The seller is committed to protecting the personal data of its customers and partners, and attaches the utmost importance to respecting the right of customers to information self-determination. The Seller shall treat personal data confidentially and shall take all security, technical and organisational measures to guarantee the security of the data.
The Seller sets out below its data management principles, the expectations it has set for itself as a data controller and the standards it adheres to. Its data management principles are in accordance with the applicable legislation on data protection, in particular the following:
- Regulation 2016/679 of the European Parliament and of the Council (the Regulation)
- Act CXII of 2011 - on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
- Act V of 2013 - on the Civil Code (Civil Code);
- Act CLV of 1997 - on Consumer Protection (Fgytv.);
- Act XIX of 1998 - on Criminal Procedure (Be.);
- Act C of 2000 - on Accounting (Accounting Act);
- Act CVIII of 2001 - on certain aspects of electronic commerce services and information society services (Eker. tv.);
- Act C of 2003 - on Electronic Communications (Eht.);
- Act XLVIII of 2008 - on the Basic Conditions and Certain Restrictions of Economic Advertising Activities (Act XLVIII of 2008);
data processing: The performance of technical tasks related to data processing operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
restriction of processing: the marking of personal data stored for the purpose of limiting their processing in the future;
controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or has a processor on its behalf carry out the processing;
the marking of data with an identifier in order to distinguish them;
data destruction: the total physical destruction of a data medium containing data;
data transfer: the making available of data to a specified third party;
rendering the data unrecognisable in such a way that their recovery is no longer possible;
a personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;
the marking of data with an identification mark for the purpose of limiting their further processing, either permanently or for a limited period of time;
the natural or legal person, public authority, agency or any other body with whom or to which the personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the framework of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities should comply with the applicable data protection rules in accordance with the purposes of the processing;
any natural person identified or identifiable, directly or indirectly, on the basis of personal data;
data subject's consent: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by an act expressing unambiguous consent, signifies agreement to the processing of personal data concerning him or her;
third party, third person: a natural or legal person, public authority, agency or any other body which is not the same as the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
third country: any State which is not an EEA State.
disclosure: making the data available to any person;
'filing system' means a set of personal data, structured in any way, whether centralised, decentralised or structured according to functional or geographical criteria, which is accessible on the basis of specified criteria.
any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person;
relevant and reasoned objection: an objection to a draft decision, raised on the grounds of whether the Regulation has been infringed or whether the envisaged action by the controller or processor is in compliance with the Regulation; the objection must clearly demonstrate the significance of the risks posed by the draft decision to the fundamental rights and freedoms of data subjects and, where applicable, to the free flow of personal data within the Union;
personal data: any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the erasure of the data processed or the cessation of such processing.
PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA
Personal data may be processed where
(a) the data subject consents to the processing of his or her personal data for one or more purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or is necessary for the purposes of taking steps at the request of the data subject prior to entering into that contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) it is required by law or, where authorised by law and within the scope specified therein, by an ordinance of a local authority for a purpose in the public interest (mandatory processing);
(e) processing is necessary for the protection of the vital interests of the data subject or of another natural person; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
The declaration of an incapacitated minor or a minor with limited capacity to act under the age of 16 requires the consent of his or her legal representative. Where the data subject is unable to give his or her consent due to incapacity or for other reasons beyond his or her control, personal data of the data subject may be processed to the extent necessary to protect his or her vital interests or those of another person or to prevent or respond to an imminent threat to the life, physical integrity or property of a person, as long as the obstacles to consent persist.
The processing of personal data shall be lawful, fair and transparent for the data subject. Personal data may be processed only for specified purposes, for the exercise of a right and for the performance of an obligation. The processing must comply with this purpose at all stages and the collection and processing of data must be fair.
Only personal data which are necessary for the purpose of the processing and adequate for that purpose may be processed, and only to the extent and for the duration necessary for that purpose.
The data subject must be informed before the processing starts whether the processing is based on consent or whether it is mandatory. The data subject must be informed, in a clear, plain and detailed manner, of all the facts relating to the processing of his or her data, in particular the purposes and legal basis of the processing, the identity of the controller and of the processor, the duration of the processing, whether the controller is processing the personal data of the data subject with the consent of the data subject and for the purposes of complying with a legal obligation to which the controller is subject or for the purposes of the legitimate interests of a third party, and the identity of the third parties to whom the data may be disclosed. The information should also cover the rights and remedies of the data subject in relation to the processing.
The processing should ensure that the data are accurate, complete and up-to-date and that the data subject can be identified only for the time necessary for the purposes for which the data are processed.
Personal data may be transferred to a controller in a third country or to a processor in a third country if the data subject has given his or her explicit consent or if the conditions for processing set out above are met and the third country ensures an adequate level of protection of personal data during the processing of the data transferred. Transfers to EEA States shall be considered as transfers within the territory of Hungary.
THE SCOPE OF PERSONAL DATA, THE PURPOSE, THE LEGAL BASIS AND THE DURATION OF THE PROCESSING
DATA PROCESSING IN THE ONLINE SHOP
4.1. Legal basis for data processing: voluntary consent of the data subject, Section 169 (2) of the Act on Accounting.
Data processed: date, time, name, address, billing address, delivery address, telephone number, e-mail address, date of birth, name of the products purchased/ordered, quantity, purchase price.
Duration of data processing: in the case of ordering products, the name and telephone number of the purchaser until the notification, until the purchase of the product, and for the remaining data, in accordance with Section 169 (2) of the Act on Accounting, eight years. The data subject's name, billing and delivery address and telephone number can be voluntarily retained, by saving the data, until the deletion of his/her user account.
In case of payment by card, the credit card and card payment transaction data are processed by OTP Mobil or PayPal.
Online credit card payments are made through the Barion system. Credit card details are not passed on to the merchant. The service provider Barion Payment Zrt. is an institution supervised by the National Bank of Hungary, licence number H-EN-I-1064/2013.
- In case of payment by credit card, the payer's ID, the amount, date and time of the transaction are transmitted to the Bank. The legal basis for the data transfer is Article 6(6) of the Data Protection Act and the voluntary consent of the data subject.
- To the courier service for home delivery/parcel point to point delivery (GLS). The legal basis for the data transfer is the consent of the data subject.
4.2. HANDLING OF QUALITY COMPLAINTS
The purpose of the processing is to handle quality complaints regarding the services provided by the seller.
Legal basis for data processing: voluntary consent of the data subject, Section 169 (2) of the Act on Accounting and Section 17/A (7) of the Act on Consumer Protection.
Data processed: name, address of the consumer, name of the consumer goods, purchase price, date of purchase and date of notification of the defect, description of the defect, the claim the consumer wishes to assert and the method of settlement of the complaint.
Duration of processing:
- eight years for return receipts in accordance with Section 169 (2) of the Act on Accounting,
- five years in respect of the minutes of the complaint and copies of the replies to written complaints pursuant to Section 17/A (7) of the Act on Consumer Protection,
- two years for copies of entries in the customer register.
The seller, as the operator of the andyourstories.com website, places and reads back a small package of data, known as a cookie, on the user's computer in order to provide a personalised service. When the browser returns a previously saved cookie, the cookie provider has the possibility to link the user's current visit to previous visits, but only in relation to its own content.
The purposes of the processing are: to identify and distinguish users, to identify users' current session, to store the data provided during that session, to prevent data loss, to identify and track users, to display personalised offers using the data recorded during the website visit.
Legal basis for processing: consent of the data subject.
Data processed: identification number, date, time.
Legal basis for processing: consent of the data subject.
Graphical measuring points have been placed on the site, the measurement results of which are recorded by the website server. The graphical measuring points do not allow visitors to the website to be identified subsequently.
4.4. ONLINE SHOP REGISTRATION, ORDERING
The purpose of the data processing is: shopping in the webshop on the andyourstories.com website, issuing invoices, registering and distinguishing customers, fulfilling orders, documenting purchases and payments, fulfilling accounting obligations, maintaining customer relations, analysing customer habits, providing a more targeted service.
Legal basis for data processing: the voluntary consent of the data subject, § 13/A of the Eker. tv., § 169 (2) of the Számv. tv. and § 169 (2) of the Grt. Article 169, paragraph (2) of the Data Protection Act, § 6 (5).
The data processed include: name, address, delivery address, billing address, e-mail address, telephone number, date of birth, e-mail address and password for logging in, data on individual purchases (date, time, product purchased, value of the purchase), billing address, delivery address, consent to direct marketing enquiries.
Duration of data processing:
- four years from the last login or purchase in respect of profile data,
- eight years in respect of purchase data pursuant to Section 169 (2) of the Act on Accounting.
In the case of card payments, the data of the credit card and the card payment transaction are processed by OTP Mobil.
Transmission of data:
- if you choose to pay by credit card, the payer's ID and the amount, date and time of the transaction are transmitted to the Bank. Legal basis for the transfer: voluntary consent of the data subject.
CONTACTING THE SELLER
4.5. CORRESPONDENCE FROM THE SELLER'S CUSTOMER
If you have any questions when using the services, you can contact the data controller using the contact details provided in this information notice or on the website and the form available in the "Contact" section of the website. The seller shall delete all e-mails received by it, together with the sender's name, e-mail address, date, time and other personal data provided in the message, after a maximum of five years from the date of the communication.
Any processing not listed in this notice will be notified by the seller at the time the data are recorded. The court, the prosecutor, the investigating authority, the law enforcement authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorised by law may request the controller to provide information, to communicate or transfer data or to provide documents. The vendor shall disclose personal data to the public authorities - if the public authority has indicated the precise purpose and scope of the data - only to the extent strictly necessary for the purpose of the request.
METHOD OF STORAGE OF PERSONAL DATA, SECURITY OF PROCESSING
The seller's computer systems and other data storage locations are located at its headquarters. The vendor shall select and operate the IT tools used to process personal data in the course of providing the service in such a way that the data processed:
(a) is accessible to authorised persons (availability);
(b) its authenticity and authentication are ensured (authenticity of processing);
(c) its integrity can be verified (data integrity);
(d) is protected against unauthorised access (data confidentiality).
The vendor shall take appropriate measures to protect the data, in particular against unauthorised access, alteration, transmission, disclosure, deletion or destruction, accidental destruction, damage and loss of accessibility due to changes in the technology used.
The vendor shall ensure, by appropriate technical means, that the data stored in its various registers are not directly associable and attributable to the data subject, except where permitted by law, in order to protect the data files managed electronically.
The vendor shall ensure the security of data processing by technical and organisational measures, taking into account the state of the art, which provide a level of protection appropriate to the risks associated with the processing.
The seller shall, during the processing, maintain:
(a) confidentiality: it shall protect the information so that only authorised persons have access to it;
(b) integrity: it shall protect the accuracy and completeness of the information and the method of processing;
(c) availability: it shall ensure that the authorised user has effective access to the information required when he or she needs it and that the means to access it are available.
The IT system and network of the vendor and its partners are protected against computer fraud, espionage, sabotage, vandalism, fire and flooding, computer viruses, computer intrusions and attacks that lead to denial of service. The operator ensures security through server-level and application-level protection procedures.
In the event of a data protection incident, the vendor, as data controller, shall notify the supervisory authority without undue delay, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.
Electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.) are vulnerable to network threats that could lead to fraudulent activity, contract disputes, or the disclosure or modification of information. The controller will take all reasonable precautions to protect against such threats. It monitors systems in order to record and provide evidence of any security incidents. System monitoring also allows the effectiveness of the precautions taken to be checked.
DATA CONTROLLER'S DETAILS, CONTACT DETAILS
Name: ANDYOURSTORIES Hungary Kft.,
Company registration number: 01-09-372494,
Tax number: 28753522-1-42,
Telephone number: 0036709359711 (regular rate)
DATA PROCESSORS' DETAILS, CONTACT DETAILS
The seller reserves the right to use data processors, the identity of which shall be notified individually before the processing begins, subject to the right to object.
RIGHTS OF THE DATA SUBJECT, REMEDIES
The data subject shall have the right to obtain feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access to the personal data and information relating to the processing of his or her personal data. The data subject may, at any time, request information on the processing of his or her personal data, the rectification of his or her personal data, the restriction of processing, or, except for mandatory processing, the erasure or blocking of personal data, and object to the processing of his or her personal data, by the means indicated when the data were collected or by contacting the controller at the contact details indicated.
Withdrawal of consent to processing shall not affect the lawfulness of the processing carried out prior to the withdrawal.
The data subject shall have the right to receive personal data concerning him or her in a structured, commonly used, machine-readable format, to transmit such data to another controller without hindrance from the controller to which he or she has provided the personal data (data portability).
The controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For additional copies requested by the data subject, the controller may charge a reasonable, predetermined fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.
At the request of the data subject, the vendor, as controller, shall provide information on the data processed by it or by a processor on its behalf, the source of the data, the purposes, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing and, in the case of a transfer, the legal basis and the recipient of the transfer. The controller shall provide the information free of charge and in an intelligible form, in writing at the request of the data subject, as soon as possible after the request has been made, but not later than 30 days.
The data subject shall have the right to obtain from the controller, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.
The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller where:
- the data subject contests the accuracy of the personal data, in which case the restriction shall be for a period of time which allows the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
- the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing, in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.
The controller shall inform in advance the data subject whose request for restriction of processing has been complied with as set out above of the lifting of the restriction of processing.
The controller shall inform all recipients to whom or with whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients.
The vendor shall block the personal data if the data subject so requests or if, on the basis of the information available to him or her, it is likely that erasure would harm the data subject's legitimate interests. The blocked personal data may be processed only for as long as the processing purpose which precluded the deletion of the personal data persists. The vendor shall mark the personal data it processes where the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.
The data subject shall have the right to obtain from the controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the controller shall be obliged to erase personal data relating to the data subject without undue delay where one of the following grounds applies. The vendor shall erase personal data where the processing is unlawful, the data subject requests it, the data subject withdraws his or her consent, the processed data is incomplete or inaccurate and cannot be lawfully rectified, provided that erasure is not excluded by law, the purpose of the processing has ceased to exist or the statutory time limit for storing the data has expired, the data subject objects to the processing and there are no overriding legitimate grounds for further processing, or it has been ordered by a court or the National Authority for Data Protection and Freedom of Information, or it must be erased in order to comply with a legal obligation under Union or Member State law applicable to the controller. The controller has 30 days to erase, block or rectify the personal data. If the controller does not comply with the data subject's request for rectification, blocking or erasure, it shall give the reasons for its refusal in writing within 30 days.
The vendor shall notify the rectification, blocking, flagging and erasure to the data subject and to all those to whom the data were previously disclosed for processing. It shall refrain from such notification where the legitimate interests of the data subject would not be prejudiced having regard to the purposes of the processing.
The data subject may object to the processing of his or her personal data if
(a) the processing or further processing of the personal data is necessary for the fulfilment of a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller, the recipient or a third party, unless the processing is required by law;
(b) the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes;
(c) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(d) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child;
(e) in other cases provided for by law. In the above case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The seller shall examine the objection, decide whether it is justified and inform the applicant in writing of its decision within the shortest possible period of time from the date of the request, but not exceeding 15 days. If the controller establishes that the data subject's objection is justified, the controller shall terminate the processing, including further collection and further transmission, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data covered by the objection have been disclosed and who are obliged to take measures to enforce the right to object. If the data subject disagrees with the controller's decision, he or she may, within 30 days of its notification, challenge it in court.
The seller may not erase the data subject's data if the processing is required by law. However, the data may not be transferred to the data importer if the controller has consented to the objection or if the court has ruled that the objection is justified. The data subject may take legal action against the controller in the event of a breach of his or her rights.
The seller shall compensate any damage caused to another party by unlawful processing of the data subject's data or by a breach of data security requirements. In the event of a violation of the data subject's right to privacy, the data subject may claim damages (Civil Code, Section 2:52). The data controller is also liable to the data subject for damage caused by the data processor. The controller shall not be liable if the damage was caused by an unavoidable cause outside the scope of the processing. The controller shall not compensate the damage and no compensation may be claimed if the damage was caused by the intentional or grossly negligent conduct of the data subject or the infringement of the right to privacy.
Legal remedies and complaints may be lodged with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Address for correspondence: 1530 Budapest, Pf.: 5., Hungary
Phone: 003613911400 Fax: 003613911410