Privacy Policy

May 1, 2021 

Dora Silagyi Jewellery Privacy Policy 

1. INTRODUCTION 

This privacy policy (hereinafter referred to as the Policy) is in accordance with the General Data Protection Regulation (GDPR).1, the Infotv.2, and other relevant legislation for the operation of the Webshop. The list of legislation is contained in Annex 1 of the Information, and the most important terms are described in Annex 2. 

The scope of this information is operated by Szilágyi Dorottya Zita EV. (hereinafter referred to as the Data Controller). www.dorasilagyi.hu It covers all data processing carried out in connection with the operation of the webshop (hereinafter referred to as the “Webshop”) available on the website. The Data Controller uses a Data Processor during certain data processing activities, information about which is provided in Annex 3. 

1. Data processing related to the payment of the price of an ordered product

2. Data processing related to the delivery and personal receipt of ordered products

3. Staying in touch

4. Personal data processed for accounting purposes

5. Complaint handling

6. Personal data processed for contact purposes

 

The Notice is effective from May 1, 2021 until withdrawn. The Data Controller reserves the right to unilaterally change the Notice at any time. In the event of a change to the Notice, the Data Controller will immediately post a notice on the Webshop interface and inform registered users thereof. 

 

1 GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council 

2 Infotv: Act CXII of 2011 on the right to informational self-determination and freedom of information

 

1. DATA CONTROLLER INFORMATION

Name of the data controller	Dorottya Zita Szilágyi EV.
Title	7623 Pécs, Rét Street 35.
Tax number	56802915-1-22
E-mail	studio@dorasilagyi.hu
Further contact details	www.dorasilagyi.hu

 

 

III. DATA PROCESSING 

III.1. Data processing related to the payment of the price of an ordered product 

The following payment methods can be used to pay for products ordered on the Webshop. 

	a) Purchase price personal   settlement by personal collection  in case of	b) Direct bank transfer
Data management   purpose	Paying the purchase price of the ordered product
Scope of data processed	1. last name and first name  2. company name  3. product identifier  4. product value  payment time.	1. last name and first name  2. company name  3. bank account number  4. order ID  5. ordered product   its equivalent  6. payment time
Legal basis	a) In the case of a natural person customer:  GDPR Article 6(1)(b) – conclusion and performance of a contract for the sale of the product.  If personal data is not provided or is not provided correctly, the order cannot be fulfilled.
	b) In the case of a customer contact person who is not a natural person: Article 6(1)(f) of the GDPR – the Data Controller's legitimate interest in selling the product.
Period	Data controller of accounting documents Obliged for 8 years to preserve
Data processor	–	Raiffeisen Bank Ltd.

 

1. b) Direct bank transfer 

If you choose this payment method, you are obliged to transfer the value of the ordered product(s) from your own current account to the account held by the Data Controller at Raiffeisen Bank Zrt. (registered office: 1133 Budapest, Váci út 116-118.; company registration number: 01 10 041042.). Further information regarding the data processing of which at this link  available. 

Raiffeisen Bank Zrt., as the Data Controller and the account-keeping bank, has primary access to personal data processed in connection with direct bank transfers. If proceedings have been initiated before a court or other authority, within the framework of which it becomes necessary to transfer personal data to the aforementioned bodies, then the court or authority may also have access to the personal data. 

Rights of the data subject (detailed explanation in the Information) Point V included): 

1. the right to transparent information – with this information, the data controller provides information about the circumstances of data processing, i.e., among other things, who processes your personal data and for what purpose, 

 

on what basis and for how long it is processed, as well as what rights you have in connection with data processing, and who you can contact with questions or complaints regarding data processing; 2. the right to access your personal data – you can ask the data controller at any time whether your personal data is being processed, you can request full information about the data processing, and you can also request to receive a copy of your personal data; 

3. the right to rectify your personal data – you may request that the data controller correct your inaccurate personal data or, if incomplete, complete them;  
4. the right to restrict data processing – you may request (e.g. for the purpose of asserting, exercising or defending legal claims) that the data controller only stores your personal data and does not process it in any other way; 
5. information on the identity of the recipients of the information about the rectification, erasure or restriction of data processing – upon request, we will inform you of the referred recipients;  6. right to data portability – You may request that the personal data you have provided to the controller be provided to you in a structured, commonly used and machine-readable format. 

If you wish to exercise any of your data subject rights, please submit your request to the following address for quick processing:  studio@dorasilagyi.hu by electronic mail address, or contact details given in point II. please notify the Data Controller via one of the following:

 

III.2. Data processing related to the delivery and personal receipt of ordered products 

The following methods are available to receive the product ordered on the Webshop. 

	Foxpost	Personal collection
Data management   purpose	Data processing for the purpose of delivering the ordered product to the specified address or collecting it in person.
Scope of data processed	1. Shipping name  2. Shipping address  3. Phone number  (home delivery)   mandatory)  4. Email address (required)	1. Recipient name  2. Other voluntarily provided personal information   data (availability)
Legal basis	a) In the case of a natural person customer:  GDPR Article 6(1)(b) – conclusion and performance of a contract for the sale of the product.  If personal data is not provided or is not provided correctly, the order cannot be fulfilled.
	b) In the case of a customer contact person who is not a natural person: Article 6(1)(f) of the GDPR – the Data Controller's legitimate interest in selling the product.
Period	Personal data is processed by the Data Controller and the Data Processor below for the product until the time of receipt The data controller is obliged to keep accounting documents for 8 years.
Data processor	Foxpost Ltd.		–

 

1. a) Foxpost Ltd. 

The personal data processed for the purpose of delivering the product is primarily processed by the Data Controller, or FoxPost Zrt. (3300 Eger, Pacsirta utca 35/A. cjsz: 10-10-020309 tax number: 25034644-2-10, https://foxpost.hu/csomagkuldes, foxpost_igazgatosag@foxpost.hu) may access it. If proceedings have been initiated before a court or other authority, within the framework of which it becomes necessary to transfer personal data to the aforementioned bodies, then the court or authority may also access the personal data. 

1. b) Personal collection 

The Data Controller has primary access to personal data processed for the purpose of personal collection. If proceedings have been initiated before a court or other authority, in the framework of which it becomes necessary to transfer personal data to the aforementioned bodies, In that case, the court or the authorities may also have access to the personal data. 

Rights of the data subject (detailed explanation in the Information) Point V included): 

1. the right to transparent information – with this information, the data controller provides information about the circumstances of data processing, including who processes your personal data, for what purpose, on what basis and for how long, as well as what rights you have in connection with data processing and who you can contact with questions or complaints regarding data processing; 
2. the right to access your personal data – you can ask the data controller at any time whether your personal data is being processed, you can request full information about the data processing, and you can also request to receive a copy of your personal data; 
3. the right to rectify your personal data – you may request that the data controller correct your inaccurate personal data or, if incomplete, complete them;  
4. the right to erasure of your personal data – you may request that your personal data be deleted by the data controller; 5. the right to restrict data processing – you may request (e.g. for the purpose of asserting, exercising or defending legal claims) that the data controller only stores your personal data and does not process it in any other way; 
5. information on the identity of the recipients of the information about the rectification, erasure or restriction of data processing – upon request, we will inform you of the referred recipients;  7. right to data portability – You may request that the personal data you have provided to the controller be provided to you in a structured, commonly used and machine-readable format. 8. right to object – may only be exercised by the contact person of the non-natural person customer 

If you wish to exercise any of your data subject rights, please submit your request to the following address for quick processing:  studio@dorasilagyi.hu by electronic mail address, or contact details given in point II. please notify the Data Controller via one of the following:

 

III.3. Contact 

Purpose of data processing	Contact and communication between the data controller and the customers. This includes, for example, contact necessary for the details of the jewelry order.
Scope of data processed	first and last name, email address (if necessary)
Legal basis	a) In the case of a natural person customer:  GDPR Article 6(1)(b) – conclusion and performance of the contract for the purchase of the product.
	b) In the case of a customer contact person who is not a natural person:  GDPR Article 6(1)(f) – the legitimate interest of the Data Controller in the proper sale of the product.
Period	The data controller stores personal data until the obligation to delete them arises, but no longer than 5 years (general limitation period for civil law claims).

 

Personal data processed for the purpose of maintaining contact may be accessed primarily by the Data Controller, or by Hostinger International Limited (61 Lordou Vironos Street 17. Lumiel Building, 4th floor 18. Larnaca, CY 6023, Cyprus) in the performance of its tasks related to the development of the Webshop, or as a hosting service provider. If proceedings are initiated before a court or other authority, within the framework of which it becomes necessary to transfer personal data to the aforementioned bodies, then the court or authority may also have access to the personal data. 

Rights of the data subject (detailed explanation in the Information) Point V included): 

1. the right to transparent information – with this information, the data controller provides information about the circumstances of data processing, including who processes your personal data, for what purpose, on what basis and for how long, as well as what rights you have in connection with data processing and who you can contact with questions or complaints regarding data processing; 
2. the right to access your personal data – you can ask the data controller at any time whether your personal data is being processed, you can request full information about the data processing, and you can also request to receive a copy of your personal data; 
3. the right to rectify your personal data – you may request that the data controller correct your inaccurate personal data or, if incomplete, complete them;  
4. the right to erasure of your personal data – you may request that your personal data be deleted by the data controller; 5. the right to restrict data processing – you may request (e.g. for the purpose of asserting, exercising or defending legal claims) that the data controller only stores your personal data and does not process it in any other way; 
5. information on the identity of the recipients of the information about the rectification, erasure or restriction of data processing – upon request, we will inform you of the referred recipients;  7. right to data portability – You may request that the personal data you have provided to the controller be provided to you in a structured, commonly used and machine-readable format. 8. right to object – may only be exercised by the contact person of the non-natural person customer

 

If you wish to exercise any of your data subject rights, please submit your request to the following address for quick processing:  studio@dorasilagyi.hu by electronic mail address, or contact details given in point II. please notify the Data Controller via one of the following:

 

III.4. Personal data processed for accounting purposes 

Purpose of data processing	Fulfillment of the obligation to preserve accounting documents directly and indirectly supporting the accounting settlement, as specified in Act C of 2000 on Accounting (Accounting Act).
Scope of data processed	– last and first name, address, ordered product, order identifier, location of personal collection, payment method, price of ordered product.
Legal basis	GDPR Article 6(1)(c) – Data controller fulfillment of a legal obligation  – Section 169 (2) of the Accounting Act.
Period	Data controller of accounting documents Obliged for 8 years to preserve.

 

The accounting documents directly and indirectly supporting the accounting settlement are primarily used by the Data Controller for the purpose of fulfilling the legal obligation specified in the Accounting Act. If proceedings have been initiated before a court or other authority, within the framework of which it becomes necessary to transfer the personal data to the aforementioned bodies, then the court or authority may also have access to the personal data. 

Rights of the data subject (detailed explanation in the Information) Point V included): 

1. the right to transparent information – with this information, the data controller provides information about the circumstances of data processing, including who processes your personal data, for what purpose, on what basis and for how long, as well as what rights you have in connection with data processing and who you can contact with questions or complaints regarding data processing; 
2. the right to access your personal data – you can ask the data controller at any time whether your personal data is being processed, you can request full information about the data processing, and you can also request to receive a copy of your personal data; 
3. the right to rectify your personal data – you may request that the data controller correct your inaccurate personal data or, if incomplete, complete them;  
4. the right to restrict data processing – you may request (e.g. for the purpose of asserting, exercising or defending legal claims) that the data controller only stores your personal data and does not process it in any other way; 
5. information on the identity of the recipients of the information about the rectification, erasure or restriction of data processing – upon request, we will inform you of the referred recipients;  

If you wish to exercise any of your data subject rights, please submit your request to the following address for quick processing:  studio@dorasilagyi.hu by electronic mail address, or contact details given in point II. please notify the Data Controller via one of the following:

 

III.5. Complaints handling 

Purpose of data processing	Handling quality - customer - objections and complaints related to products sold by the data controller.
Scope of data processed	– last and first name, address, telephone number, e-mail address, product data (name, purchase price), claim to be asserted, error, method of settlement, date of recording of the report, any other personal data included in the complaint, unique identification number of the complaint.
Legal basis	GDPR Article 6 (1) point c) – Data controller  fulfillment of a legal obligation  – Act CLV of 1997 on Consumer Protection, Section 17/A
Period	The data controller shall provide the minutes of the complaint and a copy of the response Obliged for 3 years to be preserved and presented to the inspection authority upon request [Fgy. tv. 17/A. § (7)].

 

Only the Data Controller has access to personal data processed for the purpose of handling complaints. If proceedings are initiated before a court or other authority, in the framework of which it becomes necessary to transfer personal data to the aforementioned bodies, then the court or authority may also have access to personal data. 

Rights of the data subject (detailed explanation in the Information) Point V included): 

1. the right to transparent information – with this information, the data controller provides information about the circumstances of data processing, including who processes your personal data, for what purpose, on what basis and for how long, as well as what rights you have in connection with data processing and who you can contact with questions or complaints regarding data processing; 
2. the right to access your personal data – you can ask the data controller at any time whether your personal data is being processed, you can request full information about the data processing, and you can also request to receive a copy of your personal data; 
3. your personal data to correct right – you may request that the data controller correct your inaccurate personal data or, if incomplete, complete them;  
4. the right to restrict data processing – you may request (e.g. for the purpose of asserting, exercising or defending legal claims) that the data controller only stores your personal data and does not process it in any other way; 
5. information on the identity of the recipients of the information about the rectification, erasure or restriction of data processing – upon request, we will inform you of the referred recipients;  

If you wish to exercise any of your data subject rights, please submit your request to the following address for quick processing:  studio@dorasilagyi.hu by electronic mail address, or contact details given in point II. please notify the Data Controller via one of the following:

 

III.8. Personal data processed for the purpose of contacting you 

Purpose of data processing	Informal contact with the data controller for the purpose of placing an order.
Scope of data processed	First and last name, email address, message content.
Legal basis	a) In the case of a natural person customer:  GDPR Article 6(1)(a) – voluntary consent of the data subject.  Your consent can be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.
	b) In the case of a customer contact person who is not a natural person:  GDPR Article 6(1)(f) – the Data Controller  legitimate interest in the proper sale of the product.
Period	The data controller processes personal data until the obligation to delete them arises, but no longer than 6 months after the contact. Consent can be withdrawn or deleted at any time: studio@dorasilagyi.hu by sending an email or by clicking on the link in the newsletter.

 

The Data Controller may primarily access personal data processed for the purpose of maintaining contact. If proceedings have been initiated before a court or other authority, within the framework of which it becomes necessary to transfer personal data to the aforementioned bodies, then the court or authority may also access personal data. 

Rights of the data subject (detailed explanation in the Information) Point V included): 

1. right to withdraw consent – the data subject has the right to withdraw his/her consent at any time if the data controller's data processing is based on the data subject's consent. The withdrawal of consent does not affect the lawfulness of the data processing based on consent prior to its withdrawal. 
2. the right to transparent information – with this information, the data controller provides information about the circumstances of data processing, including who processes your personal data, for what purpose, on what basis and for how long, as well as what rights you have in connection with data processing and who you can contact with questions or complaints regarding data processing; 
3. the right to access your personal data – you can ask the data controller at any time whether your personal data is being processed, you can request full information about the data processing, and you can also request to receive a copy of your personal data; 
4. the right to rectify your personal data – you may request that the data controller correct your inaccurate personal data or, if incomplete, complete them;  
5. the right to erasure of your personal data – you may request that your personal data be deleted by the data controller; 6. the right to restrict data processing – you may request (e.g. for the purpose of asserting, exercising or defending legal claims) that the data controller only stores your personal data and does not process it in any other way; 
6. information on the identity of the recipients of the information about the rectification, erasure or restriction of data processing – upon request, we will inform you of the referred recipients;  8. right to data portability – You may request that the personal data concerning you, which you have provided to the controller, be received from the controller in a structured, commonly used and machine-readable format, or, where technically feasible, that the controller provide it to you in a transfer it to another data controller. This right only applies to data processed on the basis of consent or contract, provided that the data processing is carried out by automated means; 9. right to object – may only be exercised by the contact person of the non-natural person customer 

If you wish to exercise any of your data subject rights, please submit your request to the following address for quick processing: studio@dorasilagyi.hu by electronic mail address, or contact details given in point II. please notify the Data Controller via one of the following:

1. DATA SECURITY 

The Data Controller and the data processors are entitled to access personal data to the extent necessary to perform their duties. The Data Controller takes all security, technical and organizational measures to guarantee the security of the data. 

Organizational measures 

Access to the Data Controller's IT system is enabled by a person-specific authorization, the allocation of which is subject to the "principle of necessary and sufficient rights". According to this, each user may use the Data Controller's IT systems and services only to the extent necessary to perform their tasks, with the appropriate authorizations and for the necessary period of time. Access to IT systems and services may only be granted to a person who is not subject to restrictions for security or other reasons and who has the professional, business and information security knowledge necessary for the safe use of the IT system. 

The data controller and its data processors undertake strict confidentiality rules in a written declaration, which they are obliged to adhere to with increased compliance. 

Technical measures 

The Data Controller stores the data – with the exception of data stored by data processors – on its own devices, in a data center. The Data Controller stores the IT devices storing the data in a closed server room equipped with an alarm system, protected by a multi-stage access control system for authorization verification. 

The Data Controller protects its internal network with multi-level firewall protection. A hardware firewall (so-called border protection device) has been installed at all entry points of the public networks used. The Data Controller stores the data in several locations, protecting it from destruction, loss, damage, and unlawful destruction resulting from the failure of the IT device. 

The data controller protects its internal networks from external attacks with multi-level, active, complex protection against malicious codes (e.g. virus protection). External access to IT systems and databases operated by the data controller is essential only via an encrypted data connection (VPN).3 can be implemented. 

The data controller ensures that its IT tools and software continuously comply with technological solutions generally accepted in market operations. 

 

3 Virtual Private Network (VPN)

 

1. RIGHTS OF THE CONCERNED 

V.1. Right to transparent information 

The data controller hereby complies with its obligation to provide information on the Data Controller, the purpose and legal basis of data processing, its duration, the rights of the data subject and the legal remedy, and if the data does not originate from the data subject, the source of the data. Oral information may also be provided at the request of the data subject, provided that he or she proves his or her identity. 

V.2. Right of access of the data subject 

The data subject may request access to the personal data concerning him or her from the controller, including a copy of the personal data which are the subject of the processing. The data subject has the right to obtain from the controller information as to whether or not his or her personal data is being processed and, where such processing is taking place, access to the personal data and the following information: 

1. a) the purposes of data processing; 
2. (b) the categories of personal data concerned; 
3. (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; 
4. (d) where applicable, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period; 
5. e) the right of the data subject to request from the controller the rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data; 
6. f) the right to lodge a complaint with a supervisory authority; g) if the data were not collected from the data subject, all available information on their source; 
7. h) the fact of automated decision-making, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject. 

V.3. Right to rectification 

The data subject shall have the right to obtain from the controller, at his or her request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

 

V.4. The right to erasure – “right to be forgotten” 

Personal data must be deleted if: 

1. a) the purpose of the data processing has ceased to exist; 
2. b) the data subject has withdrawn his/her consent and there is no other legal basis for the data processing; 
3. c) the processing is based on a legitimate interest or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and the data subject objects to the processing; d) the processing is unlawful; 
4. (e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject; 
5. f) the data were collected in relation to information society services offered directly to children. 

V.5. Right to restriction of data processing 

The data controller shall restrict data processing at the request of the data subject if a) the data subject disputes the accuracy of the personal data; 

1. b) the data processing is unlawful and the data subject opposes the erasure of the data; c) the data controller no longer needs the personal data, but the data subject requires them for the establishment, exercise or defence of legal claims; d) the data processing is based on a legitimate interest or is necessary for the performance of a task carried out in the public interest/in the exercise of official authority vested in the data controller and the data subject objects to the data processing. 

V.6. Notification obligation related to the rectification or erasure of personal data or the restriction of data processing  

The controller shall inform any recipient to whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The data subject shall be informed of these recipients upon request. 

V.7. Right to data portability  

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and has the right to transmit these data to another data controller without hindrance from the data controller to which the personal data have been provided, where the data processing is based on consent or a contract and the data processing is carried out by automated means. 

When exercising the right to data portability, the data subject has the right to request, where technically feasible, the personal data controller to provide the personal data to the controller. direct transmission between. The exercise of this right shall not prejudice the right to be forgotten.  

V.8. The right to object 

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her based on legitimate interests or where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, including profiling based on those legal grounds. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 

V.9. Rights of the data subject in the event of automated decision-making 

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This provision not applicable in the following cases: 

1. a) necessary for the conclusion or performance of a contract between the data subject and the data controller; 
2. (b) it is permitted by Union or Member State law applicable to the controller and which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or 
3. (c) it is based on the explicit consent of the data subject. 

The data controller must ensure that the data subject has at least the right to request human intervention on the part of the data controller, to express his or her position and to object to the decision. 

1. LEGAL REMEDIES 

The data subject is entitled to the following alternative remedies. 

1. a) Thepossibility of contacting the data controller

Data subjects may contact the Data Controller for all matters relating to the processing of their personal data and the exercise of their rights under the GDPR. If the Data Controller does not take action on the data subject's request, it shall inform the data subject without delay, but no later than one month from the date of receipt of the request, of the reasons for the failure to take action and of the possibility of lodging a complaint with a supervisory authority and of exercising its right to a judicial remedy.

1. b) Can be initiated at the National Data Protection and Freedom of Information Authority examination

Anyone can initiate an investigation by filing a report with the National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority) on the grounds that a violation of the law has occurred in connection with the processing of personal data or that there is an immediate risk of such a violation. It is important that the report is not anonymous, otherwise the Authority may reject the report without a substantive investigation. Further grounds for rejection are contained in Section 53 of the Infotv. The Authority's investigation is free of charge, and the Authority shall advance and bear the costs of the investigation. As a general rule, it shall make a decision within two months of receipt of the report. 

Contact details of the Authority: 

1363 Budapest, P.O. Box 9. 

Website: www.naih.hu 

Phone: +36-1-391-1400 

1. c) Judicial enforcement

In the event of a violation of his or her rights, the data subject may bring proceedings against the Data Controller if, in his or her opinion, his or her rights under the Regulation have been violated as a result of the processing of his or her personal data not in accordance with the GDPR. The action against the Data Controller or the data processor shall be brought before the court of the Member State in which the Data Controller or the data processor is established. Such proceedings may also be brought before the court of the Member State in which the data subject has his or her habitual residence, unless the data controller or the data processor is a public authority of a Member State acting in the exercise of its public authority. In Hungary, the action shall be brought – at the choice of the data subject – in the court of the place of residence or residence of the data subject 

can also be initiated before a court.  

The data subject may claim compensation/damages from the data controller in the lawsuit:  – if the data controller causes damage to another person by unlawfully processing the data subject's data or by violating data security requirements, he or she is obliged to compensate for the damage; 

– If the data controller violates the data subject's personal rights by unlawfully processing the data subject's data or by violating data security requirements (e.g. communicating personal data to an unauthorized person or making it public), the data subject may claim damages from the data controller. 

ANNEXES VII 

1. Annex No. – List of laws 

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (hereinafter referred to as "Regulation (EU) 2016/679 of the European Parliament and of the Council")GDPR"), 
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information ("Info TV".) 
• Act V of 2013 on the Civil Code ("Civil".) 
• Act CXXX of 2016 on the Code of Civil Procedure ("Pp.") 
• Act CVIII of 2001 on certain issues of electronic commerce services and information society services ("TV".) • Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities (“Advertising Act”) 
• Act C of 2000 on Accounting ("Account TV".) 
• Act CL of 2017 on the Taxation System (“Art.”) 
• Act CLV of 1997 on Consumer Protection ("Consumer TV".) 
• Decree 19/2014. (IV. 29.) of the Ministry of Justice on the procedural rules for handling warranty and guarantee claims regarding things sold under a contract between a consumer and a business (“Fgy. NGM rend.”);

2. Annex No. – Definitions 

• personal data"identified or identifiable natural person" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Natural persons may also be associated with online identifiers provided by the devices, applications, tools and protocols they use, such as IP addresses and cookie identifiers, as well as other identifiers such as radio frequency identification tags. This may create traces which, when combined with unique identifiers and other information received by the servers, can be used to create a profile of natural persons and to identify that person; 
• "data controller"controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or national law, the controller or the specific criteria for the designation of the controller may also be determined by Union or national law; 
• "data processor"Processor" means the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; • "data processing" means any operation or set of operations which is performed on personal data or data sets, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 
• "concerned"a person identified or identifiable - directly or indirectly - on the basis of personal data, which must always be a specific person. Only natural persons are considered data subjects, not legal persons, and therefore data protection only protects the data of natural persons. However, personal data also includes, for example, the data of a sole proprietor or a company representative (e.g. telephone number, email address, place of birth, time, etc.). 
• "consent of the person concerned"opt-in" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her; 
• "restriction of data processing": marking of stored personal data with the aim of restricting their future processing; 
• "data breach”: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed. 
• "pseudonymization": processing of personal data in such a way that the personal data can no longer be identified without further information, provided that that such additional information is stored separately and technical and organizational measures are taken to ensure that this personal data cannot be linked to identified or identifiable natural persons; 
• "addressee"recipient" means the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or national law shall not be considered recipients; the processing of such data by such public authorities shall be in accordance with the applicable data protection rules in accordance with the purposes of the processing; 
• "cookies": a cookie is a short text file that our web server sends to your device (whether it's a computer, mobile phone or tablet) and reads it back. There are temporary (session) cookies that are automatically deleted from your device when you close your browser, and there are longer-lived cookies that remain on your device for a longer period of time (this also depends on the settings of your device); 
• "third party"": a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data; 
• "third country”: a country that is not a member state of the European Union and the European Economic Area. Member States of the European Union may conclude international agreements covering the transfer of personal data to third countries or international organisations, provided that these agreements do not affect the GDPR or other provisions of Union law; 
• "profiling": any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; 
• "international organization"": an organization governed by public international law or its subordinate organs, or any other body established by or on the basis of an agreement between two or more countries; 
• "registration system": a collection of personal data, structured in any way – centralized, decentralized, functionally or geographically – which is accessible based on specific criteria; 
• "undertaking"": any natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity;

3. Annex No. – Data Processors

Activity	hosting, newsletter service
Name of data processor	Hostinger International Limited
Headquarters	1 Lordou Vironos Street 17. Lumiel Building, 4th floor 18. Larnaca, CY 6023, Cyprus
Company registration number	CY10301365E
E-mail	gdpr@hostinger.com
Website	www.hostinger.com

 

Activity	bank transfer
Name of data processor	Raiffeisen Bank Ltd.
Headquarters	1133 Budapest, Vaci Street 116-118.
Company registration number	01 10 041042
E-mail	info@raiffeisen.hu
Website	https://www.raiffeisen.hu/

 

Activity	Delivery
Name of data processor	Foxpost Ltd.
Headquarters	3300 Eger, Pacsirta Street 35/A.
Company registration number	10-10-020309
Tax number	25034644-2-10
E-mail	foxpost_igazgatosag@foxpost.hu
Website	https://foxpost.hu/csomagkuldes