The official webshop of the Nike Budapest stores

Privacy policy

Sportmonkey.hu Data Processing Policy
Trimera Sports Hungary Kft.


Introduction
Trimera Sports Hungary Kft. (1075 Budapest, Madách I.ú. 13-14.B. (complainant management: Nike Árkád: Árkád Budapest, Örs vezér tere 25/A, 1106), tax identification number: 23724923-2-42, company registry number: 0109975378) (hereinafter referred to as: Service Provider, data controller) submits to the following policy:

The information below is based on Regulation (EU) 2016/679 of the European Parliament and of the Council (dated April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

This Privacy Policy governs the processing of data on the following sites/mobile applications: https://sportmonkey.hu.
The Privacy Policy is available at https://sportmonkey.hu/hu/adatvedelem
Amendments to this Policy shall enter into force by publication at the above-mentioned address.
The data controller and its contact details
Name: Trimera Sports Hungary Kft.

Registered seat: 1075 Budapest, Madách I.ú. 13-14.B. (complainant management: Nike Árkád: Árkád Budapest, Örs vezér tere 25/A, 1106)

Email: info@sportmonkey.hu Phone: +36-70-771-6614

Definitions

    1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
    2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
    3. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
    4. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
    5. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
    6. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
    7. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to processing of personal data
Personal data shall be:

    1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
    2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
    3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
    6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with this (‘accountability’).

The controller declares that the data processing takes place in accordance with the principles set out in this section.

Data processing related to the operation of the webshop and the rendering of services
    1. The existence of data collection, the scope of the processed data, and the purposes of the processing:

| Personal data | The purpose of the processing | Legal basis |
|---|---|---|
| User name | Enables identification and registration. | GDPR Section 6(1)(b) and Electronic Commerce law Section 13/A. (3). |
| Password | Provides secure access to the user account. | GDPR Section 6(1)(b) and Electronic Commerce law Section 13/A. (3). |
| Surname and first name | Necessary for communication, purchasing, issuing a correct invoice and exercising the right of withdrawal. | GDPR Section 6(1)(b) and Electronic Commerce law Section 13/A. (3). |
| Email address | Communication. | GDPR Section 6(1)(b) and Electronic Commerce law Section 13/A. (3). |
| Phone number | Communication, more efficient coordination of issues related to billing and shipping. | GDPR Section 6(1)(b) and Electronic Commerce law Section 13/A. (3). |
| Billing name and address | Enables proper invoicing, creating the contract, defining and amending its content, following up on its performance, invoicing the resulting fees, as well as enforcing any related claims. | GDPR Section 6(1)(c) and Act C of 2000 on accounting Section 169 (2) |
| Shipping name and address | Enables door-to-door delivery. | GDPR Section 6(1)(b) and Electronic Commerce law Section 13/A. (3). |
| Time of purchase/registration | For carrying out technical operations. | GDPR Section 6(1)(b) and Electronic Commerce law Section 13/A. (3). |
| IP address used for the purchase/registration | For carrying out technical operations. | GDPR Section 6(1)(b) and Electronic Commerce law Section 13/A. (3). |

It is not required to include any personal data in the user name or the email address.

    2. The scope of data subjects: All users registering/making a purchase on the webshop’s website are data subjects.

    3. Duration of the data processing, deadline for erasure of the data: If any conditions of Section 17 (1) of the GDPR exist, the duration is until the data subject’s request for erasure. Data controller shall inform data subject about the erasure of any personal data provided by data subject by electronic means, based on Article 19 of the GDPR. If the data subject's request for erasure extends to the email address provided as well, data controller shall also erase the email address after the information has been communicated. Accounting documents are an exception, as based on Section 169 (2) of Act C of 2000 on accounting, these data must be retained for 8 years. The contractual information of the data subject may be erased after expiry of the limitation period under the civil law, upon request for erasure of the data subject.

The accounting documents underlying the accounting records directly or indirectly (including ledger accounts, analytical records and registers) shall be retained for a minimum of eight years, and shall be legible and retrievable by means of the code of reference indicated in the accounting records.

4. Potential data controllers to whom the data may be disclosed, recipients of the personal data: The personal data may be processed by the data controller, as well as its sales and marketing employees, in compliance with the above principles.

5. Description of the data subject’s rights related to the data processing:

The data subject may request access to and rectification or erasure of, or restriction of the processing of personal data concerning the data subject from the controller; and
data subject has the right to data portability, or to withdraw the consent to processing at any time.

6. Data subject may request access to and rectification or erasure of the personal data, the restriction of their processing, or the portability of the data in the following ways:

by post at 1075 Budapest, Madách I.ú. 13-14.B. (complainant management: Nike Árkád: Árkád Budapest, Örs vezér tere 25/A, 1106),
via email at info@sportmonkey.hu; via phone at +36-70-771-6614.

7. The legal basis of the data processing:

    1. GDPR Section 6(1)(b) and (c),

    2. Section 13/A. (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services; and with other pertinent regulations (hereinafter referred to as Electronic Commerce law):

Service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons. Should other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in this Act, and only to the required extent and duration.
    3. Section 6 (1) c) of the GDPR, regarding the issuance of an invoice compliant with the legislation on accounting.

    4. In the case of enforcement of claims arising from the contract, a limitation period of 5 years applies in accordance with Act V of 2013, Section 6:21.

6:22. [Statute of limitations]

    (1) Unless otherwise provided in this Act, claims shall lapse after five years.

    (2) The statute of limitations shall commence when the claim becomes due.

    (3) Agreements concerning the alteration of the limitation period shall be made in writing.

    (4) Agreements excluding the statute of limitations shall be null and void.

8. Please, be informed that

  • the data processing is necessary for performance of the contract and for making an offer.
  • you are obliged to provide your personal data so that we can fulfil your order.
  • your failure to provide the necessary data results in our inability to process your order.

Cookies policy
    1. No prior consent from the data subject needs to be requested for the following cookies: cookies used for password-protected sessions, cookies necessary for the shopping cart, security cookies, strictly necessary cookies, functionality cookies, and cookies responsible for managing website statistics.

    2. The fact of the processing, the scope of the data processed: Unique identification number, dates, times
    3. The scope of data subjects: All data subjects visiting the website.
    4. The purpose of the processing: Identification of the users and the tracking of the visitors.
    5. Duration of the data processing, deadline for erasure of the data:

| Cookie type | Legal basis of the data processing | Duration of the data processing |
|---|---|---|
| Session cookies | Section 13/A. (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services; and with other pertinent regulations (Electronic Commerce law) | The period until the end of the relevant visitor session |
| Persistent or stored cookies | Section 13/A. (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services; and with other pertinent regulations (Electronic Commerce law) | Until erasure by the data subject |
| Statistics cookies | Section 13/A. (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services; and with other pertinent regulations (Electronic Commerce law) | 1 month – 2 years |

 
    6. Potential data controllers to whom the data may be disclosed: By using cookies, the data controller does not process personal data.

    7. Description of the data subject’s rights related to the data processing: Data subjects have the option to delete cookies in the Tools/Settings menu of any browsers, usually under the Privacy settings.

    8. The legal basis of the data processing: Consent from the data subject is not required where the sole purpose of the use of cookies is the transmission of communications over the electronic communications network, or if it is absolutely indispensable for providing an information society service expressly requested by the subscriber or user.

    9. Most browsers used by our users allow you to set which cookies should be stored, and allow (specific) cookies to be deleted again. If you restrict the storing of cookies for specified websites, or you do not allow third-party cookies, this may in some circumstances mean that our website can no longer be used in its entirety. Further information on how cookie settings can be customized for the most common browsers:

Google Chrome (https://support.google.com/chrome/answer/95647?hl=en)

Internet Explorer (https://support.microsoft.com/en-us/topic/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d)

Firefox (https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences?redirect=no)

Safari (https://support.apple.com/en-gb/guide/safari/sfri11471/mac)

Use of Google Ads conversion tracking
        1. The data controller uses the online advertising solution Google Ads, and as part of this, Google’s conversion tracking service is used as well. Google’s conversion tracking is the analytics service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
        2. When User accesses a website via a Google advertisement, a cookie necessary for the conversion tracking is placed on User’s computer. The validity of these cookies is limited, and they do not contain any personal information, so User may not be identified by them.
        3. When User browses certain pages of the website, and the cookie has not yet expired, Google and the data controller both can see when User clicks on an advertisement.
        4. Every Google Ads client receives a different cookie, so they can be tracked via the websites of the Ads clients.
        5. The information gained via the conversion tracking cookies is used to create conversion statistics for the Ads clients choosing the conversion tracking option. This is how clients are informed of the number of users who clicked on their advertisements and were redirected to the page tagged with the conversion tracking code. At the same time, they do not receive any information that would be suitable for identifying any user.
        6. If you do not want to participate in the conversion tracking, you can refuse this by disabling the option of installing cookies in your browser. Following this, you will not be included in the conversion tracking statistics.
        7. Further information and Google’s privacy policy are available here: https://policies.google.com/privacy?gl=en&hl=en

Use of Google Analytics
    1. This website uses the Google Analytics application, which is the web analytics service offered by Google Inc. (“Google”). Google Analytics uses so-called “cookies,” small text files stored on your computer, which help in analysing the usage of the website visited by User.
    2. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. By activating IP anonymization on the website, User’s IP address is truncated prior to transfer/storage by Google in European Union Member States or other signatory states of the Agreement on the European Economic Area.
    3. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, to compile reports on website activity, and to provide other services relating to website and Internet usage to the website operator.
    4. The IP address transferred by your browser via Google Analytics will not be combined with other Google data. User can prevent the storage of cookies by using the appropriate setting in your browser software. However, please note that if you do this, you may not be able to make full use of all the features of this website. You can also prevent the collection of data generated by the cookie and relating to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Newsletter, direct marketing activities
    1. Based on Section 6 of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities, User may give his or her express prior consent to be contacted by Service Provider at the contact details specified at the time of registration with Service Provider’s promotional offers, and other communications.

    2. In addition, under the provisions of this Policy, User may consent to Service Provider’s processing of User’s personal data necessary for sending promotional offers.

    3. Service Provider shall not send unsolicited advertising messages, and User may opt-out of receiving offers without any restriction or justification, free-of-charge. In this case, Service Provider shall delete all of User’s personal data necessary for sending the promotional messages from its records, and shall not contact User with any further promotional offers. User may opt-out of the promotional emails by clicking on the link included in the message.

    4. The existence of data collection, the scope of the processed data, and the purposes of the processing:

| Personal data | The purpose of the processing | Legal basis |
|---|---|---|
| Name, email address, phone number. | Identification, enabling subscription to newsletter/promotional coupons/SMS campaigns. | The consent of the data subject, Section 6 (1) a) of the GDPR. Section 6 (5) of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities. |
| Time of subscription | For carrying out technical operations. | The consent of the data subject, Section 6 (1) a) of the GDPR. Section 6 (5) of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities. |
| IP address at the time of the subscription | For carrying out technical operations. | The consent of the data subject, Section 6 (1) a) of the GDPR. Section 6 (5) of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities. |


    5. The scope of data subjects: All data subjects subscribing to the newsletter.

    6. The purpose of the data processing: to send electronic promotional messages (email, SMS, push messages) to the data subject, including current information, promotions, new features, etc.

    7. Duration of the data processing, deadline for erasure of the data: data processing is carried on until withdrawal of the declaration of consent, that is, until unsubscribing.

    8. Potential data controllers to whom the data may be disclosed, recipients of the personal data: The personal data may be processed by the data controller, as well as its sales and marketing employees, in compliance with the above principles.

    9. Description of the data subject’s rights related to the data processing:

The data subject may request access to and rectification or erasure of, or restriction of the processing of personal data concerning the data subject from the controller; and
may object to the processing of his or her personal data; and
data subject has the right to data portability, or to withdraw the consent to processing at any time.

    10. Data subject may express objection, request the access to and rectification or erasure of the personal data, the restriction of their processing, or the portability of the data in the following ways:

by post at 1075 Budapest, Madách I.ú. 13-14.B. (complainant management: Nike Árkád: Árkád Budapest, Örs vezér tere 25/A, 1106),
via email at info@sportmonkey.hu; via phone at +36-70-771-6614.

    11. Data subject may unsubscribe from the newsletter free-of-charge at any time.

    12. Please, be informed that

  • the data processing is based on your consent and the service provider’s legitimate interest.
  • you are obliged to provide personal information if you want to receive the newsletter.
  • failure to provide the necessary data results in our inability to send you a newsletter. Please note that you may withdraw your consent at any time by clicking on the unsubscribe link.
  • the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Complaint handling
    1. The existence of data collection, the scope of the processed data, and the purposes of the processing:

| Personal data | The purpose of the processing | Legal basis |
|---|---|---|
| Surname and first name | Identification, communication. | GDPR Section 6 (1) c) and Section 17/A. (7) of Act CLV of 1997 on consumer protection. |
| Email address | Communication. | GDPR Section 6 (1) c) and Section 17/A. (7) of Act CLV of 1997 on consumer protection. |
| Phone number | Communication. | GDPR Section 6 (1) c) and Section 17/A. (7) of Act CLV of 1997 on consumer protection. |
| Billing name and address | Identification, and handling the quality concerns, questions and issues related to the ordered products. | GDPR Section 6 (1) c) and Section 17/A. (7) of Act CLV of 1997 on consumer protection. |

    2. The scope of data subjects: All data subjects making a purchase on the website and raising a quality-related objection or complaint.

    3. Duration of the data processing, deadline for erasure of the data: Based on Section 17/A. (7) of Act CLV of 1997 on consumer protection, copies of the statement of objection, the transcript and the response shall be retained for 5 years.

    4. Potential data controllers to whom the data may be disclosed, recipients of the personal data: The personal data may be processed by the data controller, as well as its sales and marketing employees, in compliance with the above principles.

    5. Description of the data subject’s rights related to the data processing:

The data subject may request access to and rectification or erasure of, or restriction of the processing of personal data concerning the data subject from the controller; and
data subject has the right to data portability, or to withdraw the consent to processing at any time.

    6. Data subject may request the access to and rectification or erasure of the personal data, the restriction of their processing, or the portability of the data in the following ways:

by post at 1075 Budapest, Madách I.ú. 13-14.B. (complainant management: Nike Árkád: Árkád Budapest, Örs vezér tere 25/A, 1106),
via email at info@sportmonkey.hu; via phone at +36-70-771-6614.

    7. Please, be informed that

  • the provision of personal data is based on a legal obligation.
  • processing of personal data is a prerequisite for the conclusion of the contract.
  • you are obliged to provide your personal data so that we can handle your complaint.
  • your failure to provide the necessary data results in our inability to handle your complaint.

Recipients of personal data
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

    1. Data processors (processing data on behalf of the controller)

In order to facilitate data controller’s data processing activities and the fulfilment of contractual and legal obligations, data controller shall involve data processors.

Data controller is particularly keen on using only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.

The data processor and any person having access to personal data, acting under the direction of the controller or the processor, shall process the personal data contained in this Policy only in accordance with the instructions of the controller.

The controller shall have legal responsibility for the data processors' activities. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

The processor shall make no substantial decisions regarding the processing of the data.

Data controller may involve a storage service provider for providing information technology, or a courier service for delivering the ordered products, as data processors.


    2. Individual data processors

| Data processing activity | Name, address, contact information |
|---|---|
| Storage service | Rackhost Zrt., 6722 Szeged Tisza Lajos krt. 41. info@rackhost.hu Phone: +36-1-445-1200 |
| Other data processor (e.g. online invoicing, web development, marketing) | Online invoicing: Billingo Zrt. 1133 Budapest, Árbóc u.6. III. Phone: +36-1-500-9491 |
| Other data processor (e.g. online invoicing, web development, marketing) | Péter Polák, self-employed entrepreneur, 9330 Kapuvár, Fő tér 14. |
| Other data processor (e.g. online invoicing, web development, marketing) | Newsletter sending platform: Mailchimp, www.mailchimp.com, c/o The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, MOSS No. EU372008134 |

 
    3. Transmission of data to third parties

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Third party data controllers process the personal data we transmit to them on their own behalf and in accordance with their own privacy policy.

| Data controller activity | Name, address, contact information |
|---|---|
| Delivery service | DPD Hungária Futárpostai Csomagküldő Szolgáltató Korlátolt Felelősségű Társaság, registered seat: 1158 Budapest, Késmárk u. 14/B., +36 (1) 501-6200, +36 (40) 100-373, dpd@dpd.hu |
| Delivery service | Csomagküldő.hu Kft., 1031 Budapest, Vizimolnár utca 10. 6/54., +36-1-400-8806 |
| Online payment | Sixpay system, Novopayment Kft. 1034 Budapest, Tímár u.20. IV. em. Call center +36-1-490-0234 |
| Online payment | PayPal, parent company: eBay Incorporated, registered seat: San Jose, California, USA. Contact: https://www.paypal.com/ |

Social Networking Sites
        1. The existence of data collection, the scope of the data processed: The username registered at social networking sites like Facebook/Twitter/Pinterest/YouTube/Instagram etc., and the user’s public profile picture.
        2. The scope of data subjects: All data subjects who are registered at social networking sites like Facebook/Twitter/Pinterest/YouTube/Instagram, etc. and “liked” Service Provider’s social networking page, or contacted the data controller via the social networking site.
        3. The purposes of the data collection: To have the website, or specific contents, products, promotions shared, liked, tracked or promoted on social networking sites.
        4. The duration of the data processing, the deadline for the erasure of the data, the potential data controllers to whom the data may be disclosed, and the description of the data subject’s rights related to the data processing: the data subject can find all information related to the process and the legal basis of the source, the processing and the transmission of the data on the relevant social networking site. The data processing takes place in the given social networking site, so the duration and the method of data processing, as well as the options for erasure and modification of the data are governed by the rules of the given social networking site.
        5. Legal basis of the data processing: the voluntary consent of the data subject to the processing of his or her personal data on the social networking sites.

Customer relationships and other data processing
    1. If questions arise in the course of rendering data controller’s services, or the data subject has a problem, the data subject may contact the data controller via the contact information provided on the website (phone number, email, social networking sites, etc.).
    2. The data controller shall erase all emails and messages, all data provided via phone, Facebook, etc. including the name and email address of the data subject together with any additional personal data voluntarily provided within a maximum of 2 years from the date of the disclosure of the data.
    3. Any data processing not included in this policy shall be described at the recording of the data.
    4. Service Provider is obliged to provide information, disclose and transfer data, and hand over documents upon an exceptional request by an authority, or upon request by another body authorised by legislation.
    5. In such cases, Service Provider shall disclose personal data to the requesting body – where it has specified the precise purpose and scope of the data requested – only to the extent that is strictly necessary for the purpose for which it was requested.


Rights of the Data Subjects
    1. The right of access

You shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to obtain access to that personal data and information included in the GDPR.

    2. Right to rectification

You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

    3. Right to erasure

You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase your personal data without undue delay where the legally specified conditions apply.

    4. Right to be forgotten

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

    5. Right to restriction of processing

You shall have the right to obtain from the controller restriction of processing where one of the following conditions applies:

  • you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
  • you have objected to the processing, pending the verification of whether the legitimate grounds of the controller override yours.

    6. Right to data portability

You shall have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (...)

    7. Right to object

In the case of data processing based on legitimate interests and the exercise of public powers as legal basis, you shall have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data (...), including profiling based on those provisions.

    8. Objection in the case of direct marketing

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

    9. Automated individual decision-making, including profiling

You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The above paragraph shall not apply if the decision:
  • is necessary for entering into, or performance of, a contract between you and a data controller;
  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.


Deadline for actions
The controller shall provide you information on actions taken upon request without undue delay and in any event within one month of receipt of the request.


This period may be extended by 2 months if necessary. The controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on your request, the controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

        1. the pseudonymisation and encryption of personal data;
        2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
        3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
        4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
        5. The processed data must be stored in such a manner that they cannot be subject to unauthorized access. In the case of paper-based media, this can be achieved by establishing a system for physical storage and archiving, and in the case of electronically processed data, via a centralized privilege management system.
        6. The information technology used for storing the data must be selected in a way that ensures that the erasure of the data can be carried out at the deadline for erasure, even in the case of various deadlines, or at any other time deemed necessary for any reasons. It must be impossible to restore the erased data.
        7. Personal data contained in paper-based media shall be destroyed via a shredder or a third-party service provider specialized in the destruction of documents. In the case of electronic media, physical destruction must be carried out in accordance with the rules pertaining to the disposition of electronic media, including a preliminary secure and unrestorable deletion of the data, where necessary.
        8. Data controller shall apply the below specific data security measures:

In order to ensure the security of personal data processed on a paper basis, Service Provider shall apply the following measures (physical protection):

    1. The documents are stored in a safe, lockable and dry room.
    2. Where personal data processed on a paper basis are digitalized, the rules pertaining to digitally stored documents shall be applied.
    3. In the course of working, the data processing employee of Service Provider shall only leave the room where the processing is carried out after locking away the media entrusted to him or her, or locking the room itself.
    4. The personal data may be accessible only to authorized persons, and shall not be accessible to third parties.
    5. Service Provider’s premises and facilities are equipped with fire protection and security equipment.

IT protection

    1. Computers and mobile devices (other media) used in data processing are the property of Service Provider.
    2. The computer system used by Service Provider for storing personal data is protected against viruses.
    3. To ensure the security of digitally stored data, Service Provider applies backup and archiving techniques.
    4. The central server machine may be accessed only by the designated persons with the proper authorization.
    5. The data stored on the computers may only be accessed with a user name and password.

Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the following information: the name and contact details of the data protection officer or other contact point where more information can be obtained; the likely consequences of the personal data breach; the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject shall not be required if any of the following conditions are met:

  • the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

Notification of a personal data breach to the supervisory authority
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Review in the case of mandatory data processing
In the case of mandatory data processing, where the period for which the personal data are processed and the intervals for reviewing the necessity of the processing are not determined by the law, municipal decree or a legally binding legal measure of the European Union, the data controller shall review, at least every three years from the start of the processing, whether the personal data processed by the data controller, or by a data processor acting on the data controller’s behalf or under the data controller’s instruction, are necessary for achieving the purpose of the data processing.

The circumstances and results of this review shall be documented by the data controller, the relevant documentation shall be retained for 10 years following the review, and it shall be made available to the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter referred to as: Authority) upon request.

Complaint procedures
In the case of any violation by the data controller, you can lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information:

Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information)
1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

Closing remarks
The following legislation was taken into consideration when preparing this policy:

THE 2016/679 DECREE OF THE EUROPEAN PARLIAMENT AND COUNCIL (EU) (dated April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Act CXII of 2011 on Informational Self-Determination and Freedom of Information ("Privacy Act");
Act CVIII of 2001 on certain issues of electronic commerce services and information society services; and with other pertinent regulations (specifically paragraph 13/A.);
Act XLVII of 2008 on the prohibition of unfair business-to-consumer commercial practices;
Act XLVII of 2008 on the prohibition of unfair business-to-consumer commercial practices (specifically paragraph 6);
Act XC of 2005 on the freedom of Information by electronic means;
Act C of 2003 on electronic communications (specifically paragraph 155);
Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising;
Recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of preliminary information.

 

For our webshop, Worldline – SIX Payment Services provides the possibility to accept your card. When you pay by card, at the time of making your payment you will be redirected to the service provider’s payment site – Saferpay – so the payment takes place directly on the site operated by the service provider in accordance with the regulations and safety requirements of the international card networks.

The webshop shall not receive your card information (e.g. number or expiry date) and the related bank account information in any form and shall have no access to these whatsoever.

Please prepare your card for making the payment. In order to pay by card, you will need the following information:

• Card number (13–19-digit number printed or embossed on the front of the card)

• Expiry date (mm/yy format number printed or embossed on the front of the card)

• Security code (the last three digits of the number sequence in the signature field on the back of the card {CVV2 or CVC2}). (Some Maestro cards are not suitable for online purchase. In such cases, please contact the bank issuing your card.)

To further enhance the security of online card acceptance, Worldline – SIX Payment Services introduced 3D Secure, i.e. the Verified by Visa/MasterCard SecureCode (VbV/MSC) service. Under this service, the bank issuing the card used for payment provides an additional means of authentication for the card holder, which is verified in the course of the transaction to unambiguously identify the person using the card.

If the VbV/MSC service is not available at the bank issuing your card, or you have not requested it, the payment process will not change. The webshop shall redirect you to the Saferpay site of Worldline – SIX Payment Services, where you shall provide your card information (card number, expiry date, security code).

If your card has the VbV/MSC service activated, the payment process will change. After you enter your card information (card number, expiry date, security code), the bank issuing your card will automatically redirect you to the appropriate site for completing the authentication procedure. Following the successful authentication, the payment transaction continues, you shall receive a notification of the successful transaction, and you shall be redirected to the webshop. In case the authentication cannot be carried out, the transaction shall fail.