Privacy policy
10. Privacy Policy
10.1. GENERAL INFORMATION
The purpose of the Data Management Regulations is to record the data management and data protection procedure used by the data controller - OPTIMA 2747 - by complying with which, in the course of its activities as a data controller (hereinafter: Data Controller), it pays particular attention to the protection and preservation of personal data, as well as safe and fair data management.
The following laws govern the Privacy Policy Regulations:
– CVIII of 2001 TV. on certain issues of electronic commercial services and services related to the information society; – XLVIII of 2008 TV. on the basic conditions and certain limitations of economic advertising activity; – CXII of 2011 TV. on the right to information self-determination and freedom of information – TV V of 2013 on the Civil Code; – Regulation 2016/679/EU (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC.
The Data Controller unilaterally undertakes to comply with these Data Management Regulations in order to respect the rights of the individual as defined by the relevant legislation, or the private sector. The Data Controller reserves the right to change the Data Management Regulations, which it also unilaterally undertakes to publish in an appropriate manner.
10.2. TERMS AND LEGAL INTERPRETATIONS USED IN THE REGULATIONS:
Data subject: natural person identified or identifiable on the basis of any information
Personal data: any information relating to the data subject
Special data: all data belonging to special categories of personal data, i.e. personal data referring to racial or ethnic origin, political opinion, religious or worldview beliefs or trade union membership, as well as genetic data, biometric data aimed at unique identification of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons
Consent: a voluntary, definite and clear declaration of the data subject's will based on adequate information, by which the data subject indicates through a statement or other behavior that clearly expresses his will that he gives his consent to the processing of his personal data
Data controller: the natural or legal person or organization without legal personality who, within the framework defined by law or a mandatory legal act of the European Union, independently or together with others determines the purpose of data management, the data management (including the device used) makes and implements relevant decisions, or has them implemented by the data processor;
Data management: regardless of the procedure used, any operation performed on the data or the set of operations, including in particular collection, recording, recording, organization, storage, change, use, query, transmission, disclosure, coordination or connection, locking, deletion and destruction, and preventing further use of the data, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying the person (e.g. fingerprint or palm print, DNA sample, iris image)
Data transmission: making the data available to a specific third party
Disclosure: making the data available to anyone
Data deletion: rendering the data unrecognizable in such a way that its recovery is no longer possible
Data processing: the set of data processing operations performed by the data processor acting on behalf of or at the request of the data controller;
Data destruction: complete physical destruction of the data carrier containing the data
Data processor: the natural or legal person or organization without legal personality who - within the framework and conditions defined by law or a mandatory legal act of the European Union - processes personal data on behalf of or on the basis of the order of the data controller
Data file: the totality of the data managed in a register;
Third party: a natural or legal person or an organization without legal personality who is or is not the same as the data subject, the data controller, the data processor or the persons who carry out operations aimed at processing personal data under the direct control of the data controller or data processor
EEA state: a member state of the European Union and another state that is a party to the Agreement on the European Economic Area, as well as the state whose citizen is the European Union and its member states, as well as a state that is not a party to the Agreement on the European Economic Area, on the basis of the European Economic Area He enjoys the same legal status as a citizen of a state party to the Territorial Agreement
Third country: any state that is not an EEA state;
Data protection incident: a breach of data security that results in the accidental or unlawful destruction, loss, modification, unauthorized transmission or disclosure of personal data transmitted, stored or otherwise handled, or unauthorized access to them
10.3. BASIS OF DATA MANAGEMENT
The data controller performs its activities based on the legal principle that personal data can only be processed for a clearly defined, lawful purpose, in order to exercise a right and fulfill an obligation. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal. In the course of the Data Controller's activities, the handling of personal data may in all cases be based on legislation or on voluntary and express consent.
The data manager acts according to the principle that only those who are entitled to do so based on the law, or to whom the given person gives consent, can access the personal data of the data subject.
The data manager acts according to the principle that only those who are entitled to do so based on the law, or to whom the given person gives consent, can access the personal data of the data subject.
The managed data can only be seen by the Data Manager, its employees, or the Data Processor used by the Data Manager, and the Data Manager will not pass them on to third parties who do not have the right to access the data.
10.4. Scope of processed personal data and method of recording
Personal data may only be recorded after the Data Controller has made it possible for the data subject to read these Data Management Regulations, which are the basis of the data management. The processing of personal data is based on the voluntary consent given by the data subject in the knowledge of this information, or, in the case of a purchase, regardless of the consent, on legislation (Ptk or Accounting Act).
The data controller processes the following personal data in connection with its activities covered by these Data Management Regulations: – In case of registration: Surname and first name, User name, Billing and/or shipping address, E-mail address – In the case of one-off purchases: Surname and first name, E-mail address, Billing and/or delivery address – In case of complaint: Surname and first name, E-mail address
The User account created after registration contains the data provided during Registration and information about the User's previous purchases. The user has the right to change the data entered in the User account.
The purpose of data management during shopping on the website is to issue invoices, register customers, fulfill orders, document purchases and payments, and fulfill accounting obligations. In the case of creating a user account, management, registration and modification of purchases.
In the case of complaint management, the purpose of data management is to register, manage and retrieve complaints.
The Data Controller may not use the provided personal data for purposes other than those described in this Data Management Policy. Personal data can only be released to third parties or authorities with the prior express consent of the person concerned, unless the law provides otherwise.
The Data Controller does not check the personal data provided to him - the person providing it is solely responsible for its veracity. The data subject may only provide his own personal data, if he registers under the name of another person, the data provider must obtain the consent of the data subject.
When providing the e-mail address, the data subject assumes responsibility for the fact that only he/she uses the service from the given e-mail address.
The Data Controller is not obliged to verify that the e-mail address provided in this way really belongs to the data subject who provided it - in this way, he is entitled to assume that the data management is legal with regard to the personal data provided.
The process of data recording is controlled by the data subject himself, if during the data recording the data subject interrupts the process of data recording, either explicitly or by referring to it, the Data Controller is obliged to interrupt the recording and delete the personal data provided up to that point without exception.
10.5. RIGHTS OF THE DATA SUBJECT
10.5.1. The right of the data subject to receive information about the facts related to data processing before the data processing begins (hereinafter: the right to prior information).
The Data Controller undertakes to provide the information at the request of the User no later than 15 days from the date of submission of the request.
The Data Controller undertakes to provide the information at the User's request within 15 days of the request at the latest.
10.5.3. The data subject has the right to have it corrected or supplemented by the data controller upon request
In order to enforce the right to rectification, if the personal data managed by it or by a data processor acting on its behalf or at its direction is inaccurate, incorrect or incomplete, it shall - especially at the request of the data subject - clarify it immediately, or if it is compatible with the purpose of data management, the supplements it with additional personal data provided by the data subject or with a statement attached to the personal data processed by the data subject. The Data Controller is released from the obligation assumed in this point if the exact personal data are not available to him and the data subject does not make them available to him, or the authenticity of the personal data provided by the data subject cannot be established beyond doubt.
10.5.4. The data subject has the right to request that the processing of his personal data be restricted by the data controller
In order to enforce this data subject right, the data controller limits data processing to the data processing operations specified in the law
10.5.5. The data subject has the right to have his/her personal data deleted by the data controller upon request.
The data controller shall immediately delete the data subject's personal data, if the data processing is unlawful, the data subject withdraws his consent to data processing, or requests the deletion of your personal data or is ordered to do so by law.
10.5.6. The data subject has the right to object to the processing of his personal data, if the processing or forwarding of the personal data is necessary solely to assert the rights or legitimate interests of the Data Controller or a data recipient; unless data management is mandated by law.
The Data Controller - with the simultaneous suspension of data management - is obliged to examine the protest within the shortest period of time from the submission of the request, but no later than 15 days, and to inform the applicant of the result in writing. If the objection of the data subject is well-founded, the Data Controller is obliged to terminate the data management and block the data, and to notify all those to whom the personal data was previously transmitted of this fact.
In the event of a violation of the data subject's rights, you can file a complaint against the Data Controller with a court or the data protection authority, whose data:
Name: National Data Protection and Freedom of Information Authority Title. 1125 Budapest, Szilágyi Erzsébet fasor 22/c. Phone: 06 – 1 – 391-1400 Fax: 06-1-391-1410 E-mail: [email protected] Website: www.naih.hu
10.6. MODIFICATION AND DELETE OF DATA, PERIOD OF DATA MANAGEMENT
At any time, the data subject can request information about the data managed by the Data Controller, the date of data recording, the scope of the data managed, and the method of recording.
The user has the right to modify the User Account data at any time (however, in the case of an order in progress, the address can only be modified if it does not affect the fulfillment of the delivery).
At any time, the data subject may request the modification of their data, as well as their deletion from the Data Controller's database, free of charge, without justification or limitation, at the Data Controller's contact information provided in point 1.1 of these General Terms and Conditions.
The processing of personal data provided during data recording begins at the time of recording and lasts until its deletion or other time specified by law.
In the case of unregistered customers, the data manager keeps the data for 5 years from the date of purchase. For registered users, this lasts until the registration is canceled, but for a maximum of 5 years.
The data controller informs those concerned that, in the case of a purchase, Ptk. (Act V of 2013) 6:22. Pursuant to §, it manages the data necessary to assert claims and rights for 5 (five) years from the date of purchase. Also in the case of a purchase, in order to fulfill the accounting obligations, the data controller will use the data on the receipt in accordance with the Hungarian accounting legislation in force at all times.
10.7. DATA SECURITY
The Data Controller undertakes to ensure the security of the data in the process of data processing and to take all organizational and technical measures necessary for the safe storage of the data.
The data must be protected by appropriate technical means against unauthorized access, alteration, unauthorized transmission, unauthorized disclosure, deletion, or destruction, as well as against accidental destruction and damage, and the consequent loss of access. It is necessary to use technical protection devices that cannot be directly connected to the person concerned, unless permitted by law.
In order to protect the data files managed electronically in the various registers, the data manager or the data processor within the scope of their activities ensures that the data stored in the registers cannot be directly linked and assigned to the data subject.
A data processor acting on behalf of the Data Controller is also authorized to handle personal data. The data manager reserves the right to involve a data processor in the data management
10.8. DATA PROTECTION INCIDENT
A data protection incident is any event that results in the accidental or unlawful destruction, loss, modification, unauthorized transmission or disclosure of transmitted, stored or otherwise handled personal data, or unauthorized access to them. The data controller must notify the Authority within 72 hours of a data protection incident detected by him or by the data processor he uses. The data protection incident does not need to be reported if it is likely that it does not entail a risk for the enforcement of the rights of the data subjects. The notification includes the nature of the incident, - if possible - the scope and number of those involved, the scope of the data involved, the likely consequences, or actions taken or planned by the Data Controller. If the data protection incident is likely to have consequences that significantly affect the enforcement of a fundamental right of the data subject, the data controller shall immediately inform the data subject of the data protection incident by publishing it on the website. Exempted from the obligation to provide information, - if appropriate technical and organizational protection measures were applied prior to the incident, i.e. in particular those that make the data unintelligible in the event of access by an unauthorized person, resulting in their encryption, - if, after becoming aware of the data protection incident, he ensured with the measures taken that the data protection incident will not likely result in consequences significantly affecting the enforcement of any fundamental right of the data subject, - if the direct information of the data subject in accordance with paragraph (1) could only be achieved with a disproportionate effort of the data controller, therefore the data controller provides the data subjects with appropriate information related to the data protection incident through information published in a manner accessible to anyone, or – if the legislation excludes the provision of information.
The Data Controller keeps records of data protection incidents.
10.9. ENFORCEMENT OF RIGHTS RELATED TO PERSONAL DATA FOLLOWING THE DEATH OF THE PERSON INVOLVED
Within five years of the data subject's death, in the case of data processing operations defined by law, the data subject shall have the rights to which the deceased was entitled during his lifetime with an administrative order, or with a statement made to the data controller in a public document or a private document with full evidentiary force - if the data subject has made more than one statement with one data controller, the subsequent with a statement made at the time - an authorized person is entitled to enforce it.
If the person concerned has not made an appropriate declaration of rights, his or her next of kin according to the Civil Code is entitled to enforce the rights of the deceased during his or her lifetime within five years of the death of the person concerned. The close relative who is the first to exercise this right is entitled to assert the rights of the data subject in accordance with this paragraph.
10.10. FINAL PROVISIONS
The entry into force of these Data Management Regulations is ordered by the company's managing director, and it becomes effective upon uploading to the company's website, this also applies to future amendments to the regulations.
