Privacy Policy
1. Identification of the Data Controller
The online store available at https://www.woolanddreams.com/ is operated by Judit Erzsébet Rigó, an individual entrepreneur.
Registration number: 35207779 / Department of Document Oversight, Ministry of the Interior
Tax ID: 66464581-2-33
Registered office: 90 Klapka Street, Pilisvörösvár, 2085, Hungary
Business location: 90 Klapka Street, Pilisvörösvár, 2085, Hungary
Email: info@varazskezmuhely.hu
(hereinafter referred to as the Data Controller).
2. Applicable Laws on Data Processing, Scope of the Policy
2.1. The data processing of users by the Data Controller is subject to the following regulations:
· REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as GDPR),
· Act CVIII of 2001 on certain issues of electronic commerce services and information society services,
· Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising.
2.2. This policy applies to the use of the website https://www.woolanddreams.com/ (hereinafter referred to as the website), the use of the services available on the site, and the data processing related to orders placed in the online store.
2.3. In this policy, the term "User" refers to natural persons who browse the website, use the services of the website, and order products from the Data Controller.
3. Legal Basis for Data Processing
3.1. The legal basis for certain data processing performed by the Data Controller is the consent of the User, according to Article 6(1)(a) of the GDPR. Regarding data processing related to orders, the legal basis is Article 6(1)(b) of the GDPR, stating that the processing is necessary for the performance of a contract to which the User is a party.
3.2. In some cases, the law may require the Data Controller to perform certain data processing operations, and legitimate interests may also serve as the legal basis for data processing. Details can be found in the specific sections below, covering individual data processing operations.
4. Data Processing Related to the Operation of Information Technology Services
4.1. Scope of Individuals Affected by Data Processing: All Users visiting the website, regardless of using the services available on the website.
4.2. Legal Basis for Data Processing: Regarding data processing that is technically indispensable for providing the service, Article 13/A of the Electronic Commerce Services Act (Ektv.) authorizes the Data Controller to process data necessary for the proper operation of the website. In this regard, the legal basis for processing such data is the legitimate interest of the Data Controller according to Article 6(1)(f) of the GDPR. With this legal basis, the Data Controller processes only data necessary for the user-friendly operation of the website and manages these data only for the required period. These are technical data necessary for the enjoyable display of the website's pages, the proper functioning of its features, and comfortable use by the user. The Data Controller does not transmit these data to third parties and does not process them for any other purpose. In terms of data processing, the Data Controller uses the service provider(s) identified in Chapter 11, "Information Technology Data Processing." Considering this, the processing of this data poses no risk to the user. However, achieving the stated purpose—the proper use of the website—is not possible without processing the data. The legitimate interest of the Data Controller is to ensure the usability of the website, as it can provide its service only through this means, which is an essential condition for its operation. Therefore, the Data Controller processes the aforementioned data based on its legitimate interest, which, since the data processing poses no risk to the user, proportionally restricts the user's right to self-determination. During visit analysis, only anonymous data is generated that cannot identify the user. Anonymous data processing does not involve the handling of personal data for marketing activities by the Data Controller.
4.3. Determination of the Data Set: Information technology data processing involves data related to the operation of "cookies" used by the website and the use of log files applied by the web hosting service provider, as follows.
Data processed to enable user-friendly browsing:
· Web pages visited during the visit to the website and the order of their opening
· IP address of the device used by the user
Data set for measuring website traffic (anonymous data not linked to the user):
· Web pages visited during the visit to the website and the order of their opening
· Frequency of views of certain pages on the website
· Referrer information indicating which other website directed the user to this website (only in the case where a link pointing to this website is placed on another website)
· Approximate determination of the geographical location of the user visiting the website (based on the data of the internet service provider, providing only approximate data about the location of the device used for browsing)
· Time of starting the website browsing
· Time of leaving the website (completion of browsing)
· Duration of browsing the website.
4.4. Purpose of Data Processing: The use of "cookies" and log files is necessary for the user-friendly and secure operation of the website. The purpose of data processing with these tools is to ensure the secure and user-friendly operation of the website for the user. The processing of anonymous data collected regarding the use of the website aims to tailor our service and improve our website to be more efficient. Specifically:
· Identification of the device used by the user for browsing, with the identifier data being memorized during the browsing session based on the IP address. This makes browsing smoother, as the user would otherwise have to identify themselves on each visited page or repeat processes without this feature.
The data required for the following purposes are recorded anonymously, and they cannot be linked to any individual:
· Measuring website traffic, determining the frequency of views of certain pages on the website, and measuring the duration of browsing certain pages on the website to shape the website according to the needs of users by the Data Controller.
· Approximate determination of the user's (device used for browsing) location and mapping the interest area based on the level of interest after using the service by the Data Controller.
· Identification of the website from which the user arrived at this website to understand the other areas of interest of users interested in the services of the Data Controller and to measure the effectiveness of promotional activities of the service by the Data Controller.
4.5. Duration of Data Processing: The Data Controller processes part of the data for the duration of browsing, and certain data are stored for a variable period, but no more than 1 month.
The data necessary for the user-friendly operation of the website (IP address, the order of visited pages on the website during browsing) are recorded for the duration of the browsing session (i.e., the duration of browsing the website) and are deleted after its completion. The Data Controller performs the processing of such data with its own tools in its information system, without any third party having access to it, except for cases of information technology data processing (as described in the chapter "Use of Data Processor" below). The data used as the basis for measuring attendance and mapping the habits related to the use
5. Data Processing Related to Receiving and Responding to Messages
5.1. Scope of Individuals Affected by Data Processing: Users who send messages to the Data Controller using the messaging interface available in the "Contact" section of the website or via email using the email address(es) provided on the website.
5.2. Legal Basis for Data Processing: Consent of the User under Article 6(1)(a) of the GDPR.
5.3. Definition of the Data Set: The User sending an email:
· Last name
· First name
· Email address
· Any additional data provided by the User in the email message.
Regarding any additional data provided by the User in the email message, the Data Controller only processes data that is necessary upon receiving the message. However, the Data Controller does not request the User to provide unexpected personal data. In the case of the disclosure of unexpected personal data, the Data Controller does not store such data and promptly deletes it from its information system.
5.4. Purpose of Data Processing: Facilitating communication with the User for exchanging messages with the Data Controller. Services related to this include:
· Sending messages through the messaging interface on the "Contact" page,
· Receiving messages sent via email (using the email address(es) provided on the website),
· Responding to messages received through the above methods, which the Data Controller fulfills within 2 business days.
5.5. Duration of Data Processing: The Data Controller processes the data until the purpose is achieved. Accordingly, for Users sending messages, the duration of data processing extends until the response to the message or the fulfillment of the User's request. After responding to the message/meeting the request, the Data Controller deletes the data processed for this purpose. If contractual relations are established as a result of the message exchange, and the content of the messages is essential for the contract, the legal basis and duration of data processing will be as described in point 6 (data processing related to orders).
5.6. Method of Data Storage: In a separate data processing list in the Data Controller's information system, until the end of the information exchange.
6. Data Processing Related to Newsletter Subscription
6.1. Individuals Affected by Data Processing: Users who subscribe to the newsletter by filling out the fields provided for newsletter subscription on the website.
6.2. Legal Basis for Data Processing: User's consent under Article 6(1)(a) of the GDPR. The voluntary consent is given by the User by acknowledging this data processing information and completing the fields for newsletter subscription, marking the consent statement found there. By doing so, the User declares their consent to the processing of their data as specified in the data processing information and for sending newsletters.
6.3. The newsletter service aims to provide useful information and also includes direct marketing by the Data Controller. Users can subscribe to this service independently of using other services. The use of this service is voluntary and based on the decision made by the User after appropriate information. If a User chooses not to use the newsletter service, it does not disadvantage them regarding the use of the website and the utilization of other services. The utilization of the service targeting direct marketing is not a condition for using any other service of the website.
6.4. Definition of the Data Set:
· Name
· Email address.
6.5. Purpose of Data Processing: Sending newsletters from the Data Controller to the User via email. Sending newsletters involves providing information about the services of the Data Controller, updates, current affairs, promotional offers, and advertising content.
6.6. Duration of Data Processing: The Data Controller processes the data intended for newsletter sending until the User withdraws their consent (unsubscribes) or until the data is deleted upon the User's request.
6.7. Method of Data Storage: In a separate data processing list in the Data Controller's information system.
7. Data Processing Related to Registration
7.1. Scope of Individuals Affected by Data Processing: Users registering on the website.
7.2. Legal Basis for Data Processing: User's consent under Article 6(1)(a) of the GDPR.
7.3. Definition of the Data Set: For registering users, data processing involves the personal information and contact details indicated on the registration form mentioned above.
7.4. Data Set:
· Last name
· First name
· Email address
· Username
· Password
· Phone number.
7.5. Purpose of Data Processing: Facilitating website registration for the ease of regular purchases. Services related to this include:
· Browsing the website after logging in,
· Facilitating online product ordering by storing necessary data for order fulfillment and allowing users to independently modify this data,
· Storing and making previous orders accessible to the user in their user account.
7.6. Duration of Data Processing: For registered Users, data processing lasts until the registered User requests deletion. Data processing can also cease with the User's deletion of their registration or with the Data Controller's deletion of the User's registration. The User can delete their registration at any time or request its deletion from the Data Controller, which the Data Controller promptly executes within 10 business days of receiving the request.
7.7. Method of Data Storage: In a separate data processing list in the Data Controller's information system.
8. Data Processing Related to Orders
8.1. Individuals Affected by Data Processing: Users placing orders on the website.
8.2. Legal Basis for Data Processing: Article 6(1)(b) of the GDPR, stating that data processing is necessary for the performance of a contract to which the User is a party.
8.3. Definition of the Data Set: The data processing involves the following personal information and contact details.
For Natural Person Users:
· Last name
· First name
· Phone number
· Email address
· Billing name (if different)
· Billing address
· Shipping name (if different)
· Shipping address (if different)
· Specification of ordered product(s)
· Unit price of ordered product(s)
· Method of receipt/delivery
· Payment method
· Any other information provided by the User during the order process
· Order date
· Payment date
· User's bank account number in case of advance payment by bank transfer.
For Representative/Contact Person of a Business Organization:
· Contact person's last name
· Contact person's first name
· Phone number
· Email address
· Password
· Billing name of the business organization
· Billing address of the business organization
· Tax identification number of the business organization
· Shipping name (if different)
· Shipping address.
For online payment by credit card, the Data Controller does not obtain the credit card details; the User directly provides this information to the payment service provider.
8.4. Purpose of Data Processing: Execution and fulfillment of the contract resulting from the order.
8.5. Duration of Data Processing: The Data Controller processes the above data required for order fulfillment for the period necessary to fulfill the accounting law's obligation to retain documents. According to the accounting law, this period is at least 8 years from the issuance of the invoice, and after this period, the Data Controller deletes the data within one year. During the necessary data processing for the delivery of the ordered products, the Data Controller restricts data processing when transmitting the necessary data (name, shipping address, phone number) to the delivery service provider, allowing the delivery service provider to process the transmitted data only to the extent and duration necessary for the delivery.
However, the delivery company may have a legitimate interest in retaining the above data or part of it for a certain period in case of potential complaints, claims, or civil disputes. This is conducted as an independent Data Controller, and further information can be found in the data processing information of the respective service provider in the "Use of Data Processors" section of this information, where the contact information for their data processing information is also provided.
Any additional data processed during the order, such as essential messages related to the order between the User and the Data Controller, will be stored by the Data Controller for 5 years from the conclusion of the contract - the general limitation period applicable to civil law claims.
8.6. Method of Data Storage: In a separate data processing list in the Data Controller's information system and in accounting documents (invoices) as required by the accounting law.
9. Data Processing Without Additional Consent or After Withdrawal of Consent
9.1. The Data Controller may process the data obtained with the consent of the User without further separate consent from the User or after the withdrawal of consent, based on Article 6(1) of the GDPR, as outlined below.
9.2. If the personal data was collected with the User's consent, the Data Controller may process the collected data without the User's additional separate consent and even after the User withdraws their consent in the following cases:
· Data processing is necessary to fulfill a legal obligation applicable to the Data Controller;
· Data processing is necessary to protect the vital interests of the User or another natural person;
· Data processing is necessary to assert the legitimate interests of the Data Controller or a third party, except where the User's interests or fundamental rights and freedoms, requiring the protection of personal data, prevail, especially if the User is a child.
10. Additional Legal Bases for Data Processing - Independent of User Consent
10.1. In specific cases, the legal basis for data processing can also be the fulfillment of legal obligations, as required by Article 6(1)(c) of the GDPR. The Data Controller may be obligated to perform mandatory data processing imposed by law or other regulations. Additionally, the Data Controller is obliged to fulfill any requests from authorities, which may involve processing and transmitting personal data. This is also a legal obligation imposed on the Data Controller.
10.2. Furthermore, according to Article 6(1)(d) and (f) of the GDPR, the Data Controller informs that personal data of the User may be processed without their consent when the processing is necessary to protect the vital interests of the User or another natural person, and when the processing is necessary for the legitimate interests pursued by the Data Controller or a third party—except where the interests or fundamental rights and freedoms of the User, requiring the protection of personal data, take precedence, especially if the User is a child.
10.3. In accordance with Section 13/A of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter referred to as Ekertv.), the Data Controller also provides the User with the following information: The service provided by the Data Controller qualifies as an information society service related to electronic commerce according to Ekertv. For the purpose of creating, defining, modifying, monitoring the performance, invoicing fees related to the service, and enforcing related claims, the Data Controller may process personal identification data and address necessary to identify the User. For invoicing fees arising from the service contract, the Data Controller may process the User's personal identification data, address, and data related to the time, duration, and location of using the service. For the provision of the service, the Data Controller may process personal data that is technically indispensable for the provision of the service. In cases where the conditions are the same, the Data Controller selects and operates the tools used in the provision of the service in such a way that personal data is processed only when absolutely necessary for providing the service and fulfilling other purposes defined by law, and even in this case, only to the necessary extent and duration. (For further characteristics of technically necessary data processing, refer to the "Information on the Use of Cookies" document and Section 4 of this information, titled "Information.") Any data related to the use of the service for purposes other than those specified above—such as increasing the efficiency of the service, delivering electronic advertisements or other targeted content to the User, or conducting market research—will only be processed with the prior determination of the data processing purpose and the User's consent.
11. Data Processing Records
11.1. Records of Customers: This includes the necessary data for the performance of the contract from Users who place orders, as listed in point 8. The data related to invoice retention will be deleted in the year following the fulfillment of the legal accounting-related data retention obligation, which is at least 8 years from the issuance of the invoice. Other data related to orders will be deleted after 5 years from the conclusion of the contract.
11.2. Records of Registered Users: This includes the data of Users who register on the website, as listed in point 7. The deletion of data occurs when the registration is deleted, when the User withdraws consent, or upon fulfilling the request for data deletion.
11.3. Records of Newsletter Subscribers: This includes the data of Users subscribing to newsletters, as listed in point 6. The deletion of data occurs upon unsubscribing, upon withdrawal of consent, or upon fulfilling the request for data deletion.
11.4. Records of Data Breaches: This involves a record of the illegal processing or processing of personal data and measures taken to remedy these issues. It includes the scope of personal data affected by the incident, the number of individuals affected by the data breach, the date, circumstances, impacts, and measures taken to remedy the data breach, as well as any other data prescribed by the legislation requiring data processing.
11.5. For the achievement of data processing purposes, the Data Controller, as outlined above, stores data in separate lists, in databases separated by data processing purpose, and in its IT system.
12. Data Transmission
12.1. Individuals Affected by Data Transmission: Users who choose online payment during the order process, regardless of using other services provided by the website.
12.2. Recipient of Data Transmission: Barion Payment Ltd.
Company Registration Number: 01-10-048552
Tax Identification Number: 25353192243
Address: 1117 Budapest, Irinyi József utca 4-20, 2nd floor
Website: https://www.barion.com
A business entity serving as the provider of the online payment service available on the Data Controller's website.
12.3. Legal Basis for Data Transmission: User's consent pursuant to Article 6(1)(a) of the GDPR. After becoming acquainted with the data processing information, the User voluntarily consents to data transmission for the secure execution of online payment by selecting the online payment method and submitting the order.
12.4. Scope of Transmitted Data:
· Username
· Last name
· First name
· Country
· Phone number
· Email address.
Bank card data provided during payment are directly given to the payment service provider by the User, and thus, they do not come into the possession of the Data Controller.
12.5. Purpose of Data Transmission: Proper operation of the payment service and the technical execution of payments, confirmation of transactions, operation of fraud monitoring for the protection of users—implementing a fraud detection system supporting the control of electronically initiated banking transactions—and providing customer support to Users.
12.6. The Data Controller does not transmit data to third parties for business or marketing purposes.
12.7. Except for the cases mentioned above, the Data Controller only transmits data to authorities in case of legal obligations.
13. Data Processor Engagement
The Data Controller utilizes the following business entities as data processors.
13.1. Web Development and Hosting Service
13.1.1. Individuals Affected by Data Processing: Users visiting the website, regardless of utilizing the services provided by the website.
13.1.2. The Data Controller engages as a data processor: ShopRenter.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Short name: ShopRenter.hu Kft.
Company Registration Number: 09-09-020636
Tax Identification Number: 23174108-2-09
Address: 4028 Debrecen, Kassai út 129.
Website: https://www.shoprenter.hu/
Acting as a web hosting service provider, website developer, and technical maintainer (hereinafter: Data Processor).
13.1.3. Determination of Data Processing Scope: The data processing involves all data specified in this information document.
13.1.4. Purpose of Data Processing: Ensuring the IT operation of the website for the respective User.
13.1.5. Duration of Data Processing: Corresponds to the data processing periods regulated for each data category according to the data processing purposes specified in this information document.
13.1.6. Data processing involves only technical operations necessary for the IT operation of the website.
13.2. Email Correspondence Data Processing
13.2.1. Individuals Affected by Data Processing: Users sending emails to the email address published on the website, regardless of utilizing other services provided by the website.
13.2.2. The Data Controller engages as a data processor: GOOGLE INC.
Short name: GOOGLE INC.
Company Registration Number: 20031277465
Tax Identification Number: 20031277465
Address: 1600 Amphitheatre Parkway Mountain View CA 94043 US
Website: https://www.google.hu/
Acting as the software developer and maintainer of the electronic mail service used by the Data Controller, as well as the provider of the hosting service used for email correspondence (hereinafter: Data Processor).
13.2.3. Determination of Data Processing Scope: Data processing involves the User's name, email address, and any additional data provided in the email.
13.2.4. Purpose of Data Processing: Ensuring the IT operation of the electronic mail service for the respective User.
13.2.5. Duration of Data Processing: The duration of data processing extends until the response to the message or the fulfillment of the User's request. After responding to the message or fulfilling the request, the Data Controller deletes the data processed for this purpose. In the case of multiple related message exchanges, data deletion occurs after the completion of the information exchange or the fulfillment of the request.
If a contract is concluded as a result of the message exchange, and the content of the messages is essential for the contract, the legal basis and duration of data processing will be determined as described in point 5 (data processing related to orders).
Data processing continues until deletion by the Data Controller in all cases, as described above.
13.2.6. Data processing involves only technical operations necessary for the IT operation of the electronic mail service.
13.3. Newsletter Sending Data Processing
13.3.1. Individuals Affected by Data Processing: Users subscribing to newsletters on the website, regardless of utilizing other services provided by the website.
13.3.2. The Data Controller engages as a data processor: SalesAutopilot Kft.
Address: 1016 Budapest, Zsolt utca 6/A. 5. em. 1.
Postal Address: SalesAutopilot Kft. 1538 Budapest, Pf. 515.
Phone: (+36) 1 490 0172
Service: MailMaster / SalesAutopilot
Tax Identification Number: 25743500-2-41
Company Registration Number: Cg. 01 09 286773
Company Registration Date: 2016.10.31.
13.3.3. Determination of Data Processing Scope: Data processing involves the User's name and email address subscribing to the newsletter.
13.3.4. Purpose of Data Processing: Ensuring the IT operation of the software used by the Data Controller for sending newsletters, through data processing involved in the technical operations necessary for secure software operation.
13.3.5. Duration of Data Processing: Until the User withdraws consent for newsletter sending (unsubscribes) or until the deletion of data upon the User's request.
13.3.6. Data processing involves only technical operations necessary for the IT operation of the newsletter sending software.
13.4. Product Delivery-Related Data Processing
13.4.1. Individuals Affected by Data Processing: Users choosing delivery to a Hungarian address during the order process.
13.4.2. The Data Controller engages as a data processor: Post Solutions Kft.
Address: 1215 Budapest Popieluszko u.23.
Tax Identification Number: 24952152-2-43, HU24952152243
Acting as the organizer of courier delivery for the ordered products (hereinafter: Data Processor).
13.4.3. The Data Controller engages as a data processor: DPD HUNGARY KFT.
Address: 1134 BUDAPEST, VÁCI ÚT 33. A ÉPÜLET II. EMELET
EU VAT Number: HU13034283
Tax Identification Number: 13034283-2-44
Company Registration Number: 01-09-888141
Acting as the carrier of the ordered products (hereinafter: Data Processor).
13.4.4. Determination of Data Processing Scope: Data processing involves the following User data for the fulfillment of the contract resulting from the User's order (execution of delivery):
· Last name
· First name
· Phone number
· Delivery address.
13.4.5. Purpose of Data Processing: Organizing and executing the delivery of the ordered product to the address specified by the User, including telephone coordination if necessary, within the framework of fulfilling the contract resulting from the User's order.
13.4.6. Duration of Data Processing: For the time required to complete delivery and execution.
13.4.7. Data processing involves only the data processing operations necessary for organizing and executing delivery.
13.5. Postal Delivery of Products-Related Data Processing
13.5.1. Individuals Affected by Data Processing: Users requesting delivery to an address outside Hungary within the European Union, and Users requesting delivery to a Hungarian address as a post-held item.
13.5.2. The Data Controller engages as a data processor: G3 Worldwide Hungary
G3 Worldwide Hungary Limited Liability Company
Company Registration Number: 01 09 063948
Tax ID: 10271384243
Address: 1097 Budapest, Ecseri út 14-16.
Website: https://www.spring-gds.com/countries/hungary/
The economic entity, G3 Worldwide Hungary Ltd., operates as a data processor, providing delivery services for ordered products (hereinafter: Data Processor).
13.5.3. Definition of the scope of data affected by data processing: The data processing, carried out in the interest of fulfilling the contract resulting from the User's order (execution of delivery), involves the following data of the User:
· Last name
· First name
· Phone number
· Delivery address.
13.5.4. Purpose of data processing: The purpose of data processing is to execute the delivery of the ordered product to the address specified by the User, with the possibility of telephone coordination regarding the place and time of delivery, within the framework of fulfilling the contract resulting from the User's order.
13.5.5. Duration of data processing: The processing of data lasts for the time necessary to perform the delivery.
13.5.6. Data processing involves only operations necessary for delivery.
13.5.7. Data Controller uses Data Processor: GLS General Logistic Systems Hungary Package Logistics Ltd.
Short name: GLS Ltd.
Company Registration Number: 13-09-111-755
Tax ID: 12369410-2-44
Registered office: 2351 Alsónémedi, GLS Európa u. 2.
Email: info@gls-hungary.com
Website: https://gls-group.eu/HU/hu/home
The economic entity, GLS Ltd., operates as a data processor, providing delivery services for ordered products (hereinafter: Data Processor).
13.5.8. Definition of the scope of data affected by data processing: The data processing, carried out in the interest of fulfilling the contract resulting from the User's order (execution of delivery), involves the following data of the User:
· Last name
· First name
· Phone number
· Delivery address.
13.5.9. Purpose of data processing: The purpose of data processing is to execute the delivery of the ordered product to the address specified by the User, with the possibility of telephone coordination regarding the place and time of delivery, within the framework of fulfilling the contract resulting from the User's order.
13.5.10. Duration of data processing: The processing of data lasts for the time necessary to perform the delivery.
13.5.11. Data processing involves only operations necessary for delivery.
13.6. Data processing for any other purpose does not take place.
13.7. Processors are not involved in the Data Controller's business activities.
13.8. The Data Controller does not use any data processors other than those specified above.
14. User's rights regarding data processing
14.1. Right of access: Upon the User's request, the Data Controller provides information about the User's data that it manages, or that is processed by a Data Processor it has engaged, including their source, purpose, legal basis, duration, the name and address of the Data Processor, and the circumstances of any data protection incidents, their effects, and the measures taken to remedy them. If requested, this information is provided by the Data Controller without undue delay, but no later than within one month from the receipt of the request. Within the framework of the right of access, the Data Controller provides the User with a copy of the personal data being processed, no later than one month from the receipt of the request. For any additional copies requested by the User, the Data Controller may charge a reasonable fee based on administrative costs (as specified in point 15).
14.2. Right to data portability: The User is entitled to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller, without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on consent or a contract; and b) the processing is carried out by automated means. In exercising the right to data portability, the User has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
14.3. Right to rectification: The User may request the correction of their processed data, which the Data Controller shall carry out without undue delay, but no later than within one month from the receipt of the request. Taking into account the purpose of the data processing, the User is entitled to request the completion of incomplete personal data, among other things, by means of a supplementary statement.
14.4. Right to restriction of processing: The Data Controller marks the personal data it processes for the purpose of restricting processing. The User is entitled to request the Data Controller to restrict processing if one of the following applies:
a) the accuracy of the personal data is contested by the User, in which case the restriction applies for the period during which the Data Controller can verify the accuracy of the personal data;
b) the processing is unlawful, and the User opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Data Controller no longer needs the personal data for the purposes of the processing, but the User requires them for the establishment, exercise, or defense of legal claims; or
d) the User has objected to processing based on the legitimate interests pursued by the Data Controller; in this case, the restriction applies for the time it takes to verify whether the legitimate grounds of the Data Controller override those of the User.
14.5. Right to Deletion: The Data Controller deletes personal data if:
a) The personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
b) The User withdraws the consent on which the data processing is based, and there is no other legal basis for the processing;
c) The User objects to the processing, and there is no overriding legitimate reason for the processing, or the User objects to the processing for direct marketing purposes;
d) The personal data has been unlawfully processed;
e) The personal data must be deleted to fulfill a legal obligation applicable to the Data Controller under Union or Member State law;
f) The User requests deletion or objects to the processing, and the personal data was collected in relation to the offer of information society services directly to children.
The Data Controller informs the affected User about corrections, restrictions, and deletions, and notifies all data processors to whom the data was previously transmitted. Notification may be omitted if it proves impossible or requires disproportionate effort. Upon the User's request, the Data Controller informs the User about these recipients.
14.6. Right to Object: The User is entitled to object at any time, for reasons related to their particular situation, to the processing of their personal data based on the legitimate interest of the Data Controller. In this case, the Data Controller may no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
15. Fulfillment of User Requests
15.1. The Data Controller provides information and actions according to point 14 free of charge. If the User's request is clearly unfounded or – especially due to its repetitive nature – excessive, the Data Controller may: a) Charge a reasonable fee, or b) Refuse to act on the request.
15.2. The Data Controller informs the User about the measures taken as a result of the request without undue delay, but no later than one month from the receipt of the request, including the issuance of copies of the data. If necessary, taking into account the complexity of the request and the number of requests, this period may be extended by an additional two months. The Data Controller informs the User of the extension within one month of receiving the request, indicating the reasons for the delay. If the User submitted their request electronically, the information is provided electronically, unless otherwise requested by the User.
15.3. If the Data Controller does not take action on the User's request, the Data Controller informs the User of the reasons for not taking action without undue delay, but no later than one month from the receipt of the request. The Data Controller also informs the User that they may lodge a complaint with the supervisory authority specified in point 15 and exercise their right to judicial remedy there.
15.4. The User can submit their requests to the Data Controller in any way that enables their identification. If the Data Controller has reasonable doubts about the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the User.
15.5. The User can submit their requests to the Data Controller by post to Hungary, 2085 Pilisvörösvár, Klapka u. 90., or by email to varazskezmuhely@gmail.com. An email request is considered authentic only if it is sent from the User's email address registered with the Data Controller; however, the use of another email address does not mean that the request will be disregarded. For email, the date of receipt is considered the first working day after sending.
16. Data Protection, Data Security
16.1. The Data Controller ensures the security of data in its data processing activities through technical and organizational measures and internal procedural rules to enforce data protection and confidentiality regulations. Adequate measures are taken to protect data against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against becoming inaccessible due to changes in the applied technology.
16.2. The data used to measure website traffic and map usage habits are recorded by the Data Controller's IT system from the outset in a way that cannot be directly linked to a person.
16.3. Data is processed only to achieve the purposes defined in this policy, in a necessary and proportionate manner, in accordance with relevant laws and recommendations, with appropriate security measures.
16.4. For this purpose, the Data Controller makes the website accessible over the "https" scheme of the HTTP protocol, which encrypts web communication for confidentiality and individual identification. In addition, in accordance with the above, the Data Controller stores the processed data in encrypted data files, in purpose-separated data processing lists, accessible only to specified employees responsible for tasks related to the activities specified in this policy, ensuring the protection of data and responsible management in accordance with this policy and relevant laws.
17. Enforcement of Rights
Individuals may enforce their rights in court based on the Civil Code (Act V of 2013) and the GDPR. They can also turn to the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mailing address: 1530 Budapest, Pf.: 5.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
Email: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu/
If the judicial route is chosen, the lawsuit can be initiated before the court having jurisdiction over the individual's place of residence or stay, as the adjudication of the lawsuit falls under the competence of the respective court.
Date: February 7, 2024
Judit Erzsébet Rigó