the processing based on the legitimate interests of the Controller; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.

Each User has the right to object to or prohibit the inclusion of his/her name and address data, contact details on a commercial list, the use of his/her data for direct commercial purposes or for a specific purpose within a specific list, the use of such data for sending newsletters, the transfer of such data to third parties, and to request other restrictions of his/her personal data, the termination of the processing of all or specific lists held by the Data Controller, including data transferred to third parties. The Controller shall carry out the erasure without undue delay after receipt of the request, but within a maximum of 10 working days, and shall inform the User concerned in writing within a further 15 days of the execution of the request.

  1. Right to erasure (“right to be forgotten”): The Controller shall erase personal data if:
  2. a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  3. b) the User withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
  4. c) the User objects to the processing and there is no overriding legitimate ground for the processing or the User objects to the processing for direct marketing purposes;
  5. d) the personal data have been unlawfully processed;

(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

(f) the personal data have been collected in connection with the provision of information society services;

(g) where the controller has disclosed the personal data and the personal data are no longer necessary for the purposes for which they were processed, the controller must erase them and take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question.

If the Data Controller has disclosed the personal data and is obliged to delete it as set out above, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the data controllers that have processed the data that the User has requested them to delete the links to or copies or duplicates of the personal data in question.

The controller shall notify the rectification, restriction and erasure to the User concerned and to all controllers to whom the data were previously transmitted. Notification may be omitted if it proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the User of these recipients.

  1. Right to object: The User has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data by the Controller based on his or her legitimate interests, including profiling based on the aforementioned provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  1. The right to blocking

The data subject may request the blocking of his/her data by the Company using the contact details provided. The blocking shall last for as long as the reason indicated by the data subject makes it necessary to store the data. At the request of the data subject, the Company will do so without delay, but within a maximum of 30 days, and will send information to the e-mail address provided by the data subject.

 

XVIII. Compliance with your requests

  1. The information and action provided for in point 18 shall be provided by the Data Controller free of charge. If the request of the User concerned is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller shall, taking into account the administrative costs of providing the requested information or information or of taking the requested action:

(a) charge a reasonable fee; or

(b) refuse to act on the request.

  1. The Data Controller shall inform the User of the measures taken in response to the request, including the provision of copies of the data, without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the User of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request. If the User concerned has submitted his request by electronic means, the information shall be provided by the Data Controller by electronic means, unless the User concerned requests otherwise.
  1. If the Controller does not take action on the request of the User concerned, it shall inform the User concerned without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to act and of the right to lodge a complaint with the supervisory authority referred to in point 21 and to exercise the right of judicial remedy as provided for in that point.
  1. The User may submit his/her requests to the Data Controller by any means that allows the identification of the User. The identification of the User submitting the request is necessary because the Data Controller can only grant requests to those who are entitled to do so. If the Data Controller has reasonable doubts about the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the User concerned.

User’s requests may be sent by post to the address of the Data Controller indicated in point 1.1 or by e-mail to help@ssolerawap.com. Requests sent by e-mail shall be considered as authentic by the Data Controller only if they are sent from the e-mail address provided by the User to the Data Controller and registered there, however, the use of another e-mail address shall not imply that the request is ignored. In the case of e-mail, the date of receipt shall be deemed to be the first working day following the sending of the request.

 

XIX. Data protection, data security

1.The Data Controller shall ensure the security of data in its data processing and data handling activities, and shall ensure the enforcement of legal provisions and other data protection and confidentiality rules by technical and organizational measures and internal rules of procedure. In particular, it shall take appropriate measures to protect the processed data against unauthorized access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.

  1. To this end, the Data Controller uses the http protocol “https” to access the website, which allows web communications to be encrypted and uniquely identified. In addition, as described above, the Data Controller stores the processed data in encrypted data files, which are stored in separate processing lists for each processing purpose and to which access is granted to specific employees of the Data Controller who are responsible for the protection of the data and for their responsible processing in accordance with this notice and the applicable legislation.
  1. The data on which the measurement of the number of visits and the mapping of the habits of using the website are based are recorded anonymously by the Data Controller’s IT system from the beginning and cannot be linked to any person.
  1. Data will be processed only for the legitimate purposes set out in this notice and only to the extent necessary and proportionate for those purposes, in accordance with the applicable laws and recommendations, and with appropriate security measures.

 

  1. Enforcement

1.Data subjects may exercise their rights of enforcement before the courts under Act V of 2013 on the Civil Code, the GDPR and the Infotv., and may also apply to the National Authority for Data Protection and Freedom of Information:

 

National Authority for Data Protection and Freedom of Information

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Postal address: 1530 Budapest, PO Box 5.

Phone: +36 1 391 1400

Fax: +36 1 391 1410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu/

In the event that the User concerned chooses to take legal action, the action may also be brought before the court of the place of residence or domicile of the User concerned, as the court has jurisdiction to hear the case.

XXI. Miscellaneous provisions

With regard to the data transferred within the scope of this Privacy Notice, the data processors, who are individually responsible for the personal data processing carried out by them on behalf of the Company, are.

This Privacy Notice is published in the Official Journal of the European Union 2020.

The Data Controller reserves the right to amend this Privacy Notice unilaterally at any time, with prior notice to the data subjects. Data subjects will be informed by means of a notice on http://felhomatrac.hu/ at least eight calendar days prior to the modification.