PRIVACY POLICY
The operator of the BorbolyaBolt Webshop, (hereinafter referred to as the Data Controller), as Data Controller, accepts to be bound by the content of this legal notice. It obliges to ensure that all data processing performed in connection with its activities complies with the requirements specified in this policy, in the effective national legislation, and in the legal acts of the European Union. The privacy policy that arises in connection with the data management of the website is continuously available under the "Privacy Policy" menu item of the website. The website reserves the right to revise and change this notice. You will inform your audience of any changes in a timely manner. If you have any questions about this communication, please write to us and our colleague will answer your question shortly. Therefore, our firm shall endeavor to provide for the confidential management of your personal data, employing all of the required security measures in information technology and data administration. The website describes its data management practices below.
2. Data controller
Mailing address, complaint handling: 6131 Szank, Petőfi Sándor street 32.
3. Concept definitions
Enterprise: natural or legal persons engaged in an economic activity, whatever its legal form, including partnerships and associations engaged in a regular economic activity.
Personal data: any information relating to an identified or identifiable living person (“data subject”). For example: name, number, location data, online identifier or information that can be identified based on one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Processing: any operation or set of operations performed on personal data or files, whether automated or manual: recording, organization, collection, storage, alteration or amendment, retrieval, consultation, use, communication, transmission, dissemination, making available, alignment or combination, restriction, erasure or destruction.
Controller: means any natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; the purposes and means of the processing may be determined by Union or Member State law.
Data Processor: any natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller, who cannot take decisions on matters related to data processing, may process the data only on the basis of the Data Controller's definitions, and may not process data for its own sake.
Data Protection Officer: The Controller and the Processor shall appoint a Data Protection Officer whenever:
-
the processing is carried out by public authorities or other bodies exercising public functions (except courts acting in their judicial capacity).
-
the main activities of the Controller or the Processor include processing operations which, by their nature or purpose, require regular and systematic monitoring of data subjects on a large scale.
-
the main activities of the Controller or the Processor include the processing of data relating to special categories of personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, etc.) and decisions and criminal offences relating to the determination of criminal liability.
Restriction of data processing: marking stored personal data to limit their future processing.
Profiling: Any form of automated processing of personal data in which personal data are used to evaluate certain personal characteristics relating to a natural person, in particular to analyze or predict characteristics related to job performance, economic situation, interests, health, personal preferences, behavior, location, movement.
Pseudonymisation: Processing of personal data in such a way that, without the use of additional information, it can no longer be established which specific natural person the personal data relate to, provided that such additional information is stored separately, technical and organisational measures are taken to ensure that this personal data cannot be linked to identified or identifiable natural persons.
Registration system: A file of personal data in any way - centralized, decentralized, functional or geographical - that is accessible on the basis of specific criteria.
Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4.Description of data processing during the operation of the webshop
4.1.Information about the use of cookies
What is a cookie?
The Data Controller uses so-called cookies when you visit the website. A cookie is an information package made up of letters and numbers, which is sent by our website to your browser with the aim to save certain settings, to facilitate the use of our website, and to assist collecting certain relevant statistical information on our visitors.
Some of the cookies do not contain personal information and are not suitable for the identification of the individual user, but some of them contain a unique identifier - a secret, accidentally generated sequence of numbers - that is stored by your device, thus ensuring your identification. The duration of each cookie is described in the relevant description of each cookie.
4.2.Legal background and legal basis of cookies
The legal basis for the processing is your consent pursuant to Article 6 (1) (a) of the Regulation.
4.3.The main attributes of the cookies used for the website:
-
Google Analytics cookie
-
Remarketing cookies-k
-
Strictly necessary cookies for operation
-
Cookies used for improving user experience:
-
Facebook pixel (Facebook cookie)
5. Data processed for the purpose of concluding and fulfilling a contract
Several data processing cases may occur for the purpose of concluding and fulfilling a contract. We would like to inform you that data processing related to complaint handling and warranty administration will only take place if you exercise one of the aforementioned rights.
If you do not make a purchase through the webshop, but are a visitor to the webshop, then the data processing for marketing purposes may apply to you if you give us your consent for marketing purposes.
Data processing in order to conclude and fulfill contracts:-
Contact
For example, if you contact us by email, contact us by submitting a form or phone with questions about a product. Prior personal contact is not necessary, you can leave it out in case of placing an order.
Information you provide when contacting us.
Duration of data processing:
The data will only be processed until the end of the contact.
Legal basis for data processing:
Your voluntary consent that you give to the Data Controller by contacting us. [Processing pursuant to Article 6 (1) (a) of the Regulation]
-
Registration on the website
Data processed:
During the data processing, the Data Controller shall process your name, address, phone number, e-mail address, as well as the features of the purchased product and the date of purchase.
Duration of data processing:
Until consent is withdrawn.
Legal basis for data processing:
Your voluntary consent that you provide to the Controller by registering [Processing pursuant to Article 6 (1) (a) of the Regulation]
-
Processing of orders
Data processed:
During the data processing, the Data Controller shall process your name, address, phone number, e-mail address, as well as the features of the purchased product and the date of purchase.
If you have placed an order in the webshop, data management and the provision of data are essential for the performance of the contract.
Duration of data processing:
We process data for a period of 5 years according to the civil limitation period.
Legal basis for data processing:
Performance of the contract. [Processing pursuant to Article 6 (1) (a) of the Regulation]
-
Issuing the invoice
Data processed:
Name, address, e-mail address, telephone number.
Duration of data processing:
Pursuant to Paragraph (2) of Section 169 of the Accounting Act, the invoices issued shall be retained for 8 years following the issuance of the invoice.
Legal basis for data processing:
Pursuant to Section 159 (1) of Act CXXVII of 2007 on Value Added Tax, the issuance of invoices is mandatory and must be retained for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting [Processing pursuant to Article 6 (1) (c) of the Regulation].
-
Data processing related to the delivery of goods
Data processed:
Name, address, e-mail address, telephone number.
Duration of data processing:
The Data Controller shall process the data until the ordered goods are delivered.
Legal basis for data processing:
Performance of the contract [Processing pursuant to Article 6 (1) (a) of the Regulation]
-
Handling Consumer Union complaints
Data processed:
Customer name, telephone number, e-mail address, content of complaint.
Duration of data processing:
Warranty complaints are retained for 5 years under the Consumer Protection Act.
Legal basis for data processing:
Whether your voluntary decision makes a complaint to us, but if you make a complaint to us, pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection, we are obliged to keep the complaint for 5 years [Processing pursuant to Article 6 (1) (c) of the Regulation].
-
Data processed in connection with the verification of the consent
During the registration, ordering and subscription to the newsletter, the IT system stores the IT data related to the consent in order to prove it later.
Date of consent and IP address of the data subject.
Duration of data processing:
Due to legal requirements, the consent must be verified later, so the data storage period is stored for the limitation period after the termination of the data processing.
Legal basis for data processing:
Article 7 (1) of the Regulation provides for this obligation. [Processing pursuant to Article 6 (1) (a) of the Regulation]
6. Data processing for marketing purposes
-
Data processing in connection with the sending of newsletters
Name, address, e-mail address, telephone number.
Duration of data processing:
Until withdrawn by the Data Subject.
Legal basis for data processing:
Your voluntary consent to the Data Controller by subscribing to the newsletter [Processing pursuant to Article 6 (1) (a) of the Regulation]
-
Data processing in connection with the sending and display of personalized advertisements
Name, address, e-mail address, telephone number.
Duration of data processing:
Until consent is withdrawn.
Legal basis for data processing:
Your voluntary consent that you provide to the Controller by registering [Processing pursuant to Article 6 (1) (a) of the Regulation]
-
Remarketing
The data management as a remarketing activity is carried out with the help of cookies.
The data processed by the cookies specified in the cookie notice.
Duration of data processing:
The data storage period of the given cookie, more information is available here:
-
Google general cookie notice: https://www.google.com/policies/technologies/types/
-
Google Analitycs notice: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=en
-
Facebook notice: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
Your voluntary consent that you provide to the Controller by registering [Processing pursuant to Article 6 (1) (a) of the Regulation]
-
Further data processing
You are hereby informed that the Data Controller is required to fulfill your written data requests based on statutory authority. In accordance with Paragraphs (2)-(3) of Section 15 of the Freedom of Information Act, the Data Controller shall keep a record (on which authorities were provided with what personal data, on what legal basis and when), and on request, the Data Controller is required to provide information on such content, except it is excluded by legislation.
7.About the use of data processors and their activities related to data management
-
Processing for the storage of personal data
Registered office: 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland
E-mail address of the data processor: support@shopify.com
The Data Processor performs the storage of personal data on the basis of a contract with the Data Controller. It shall not be entitled to access personal data.
-
Data processing activities related to the transport of goods
Registered office of the data processor: 1135 Budapest, Reitter Ferenc street 66-68.
E-mail address of the data processor: info@webshoppont.hu
The Processor participates in the delivery of the ordered goods on the basis of a contract with the Controller. In doing so, the Processor may process the name, address and telephone number of the recipient until the end of the calendar year following the dispatch of the postal mail, after which it shall immediately delete it.
-
Data processing in connection with invoicing
Registered office of the data processor: 1133 Budapest, Árbóc street 6. III. floor
Phone number of the data processor: +36-1/500-9491
E-mail address of the data processor: hello@billingo.hu
During the period of data processing, you have the following rights according to the provisions of the Regulation:
-
Right to withdraw consent
-
Access to personal data and information related to data processing
-
Right to rectification
-
Restrict processing
-
Right to data erasure
-
The right to object
-
Right to data portability
If you wish to exercise your rights, this will entail your identification and the Controller will need to communicate with you. Therefore, in order to identify you, it will be necessary to provide personal data (but the identification can only be based on data that the Data Controller handles about you anyway), and your complaint about data processing will be available in the Data Controller's e-mail account within the period specified in this notice in connection with the complaints. If you were a customer and you would like to identify yourself for complaints or warranty purposes, please also provide your order ID for identification. By using this, we can also identify you as a customer.
Complaints related to data processing will be answered by the Data Controller within 30 days at the latest.
Right to withdraw consent
You have the right to withdraw your consent to data processing at any time, in which case the data provided will be deleted from our systems. However, please note that in the case of an unfulfilled order, the cancellation may have the effect that we cannot deliver to you. In addition, if the purchase has already been made, we cannot delete the billing data from our systems based on accounting regulations, and if you have a debt to us, we may also process your data in the event of withdrawal of consent on the basis of a legitimate interest in the recovery of the claim.
Access to personal data
You have the right to receive feedback from the Data Controller on whether your personal data is being processed and, if it is, you have the right to:
- have access to the personal data processed and
- inform the Data Controller of the following information:
- the purposes of data processing;
- the categories of personal data processed about you;
- information about the recipients or categories of recipients to whom the personal data have been or will be disclosed by the Controller;
- the sheduled period for which the personal data will be stored or, where that is not possible, the criteria for determining that period;
- your right to request from the Data Controller the rectification, erasure or restriction of the processing of personal data concerning you and, in the case of processing based on legitimate interest, to object to the processing of such personal data;
- the right to file a complaint with a supervisory authority;
- if the data was not collected from you, all available information regarding their source;
- the existence of automated decision-making (if any), including profiling, and, at least in these cases, understandable information about the logic involved and the significance of such processing and the likely consequences for you.
The purpose of exercising the right may be to establish and verify the lawfulness of the data processing, therefore, in case of repeated requests for information, the Data Controller may charge a fair reimbursement for the performance of the information.
Access to personal data is ensured by the Data Controller by sending you the processed personal data and information by e-mail after your identification. If you have a registration, the access will be provided so that you can view and verify the personal data processed about you by logging into your user account.
Please indicate in your request whether you are requesting access to personal data or information related to data processing.
Right to rectification
You are entitled to have the Data Controller rectify your incorrect personal data without delay.
Right to restriction of processing
(1) The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
- You dispute the accuracy of the personal data, in this case the restriction applies for the period of time that allows the Data Controller to verify the accuracy of the personal data, if the exact data can be determined immediately, then the restriction does not take place;
- the processing is unlawful, but you oppose the erasure of the data for any reason (for example, because the data is important to you for the enforcement of a legal claim), and therefore you do not request the erasure of the data, but instead request the restriction of their use;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- You have objected to the data processing, but the legitimate interest of the Data Controller may also justify the data processing, in this case, until it is established whether the legitimate grounds of the Data Controller override your legitimate grounds, the data processing must be restricted.
Where data processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of your legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The Data Controller informs you in advance (at least 3 working days before the lifting of the restriction) about the lifting of the restriction of data processing.
Right to be deleted - Right to be forgotten
You have the right to erase your personal data without undue delay if one of the following reasons applies:
- the personal data are no longer necessary for the purpose for which they were collected or otherwise processed by the Controller;
- you withdraw your consent and there is no other legal basis for the processing;
- you object to the processing based on legitimate interest and there is no overriding legitimate reason (i.e. legitimate interest) for the processing,
- the personal data have been unlawfully processed by the Data Controller and this has been established on the basis of the complaint,
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
If the Data Controller has disclosed the personal data processed about you for any lawful reason and is obliged to delete it for any of the above reasons, it shall take reasonable steps, including technical measures, taking into account the available technology and the costs of implementation, to inform other data controllers that you have requested the deletion of the links to or copies or copies of such personal data.
The deletion shall not apply where the processing is necessary:
- for exercising the right of freedom of expression and information;
- compliance with an obligation to process personal data under Union or Member State law applicable to the controller (such as processing in the context of invoicing, as the retention of the invoice is required by law) or for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller;
- to submit, enforce or defend legal claims (e.g. if the Data Controller has a claim against you and has not yet fulfilled it, or a consumer or data processing complaint is being handled).
The right to object
You have the right to object to the processing of your personal data based on legitimate interest at any time for reasons related to your particular situation. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to data portability
If the data processing is carried out automatically or if the data processing is based on your voluntary consent, you have the right to request from the Data Controller to receive the data you have provided to the Data Controller, which the Data Controller will provide to you in xml, JSON or csv format, if this is technically feasible, you can request that the Data Controller transfer the data in this form to another data controller.
Automated decision making
You have the right not to be subject to a decision based solely on automated processing which would produce legal effects concerning you or would affect you in a similarly significant way. In such cases, the Controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention from the controller, to express his or her point of view and to object to the decision.
The above shall not apply where the decision:
Necessary for the conclusion or performance of a contract between you and the data controller;
Is based on an EU or Member State law applicable to the Service Provider, which governs the rights and freedom of the Subscriber, and establishes appropriate measures to protect its legitimate interests; or is based on your consent.
9. Data security measures
The Data Controller declares that it has taken appropriate security measures to protect personal data against unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as against accidental destruction or damage, and against becoming inaccessible due to a change in the technique used.
The Data Controller will do its utmost to ensure that its data processors take appropriate data security measures when processing your personal data.
10. Remedies
If you believe that the Data Controller has violated a statutory provision on data processing or has not complied with any of your requests, you may initiate the investigation procedure of the National Authority for Data Protection and Freedom of Information in order to terminate the alleged unlawful data processing (mailing address: 1530 Budapest, Pf.: 5., e-mail: ugyfelszolgalat@naih.hu).
Please also note that in the event of violating statutory provisions on data processing, or if the Data Controller failed to fulfill any of your requests, you have the right to turn to court against the Data Controller.
11. Privacy Policy change
The Data Controller reserves the right to amend this data processing notice in a manner that does not affect the purpose and legal basis of the data processing. You accept the modified Privacy Notice by using the service after the modification has taken effect.
If the Data Controller intends to carry out further data processing in relation to the collected data for purposes other than the purpose for which they were collected, it shall inform you of the purpose of the data processing and the following information before the further data processing:
- the envisaged period for which the personal data will be stored or, where that is not possible, the criteria for determining that period;
- the right to request from the Controller access to, rectification, erasure or restriction of processing of personal data concerning you and, in the case of processing based on legitimate interest, to object to the processing of personal data and, in the case of processing based on consent or contractual relationship, to request the right to data portability;
- in the case of data processing based on consent, that you can withdraw your consent at any time,
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is based on a legal or contractual obligation or a prerequisite for the conclusion of a contract, whether you are obliged to provide the personal data, and the possible consequences of not providing the data;
- the existence of automated decision-making (if any), including profiling, and, at least in these cases, understandable information about the logic involved and the significance of such processing and the likely consequences for you.
Data management can only start after that, if the legal basis for data management is consent, you must also consent to the data management in addition to the information.
This document contains all relevant data management information related to the operation of the webshop in accordance with the European Union General Data Protection Regulation 2016/679 (hereinafter: Regulation. GDPR) and Act CXII of 2011 (hereinafter: Infotv.).