Data protection
1. Introduction
ANDYOURSTORIES Hungary Kft. (Hungary 1033 Budapest Szentendrei út 95.; Company registration number: 01-09-372494, tax number: 28753522-2-41; hereinafter seller, data controller), as data controller, acknowledges the content of this legal notice as binding on itself. It undertakes that all data processing related to its activities complies with the expectations set out in this policy and in the applicable laws. The data protection policies related to the seller's data processing activities are continuously available at the web address. The seller reserves the right to change this notice at any time. Any changes will be communicated to buyers and prospective contractual partners, as the persons concerned by the data processing, in due time in a separate notice in the footer section of the andyourstories website, at least 8 (eight) days before the changes take effect.
The seller is committed to protecting the personal data of its customers and partners, and considers it especially important to respect customers' right to informational self-determination. The seller handles personal data confidentially and takes all security, technical, and organizational measures necessary to guarantee the safety of the data.
The seller sets out its data processing principles below, and presents the expectations it has formulated for itself as a data controller and complies with them. Its data processing principles are in accordance with the applicable data protection laws, in particular the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (Regulation)
- Act CXII of 2011 – on the right to informational self-determination and freedom of information (Infotv.);
- Act V of 2013 – on the Civil Code (Ptk.);
- Act CLV of 1997 – on consumer protection (Fgytv.);
- Act XIX of 1998 – on criminal procedure (Be.);
- Act C of 2000 – on accounting (Accounting Act);
- Act CVIII of 2001 – on certain issues of electronic commerce services and services related to the information society (Eker. Act);
- Act C of 2003 – on electronic communications (Eht.);
- Act XLVIII of 2008 – on the fundamental conditions and certain limitations of commercial advertising activities (Grt.);
DEFINITIONS
data processing: performing technical tasks related to data processing operations, regardless of the method and tool used for executing the operations, as well as the place of application, provided that the technical task is carried out on the data;
is the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
any operation or set of operations performed on personal data or data sets, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution or otherwise making available, alignment or combination, restriction, erasure, or destruction;
restriction of processing: the marking of stored personal data with the aim of restricting their future processing;
controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific rules for the designation of the controller may be laid down by Union or Member State law;
controller: the natural or legal person, or organization without legal personality, who or which, alone or jointly with others, determines the purposes of the processing of data, makes and implements decisions concerning the processing (including the tool used), or has such processing carried out by a processor appointed by them;
the labeling of data with an identifier for the purpose of distinguishing it;
data destruction: the complete physical destruction of the data carrier containing the data;
data transmission: making the data accessible to a specific third party;
the irretrievable destruction of data in such a way that it can no longer be restored;
data breach: a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed;
the marking of the data with an identifier in order to finally or for a specified period limit its further processing;
the natural or legal person, public authority, agency or any other body to whom or with whom the personal data are disclosed, regardless of whether they are a third party. The public authorities which may have access to personal data in the context of a specific inquiry in accordance with Union or Member State law are not to be regarded as recipients; the processing of those data by those public authorities must comply with the applicable data protection rules relevant to the purposes of the processing;
any identified natural person or natural person identifiable — directly or indirectly — by any specified personal data;
the data subject's consent: the data subject's voluntary, specific and informed expression of will, clearly indicating by declaration or by an unambiguous affirmative action that they agree to the processing of their personal data;
third party, third person: a natural or legal person, public authority, agency or any other body which is not identical to the data subject, the data controller, the data processor or the persons who, under the direct authority of the data controller or data processor, have been authorised to process personal data;
third country: any state that is not an EEA state.
disclosure: making the data accessible to anyone;
registry system: a collection of personal data organized in any form – centralized, decentralized, or by functional or geographical criteria – that is accessible based on specified characteristics;
any form of automated processing of personal data consisting of the evaluation of certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
relevant and well-founded objection: an objection lodged against the draft decision alleging that the Regulation has been infringed and/or that the proposed measure concerning the controller or processor is not in accordance with the Regulation; the objection must clearly demonstrate the significance of the risks to the data subject’s fundamental rights and freedoms and, where applicable, to the free movement of personal data within the Union posed by the draft decision;
personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
objection: a statement by the data subject by which they contest the processing of their personal data and request that the processing be discontinued and the processed data be erased.
PRINCIPLES DURING DATA PROCESSING
Personal data may be processed if
a) the data subject consents to the processing of his or her personal data for one or more specific purposes;
b) processing of personal data is necessary for the performance of a contract to which the data subject is a party, or is necessary to take steps at the request of the data subject prior to entering into a contract;
c) the processing of data is necessary for the data controller to fulfill its legal obligations;
d) it is ordered by law or, based on authorization by law and within the scope defined therein, by municipal ordinance for a purpose of public interest (mandatory data processing);
e) the processing is necessary to protect the vital interests of the data subject or another natural person; or
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The consent of the legal representative is required for the declaration of an incapacitated person and a minor under 16 with limited legal capacity. If the data subject is unable to give consent due to incapacity or another unavoidable reason, the personal data of the data subject may be processed to the extent necessary to protect the vital interests of the data subject or another person, and to avert or prevent an immediate threat to persons' lives, physical integrity, or property while the obstacles to consent persist.
Personal data must be processed lawfully and fairly, and in a manner transparent to the data subject. Personal data may be processed only for specified purposes, and for the exercise of rights and the fulfillment of obligations. At every stage, data processing must comply with this purpose, and the collection and processing of data must be fair.
Only personal data that is essential for achieving the purpose of processing, suitable for achieving that purpose, and processed to the extent and for the duration necessary for the purpose may be processed. Personal data may only be processed with consent based on appropriate information.
Before starting the processing of personal data, the data subject must be informed whether the processing is based on consent or is mandatory. The data subject must be informed — clearly, understandably and in detail — of all facts related to the handling of their data, in particular the purpose and legal basis of the processing, the person authorized to process and to carry out data processing, the duration of the processing, whether the controller processes the data with the data subject’s consent or for the purpose of fulfilling a legal obligation applicable to the controller or to safeguard a legitimate interest of a third party, and who may have access to the data. The information must also cover the data subject’s rights and available remedies related to the processing.
During data processing, the accuracy, completeness and currency of the data must be ensured, and the data subject must be identifiable only for the time necessary for the purpose of processing.
Personal data may be transferred to a controller carrying out data processing in a third country or disclosed to a processor performing data processing in a third country only if the data subject has explicitly consented to it, or the conditions for data processing specified above are met, and adequate protection of personal data is ensured during the processing and handling of the transferred data in the third country. Data transfers to EEA states shall be treated as if the transfer were taking place within the territory of Hungary.
THE SCOPE OF PERSONAL DATA, THE PURPOSE, LEGAL BASIS AND DURATION OF DATA PROCESSING
The seller’s data processing activities are based on voluntary consent. Data subjects expressly consent to the processing of the personal data they provide by accepting this Privacy Notice before finalizing their order; this consent is a prerequisite for concluding the contract, as the service cannot be provided without supplying the personal data specified in this section. In certain cases, the processing, storage, and transmission of a subset of the provided data is required by law; if such a circumstance arises, the seller will separately notify the data subjects. Data providers are only authorized to supply their own personal data for the purpose of data processing. The data provider is responsible for the accuracy and correctness of the data they supply. The seller does not use the provided personal data for automated decision-making or profiling.
ONLINE STORE DATA PROCESSING
4.1. CUSTOMER DATA
Purpose of processing: purchase and ordering via the seller's website (www.andyourstories.com), issuing invoices, maintaining a record of customers, distinguishing customers from one another, order fulfillment, documenting purchase and payment, fulfilling accounting obligations, customer communication, analysis of customer habits, and more targeted service.
Legal basis for processing: the data subject's voluntary consent, Section 169 (2) of the Accounting Act.
Scope of processed data: date, time, name, residential address, billing address, delivery address, phone number, e-mail address, birthday, the names, quantities and purchase prices of purchased/ordered products.
Duration of processing: for product orders, the buyer's name and phone number are processed until notification and until the product is purchased; other data are retained for eight years in accordance with Section 169 (2) of the Accounting Act. The data subject may voluntarily extend the retention period for their name, billing and delivery addresses, and phone number by saving the data until the deletion of their user account.
For card payments, the credit card and card payment transaction data are handled by OTP Mobil or PayPal.
Online card payments are processed through the Barion system. Card details are not transmitted to the merchant. The service provider, Barion Payment Zrt., is an institution supervised by the Magyar Nemzeti Bank; authorization number: H-EN-I-1064/2013.
Data transfer:
- In the case of card payments, the payer's identifier, the transaction amount, date and time will be forwarded to the Bank. The legal basis for data transfer: Section 6 (6) of the Infotv. and the data subject's voluntary consent.
- To the courier service that performs home delivery/parcel shop delivery (GLS). The legal basis for the data transfer is the data subject's consent.
4.2. HANDLING QUALITY COMPLAINTS
The purpose of data processing: handling quality complaints arising in connection with the services provided by the seller.
The legal basis for data processing: the data subject's voluntary consent, Section 169 (2) of the Accounting Act, and Section 17/A (7) of the Act on Consumer Protection.
The scope of processed data: the consumer's name, address, the name of the commodity, purchase price, the date and time of the purchase and of the fault notification, a description of the fault, the claim the consumer wishes to enforce and the method of resolving the complaint.
Duration of data processing:
- regarding return merchandise documents, eight years in accordance with Section 169 (2) of the Accounting Act,
- as for the copies of the records taken regarding complaints and the responses given to written complaints, five years pursuant to Section 17/A (7) of the Fgytv.,
- two years regarding duplicates of entries made in the customers' book.
4.3. Website COOKIE MANAGEMENT for andyourstories.com
As the operator of the andyourstories.com website, the seller places and reads a small data package, called a cookie, on the user's computer to provide personalized service. If the browser returns a previously saved cookie, the provider that manages the cookie can link the user's current visit with previous ones, but only in relation to its own content.
The purpose of data processing: identifying users, distinguishing them from each other, identifying users' current sessions, storing the data provided during those sessions, preventing data loss, identifying and tracking users, and displaying personalized offers using data recorded during website visits.
The legal basis for data processing: the data subject's consent.
The scope of processed data: identification number, date, time.
The legal basis for data processing: the consent of the data subject.
The user can delete cookies from their own computer and can also disable the use of cookies in their browser. Cookies are usually managed in the browser's Tools/Settings menu under Privacy settings, labeled as cookie or cookies.
Graphic measurement points have been placed on the site, and the website's server records the measurement results. Based on the graphic measurement points, visitors to the website cannot be identified later.
4.4. ONLINE STORE REGISTRATION, ORDER
Purpose of data processing: purchasing in the online store on andyourstories.com, issuing invoices, registering customers, distinguishing them from each other, fulfilling orders, documenting purchases and payments, fulfilling accounting obligations, customer communication, analyzing customer habits, and providing more targeted service.
Legal basis for data processing: the data subject's voluntary consent, Section 13/A of the Eker. Act, Section 169 (2) of the Accounting Act, and Section 6 (5) of the Grt.
The scope of processed data: name, address, delivery address, billing address, e‑mail address, telephone number, date of birth, the e‑mail address and password required for login, data of individual purchases (date, time, purchased product, purchase value), billing address, delivery address, consent given for direct marketing contact.
Duration of data processing:
- for profile data, four years from the last login or purchase,
- for purchase data, eight years in accordance with Section 169 (2) of the Accounting Act.
In the case of card payments, the bank card and the card payment transaction data are handled by OTP Mobil.
Data transfer:
- if the card payment method is chosen, the payer's identifier, the transaction amount, date, and time are transferred to the Bank. Legal basis for the data transfer: the data subject's voluntary consent.
CONTACT THE SELLER
4.5. SELLER CUSTOMER CORRESPONDENCE
If you have any questions while using the services, you can contact the data controller using the contact details provided in this notice, those posted on the website, or by using the form found in the website’s “Contact” menu. The seller will delete every e‑mail received by it, together with the sender’s name, e‑mail address, the date and time data, and any other personal data provided in the message, no later than five years after the communication of the data.
OTHER DATA HANDLING
The seller provides information about any personal data processing not listed in this notice at the time the data is collected. Courts, prosecutors, investigative authorities, administrative offense authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, or other bodies authorized by law may contact the data controller to request information, disclosure, transfer of data, or provision of documents. The seller will disclose personal data to authorities only to the extent and in the amount that is strictly necessary to achieve the purpose specified by the requesting authority, provided the authority has indicated the precise purpose and the scope of the data.
METHOD OF STORING PERSONAL DATA, SECURITY OF DATA PROCESSING
The seller's computer systems and other data storage locations are located at its headquarters. When processing personal data in the provision of the service, the seller selects and operates the IT tools used so that the processed data:
a) are accessible to authorized persons (availability);
b) have their authenticity and authentication ensured (authenticity of data processing);
c) can be verified as unaltered (data integrity);
d) are protected against unauthorized access (data confidentiality).
The seller protects the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental loss, damage, and becoming inaccessible due to changes in the technology used.
The seller ensures, by means of appropriate technical solutions, that the electronically managed data sets in its various records are protected so that the stored data — except where permitted by law — cannot be directly linked to and assigned to the data subject.
The seller, taking into account the state of the art of the technology at any given time, shall ensure the protection of data processing security by means of technical, organizational and managerial measures that provide a level of protection appropriate to the risks associated with data processing.
During data processing, the seller preserves:
a) confidentiality: protects information so that only authorized persons can access it;
b) integrity: protects the accuracy and completeness of the information and the processing method;
c) availability: ensures that when an authorized user needs it, they can actually access the desired information and that the tools related to this are available.
The seller's and its partners' IT systems and network are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer intrusions and attacks leading to denial of service. The operator ensures security with server-level and application-level protective procedures.
In the event of a data breach, the seller, as the data controller, shall notify the supervisory authority without undue delay, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Electronic messages transmitted over the Internet, regardless of protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that can lead to fraudulent activity, disputes over contracts, or the disclosure or alteration of information. To protect against such threats, the data controller takes all reasonable precautions. Systems are monitored so that any security deviations can be recorded and evidence can be provided in the event of any security incident. In addition, system monitoring enables verification of the effectiveness of the precautions taken.
THE DATA CONTROLLER'S DETAILS, CONTACT INFORMATION
Name: ANDYOURSTORIES Hungary Ltd.
Headquarters: 1149 BUDAPEST EGRESSY ÚT 74.
Company registration number: 01-09-372494
Tax number: 28753522-1-42
Phone number: 0036709359711 (callable at standard rates)
E-mail:
DATA PROCESSORS' DETAILS AND CONTACT INFORMATION
The seller reserves the right to engage data processors, and will provide individualized information about the identity of such data processors before the processing begins, ensuring the opportunity to raise objections.
YOUR RIGHTS, REMEDIES AND POSSIBLE COURSES OF ACTION
The data subject has the right to be informed whether the processing of their personal data is taking place, and if such processing is underway, they are entitled to access the personal data and information related to the processing of their personal data. The data subject may at any time request information about the processing of their personal data, request correction of their personal data, restriction of processing, or — except for mandatory processing — deletion or blocking, and may object to the processing of their personal data in the manner indicated when the data were collected or via the contact details provided by the data controller.
The withdrawal of consent to data processing does not affect the lawfulness of the data processing carried out prior to the withdrawal.
The data subject has the right to receive the personal data concerning them in a structured, commonly used, machine-readable format, and to transmit those data to another data controller without being prevented by the data controller to whom the personal data were provided (data portability).
The data controller will provide the data subject with a copy of the personal data subject to processing. For any additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs, communicated in advance. If the data subject submitted the request electronically, the information must be provided in a widely used electronic format, unless the data subject requests otherwise.
At the request of the data subject, the seller, as the data controller, shall provide information about the data it processes or that is processed by a processor it has engaged, including their sources, the purpose, legal basis and duration of the processing, the name and address of the data processor and the processing activities related to data management, and in case of data transfers, the legal basis for the transfer and the recipient. The data controller shall provide this information free of charge in a clear and comprehensible form — in writing upon the data subject's request — as soon as possible after receipt of the request, but no later than within 30 days.
The data subject has the right to request that the data controller rectify inaccurate personal data concerning them without undue delay. Taking into account the purposes of the data processing, the data subject also has the right to request the completion of incomplete personal data — including by means of an additional statement.
The data subject has the right to request that the data controller restrict processing if the data subject contests the accuracy of the personal data; in this case the restriction applies for the period that allows the data controller to verify the accuracy of the personal data; if the processing is unlawful and the data subject opposes the erasure of the data and instead requests restriction of their use; if the data controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defense of legal claims; or if the data subject has objected to the processing; in this case the restriction applies for the period until it is determined whether the data controller’s legitimate grounds override the data subject’s legitimate grounds. The data controller shall inform the data subject whose request led to a restriction of processing in advance of the lifting of the restriction.
The data controller informs all recipients to whom the personal data have been disclosed about the rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. At the data subject's request, the data controller provides information about these recipients.
The seller will lock personal data if the data subject requests it, or if the information available to the seller suggests that deletion would prejudice the data subject's legitimate interests. Locked personal data may only be processed for as long as the data-processing purpose that prevented deletion continues to exist. The seller will mark personal data it processes if the data subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be determined conclusively.
The data subject has the right to request that the data controller erase personal data concerning them without undue delay, and the data controller is obliged to erase personal data concerning the data subject without undue delay if any of the following grounds apply. The seller shall erase personal data if its processing is unlawful, the data subject requests it, the data subject withdraws consent, the processed data are incomplete or incorrect — and this cannot lawfully be remedied — provided that the law does not preclude erasure, the purpose of processing has ceased, the statutory retention period for the data has expired, the data subject objects to the processing and there is no overriding lawful ground for further processing, or a court or the National Authority for Data Protection and Freedom of Information has ordered erasure, or if erasure is required to fulfill a legal obligation imposed by applicable EU or Member State law on the data controller. The data controller has 30 days to erase, block, or rectify personal data. If the data controller does not comply with the data subject’s request for rectification, blocking, or erasure, it must communicate the reasons for rejection in writing within 30 days.
The seller shall notify the data subject about rectification, restriction, flagging and erasure, and shall also notify everyone to whom the data had previously been disclosed for processing purposes. Notification may be omitted if, considering the purpose of the processing, it does not harm the data subject's legitimate interests.
The data subject may object to the processing of their personal data if
a) the processing or transfer of personal data is permitted only to fulfill a legal obligation applicable to the data controller or to protect the legitimate interest of the data controller, the data recipient, or a third party, except where the processing of data is mandated by law;
b) the personal data is used or transmitted for the purposes of direct marketing, public opinion polling, or scientific research;
c) the processing is necessary for carrying out a task performed in the public interest or in the exercise of official authority vested in the data controller;
d) the data processing is necessary for the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a child;
e) in other cases specified by law.
In the above case, the data controller may not continue to process the personal data, except where the data controller demonstrates that the processing is necessary for compelling legitimate reasons which override the interests, rights and freedoms of the data subject, or which relate to the establishment, exercise or defense of legal claims.
The seller will examine the objection as soon as possible after the request is submitted, but no later than 15 days, decide on its merits, and notify the requester of its decision in writing. If the data controller finds the data subject’s objection to be well-founded, it will cease the data processing — including any further data collection and data transfers — and lock the data, and it will inform all parties to whom it previously transferred the personal data concerned by the objection about the objection and the measures taken on that basis, and those parties are obliged to take action to uphold the right to object. If the data subject disagrees with the data controller’s decision, they may bring the matter before a court within 30 days of its communication.
The controller may not delete the data of the data subject if the data processing was ordered by law. However, the data may not be transferred to the recipient if the controller agreed with the objection, or if the court has established the validity of the objection. The data subject may bring legal action against the controller in court if their rights are violated.
The seller shall compensate for any damage caused to another person by unlawfully processing the data of the data subject or by violating data security requirements. In the event of an infringement of the data subject's personal rights, the data subject may claim damages for non-pecuniary harm (Section 2:52 of the Civil Code). The data controller is also liable for damage caused by the data processor in relation to the data subject. The data controller shall be exempt from liability if the damage was caused by an unavoidable reason outside the scope of data processing. The data controller shall not compensate for the damage and no claim for non-pecuniary damages can be made to the extent that the damage or the infringement of personal rights was caused by the data subject's intentional or grossly negligent conduct.
Complaints and requests for legal remedy can be submitted to the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Registered office: Hungary 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: Hungary 1530 Budapest, P.O. Box: 5.
Phone: 003613911400 Fax: 003613911410
E-mail: ugyfelszolgalat@naih.hu
Website: