DECLARATION

FOR THE CREATION OF THE DATA PROTECTION POLICY AND BEING SUBJECT TO THE DATA PROTECTION POLICY

Seraphstore.com Korlátolt Felelősségű Társaság (Company registration number: 01-09-186026, tax number: 24854391-2-43, registered seat: 1114 Budapest, Móricz Zsigmond körtér 4., IV. em. 3., hereinafter as Service Provider (controller)) as of this day has created the following data protection policy, to which it has concurrently subjected itself.

Seraphstore.com Kft. warrants and represents that every data protection operation related to its activities complies with this policy, the applicable national laws, and the requirements determined in the legal acts of the European Union, with special regard to the following legislations:

- Data protection regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016

- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (mainly Section 13/A);

- Act C of 2003 on Electronic Communications (specifically Section 155);

- Act XC of 2005 on the Freedom of Electronic Information;

- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

- Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices towards Consumers;

- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (especially Section 6);

- Act CXII of 2011 on Informational Self-determination and the Freedom of Information (hereinafter as “Infotv.”);

- Opinion no. 16/2011. on EASA/IAB Best Practice Recommendation on Online Behavioral Advertising;

- The recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements related to providing preliminary information;

- Section 169 (2) of Act C of 2000 on Accounting

This data protection policy applies to the http://www.srph.de website.

The data protection policy is available at: https://www.srph.de/index.php/com_de/privacy-policy-de

Seraphstore.com Kft. maintains the right to modify this policy at any time. Future modifications to the policy will come into force by an announcement at the above address. Seraphstore.com Kft. is committed to the protection of its customers and business partners, and places great importance on respecting its customers’ right to informational self-determination. It shall handle personal data as confidential and shall take every security, technical and organizational measure that ensures the protection of the data.

Seraphstore.com Kft. will introduce its data processing practices in the following.

DATA AND CONTACT DETAILS OF CONTROLLER:

Name: Seraphstore.com Korlátolt Felelősségű Társaság

Registered seat: 1114 Budapest, Móricz Zsigmond Körtér 4., IV. em. 3.

E-mail: info@seraphstore.com

Telephone: +3619988005

Company registration number: 01-09-186026

Tax number: 24854391-2-43

Electronic availability of company: 24854391#cegkapu

PURPOSE OF THE DATA PROCESSING POLICY

The purpose of this Data Processing Policy is to determine the scope of the personal data processed by Controller, the mode of processing, and, in compliance with the applicable laws, to ensure that the privacy of natural persons is respected, to ensure that the requirements of data protection and data security are met, and to prevent unauthorized access to the personal data of the User, or the alteration, unlawful disclosure or use of the personal data.

CONTROLLER WARRANTS AND REPRESENTS THAT ITS PROCESSING COMPLIES WITH THE FOLLOWING PRINCIPLES

a) Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;

b) Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes;

c) Data minimization: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) Accuracy: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject;

f) Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures; 

g) Accountability: The controller shall be responsible for the above, and shall be able to demonstrate compliance therewith.

DEFINITIONS

personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

data processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

consent of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

DATA PROCESSING

THE LEGAL BASIS FOR DATA PROCESSING

The legal basis for the processing carried out by Seraphstore.com Kft. is based on voluntary consent [GDPR Article 6 (1) a)]. Processing occurs on the basis of the freely given, specific, informed and unambiguous declaration of consent by the data subject, in which declaration the data subject grants his or her explicit consent for the processing of their personal data provided during the use of the Website (with respect to all or specific to certain operations).

USERS (VISITORS, REGISTERED USERS, SUBSCRIBERS): With special regard to the subject as in Article 1(1)(2) of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), visitors of http://seraphstore, and registered users of the http://seraphstore website are regarded as data subjects. Seraphstore.com Kft. (as Controller), during the operation of the http://seraphstore website, processes the data of the visitors and the registered users of the http://seraphstore website, and subscribers to the newsletters (as data subjects).

Data subjects, with regard to technical data, shall accept the provisions of this Data Processing Policy as binding by visiting the http://seraphstore website for information and/or by logging in on the website. With regard to every other data, data subjects shall accept the provisions of this data processing policy by providing their consent during the registration process. In this latter case, the data subject, pursuant to Article 6 (1) a) and Article 7 of the General Data Protection Regulation (GDPR), by ticking all of the required checkboxes, grants to controller his or her consent to process his or her personal data in accordance with the provisions of GDPR and its own data processing notice, provided that he or she may at any time withdraw his or her consent, even with a click, pursuant to Article 7 (3).

Data subject shall be required to provide truthful and valid data to Controller (Data subject shall be liable for damages arising from providing false data). Any damage arising out of providing incorrect or incomplete data shall be solely borne by Data subject. Controller shall not check the data or the truthfulness thereof.

The SCOPE OF THE DATA PROCESSED: name (surname and first name), electronic mail address, country, county, city, zip code, street, house number, invoicing details, phone number, the URL of the webpage visited and the IP address of the user’s computer, and the data related to the operating system and the browser of the user. During visits to the http://seraphstore webpage, Service Provider shall collect visitors’ data to check the operation of the service, to provide a personalized service, to prevent misuse, and to allow forwarding to the service provider companies it mediates for. Legal grounds for processing: consent of data subject and Section 13/A (3) of Ekertv.

THE PURPOSE OF PROCESSING

The purpose of processing related to the visits to the page, registration and orders is to perform the orders, to provide a quality service with regard to content and information technology, to provide content, to display personalized content and to provide customer relations and to issue invoices in accordance with the accounting rules.

The data subjects expressly consent to the processing of their data, which they have provided and which can be found in the uploaded/submitted registration, by Controller, within the framework of the applicable laws and for the purposes determined herein. Processing of the data is carried out by Controller in its IT systems, and it also engages the services of a webhosting provider who stores the data as part of its webhosting services (processor). If data subject exceeds the scope of personal data and provides special category of data (e.g. in an email), he or she shall have consented to the processing of such data by accepting this data protection policy, however, Controller informs data subject that it shall only process the data that Controller has requested. Data subject shall regard the acceptance of this policy as if it was accepted in writing. Controller declares that it shall process the data provided to it by data subjects with a limitation to its purpose, and shall not use them for purposes other than those determined. In case of requests by the authorities or when required by law, Controller has an obligation to reveal the data to the requester (e.g. the authority) which data subjects accept and acknowledge by accepting this data processing policy, and which they hereby explicitly consent to, and in this regard Controller shall have no further obligation to acquire consent from the data subjects to do so. Data subjects shall not pursue claims against Controller in this regard. Controller is not responsible for the data it has received. In cases where the Controller intends to use the data provided to it for purposes other than those for which they were originally collected, it shall inform data subjects of this fact and acquire his or her prior, explicit consent, and shall provide an opportunity for him or her to forbid such use. Processing is carried out in Hungary.

 CONSENT OF THE DATA SUBJECT

(I.) visitors to the http://seraphstore website, with regard to the technical data, by visiting the page, automatically;

(II.) registered users of the http://seraphstore website, with regard to the technical and other data provided with his or her consent, by finalizing the registration,

consent to the processing of their data, subject to the provisions of this Policy. Data subjects shall not pursue any claims for damages, compensation, aggravated damages or other against the Controller in cases where processing occurs in accordance with this policy.

DATA PROCESSING

DATA PROCESSING RELATED TO THE OPERATION OF THE WEBSTORE

Personal data                              Purpose of data processing

Password                                   Safe login to user account

Full name (first and surname)              Necessary for communication, purchases and issuing a proper invoice.

Electronic mail address (email address)    Communication with Client.

Phone number                               Communication with Client. Effective arrangement of issues related to invoicing and delivery.

Invoicing name and address                 Issuing a proper invoice, entering into contract, determining and modifying its content, monitoring its performance, invoicing fees resulting from it, pursuing claims related to it

Shipping name and address                  Allowing delivery/shipping.

Time of purchase/registration              Performing technical operations.

IP address at purchase/registration        Performing technical operations.

TECHNICAL DATA

Data that is generated while the service is being used, which the IT system of Controller records as a result of information technology processes. Such data are especially, but without limitation, the time of the visit, the IP address of the data subject, the type of the browser, the URL of the website visited previously. (An IP address is a numeric sequence by which the computers of the users on the Internet can be clearly identified. IP addresses even allow the visitor using that computer to be geographically located. The URL of the pages visited, and the date and time are separately not suitable to identify the data subjects, however, when combined with other data (e.g. data provided during registration), they allow conclusions to be drawn with regard to the user.) The system automatically logs the automatically recorded data at login and logout without a separate relevant declaration or act by data subject. The electronically managed databases in separate registries are not linked and cannot be directly associated with the data subjects, except where it is permitted by the law. The data shall be accessed by Controller only (data are stored by the webhosting provider). The data and the technical data of the data subjects who register are included in the same registry in order to accomplish the purposes of the processing. Data subjects explicitly consent to this by registering on the Website and by accepting this policy.

 

Personal data                                                           Purpose of data processing

IP address                                                              Data used to enhance the level of the service.

The data of the sub-pages visited when browsing on http://seraphstore   Data used to enhance the level of the service.

The time spent browsing on the http://seraphstore website               Data used to enhance the level of the service.

Type of browser                                                         Data used to enhance the level of the service.

Type of operating system                                                Data used to enhance the level of the service.

Email addresses are not required to contain personal data.

Data subjects: Any data subject registering/purchasing in the webshop.

Duration of processing and deadline for the data to be deleted: Immediately when the registration is deleted. The Controller shall inform the data subject by electronic means if any personal data he or she has provided is deleted, pursuant to Article 19 of GDPR. If the request of the data subject for the erasure applies to the email address he or she has provided, controller shall delete the email address after the information has been provided. With the exception of accounting documents, as pursuant to Section 169 (2) of Act C of 2000 on Accounting, they must be preserved for a term of 8 years.

Accountancy documents directly or indirectly supporting accounting settlements (including invoices in the ledger, analytical and detailed registries, as well) must be retained for a term of at least 8 years in a readable format, retrievable on the basis of references to the accounting records.

Persons acting as controller authorized to access the data, recipients of personal data: Personal data may be processed by the sales and marketing employees of the controller, in compliance with the above principles.

Rights of the data subjects related to the processing of their data:

• Data subject may request Controller to allow access to the data concerning him or her, and to correct, delete, limit processing of such data, and

• may object to the processing of such data, and

• data subject has the right to data portability and the right to withdraw his or her consent at any time.

Data subject may request access to, erasure of, alteration of or limiting the processing of the personal data, or the portability of the data, or object to the processing in the following ways:

- by post to: 1114 Budapest, Móricz Zsigmond Krt. 4. 4/3.

- via email at info@seraphstore.com,

- on the phone at +36 1/9988005.

Legal basis of the processing: Article 6 (1) b) of GDPR, Section 5 (1) of Infotv; Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter as “Ekertv.”):

Service provider may process the personal data that are technologically indispensable for the provision of the service. Service provider, where other conditions are identical, shall have to select and operate the means for providing the information society services in a way that personal data are processed if it is indispensable for the provision of the service and for fulfilling the other purposes required in this law, and only for as long as and to the extent that it is necessary.

For the issuing of invoices in accordance with the accounting rules, Article 6 (1) c).

Please be advised that processing is necessary for the performance of the contract and for making quotes. Personal data must be provided for the performance of your order. If the data is not provided, we will not be able to process your order.

PROCESSING OF COOKIES  

Cookies are alphanumerical data packages with various content, sent by the web server, which are recorded on the device of the user and stored until their predetermined expiry date. By using cookies, certain data of the visitors may be queried and their activities on the Internet may be tracked.

This means that cookies make it possible to accurately determine the areas of interest, Internet habits and browsing history of the users. Since cookies also function as a kind of label that allows websites to recognize returning visitors, by using cookies the usernames and passwords valid on the page can also be stored.

If the user’s browser sends back the cookie that was stored on the hard drive of the user’s device during the visit to the site, the service provider that sent it is able to connect the current visit with the previous one; however, as cookies are associated with domains, it can only do so in case of its own content. Cookies on their own cannot be used to identify a user; they only allow the identification of the visitor’s computer.

There are a number of different cookies based on their expiry and origin:

- cookies used for password-protected sessions

- security cookies

- necessary cookies

- functional cookies

- cookies responsible for website statistics

Existence of data processing, the scope of the processed data: Unique identifier, dates, times

Data subjects: Every visitor of the website.

The purpose of processing: Identification of users and keeping track of visitors.

Duration of processing and deadline for the data to be deleted:

Type of cookie: Session cookies

Legal basis of processing: Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter as “Ekertv.”)

Duration of processing: The period until the current session of the visitor is closed.

Processed data: recording the content of the cart, data to help navigation

Type of cookie: Persistent or saved cookies

Legal basis of processing: Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter as “Ekertv.”)

Duration of processing: until the data subject is deleted

Processed data: user behavior, browsed pages

Life span of other cookies is 480 hours.

Rights of the data subjects related to the processing of their data: Data subjects may delete the cookies under the Devices/Settings menu of their browser, usually under the Data protection menu.

Legal basis of the processing: The consent of the data subject is not required where the use of the cookies aims to transmit the data over an electronic communications network, or where it is essentially required by the service provider for the provision of information society services explicitly required by the user or the subscriber.

PROCESSING BY EXTERNAL SERVICE PROVIDERS:

DATA PROCESSORS ENGAGED

I. Shipping

Operations carried out by processor: Delivery of goods, shipping

Name and contact details of processor:

General Logistic System Hungary Kft.

Registered seat: 2351 Alsónémedi, GLS Európa u. 2.

Telephone: 36 29/886694

E-mail: dataprotection@gls-hungary.com

Data processing notice:

General Logistic System Czech Republic s.r.o.

Registered seat: PrumySlové 5619/1 CZ-58601 Jihlava

Telephone: +420 567 77 11 33

E-mail: info@gls-czech.com

General Logistic System Slovakia s.r.o.

Registered seat: Lieskovská cesta 13, 96221 Lieskovec, Slovakia

Telephone: +421 45 5242 502

E-mail: info@gls-slovakia.com

General Logistic System Romania SLR

Registered seat: Strada Dorobanlitor 106, Sibiu 550231 Romania

Telephone: +40 269 501 900

E-mail: info@gls-romania.com

General Logistic System d.o.o.

Telephone: +385 1 2042 672

E-mail: info@gls-croatia.com

Existence of data processing, the scope of the processed data: Delivery name, delivery address, phone number, email address.

Data subjects: Every data subject requesting delivery.

The purpose of processing: Delivery of the goods ordered.

Duration of processing and deadline for the data to be deleted: Until the delivery is completed.

The legal basis of the processing: consent of the User, Article 6 (1) a) of GDPR, Section 5 (1) of Infotv.

WEBHOSTING PROVIDER

Operations carried out by processor: Providing webhosting service

Name and contact details of processor:

Media Center Hungary Kft.

Registered seat: 6000 Kecskemét, Sosztakovics u. 3.

Branch office: 6000 Kecskemét, Sosztakovics u. 3.

Mailing address: 6000 Kecskemét, Sosztakovics u.

Email: mediacenter@mediacenter.hu

EZIT Kft.

Registered seat: 1132 Budapest, Victor Hugo u. 18-22. V. em 5021.

Email: info@ezit.hu

Email: info@shoprenter.hu

Existence of data processing, the scope of the processed data: Every personal data provided by data subject.

Data subjects: Every data subject using the website.

The purpose of processing: Providing access to and the proper operation of the website.

Duration of processing and deadline for the data to be deleted: Until the agreement between controller and webhosting provider terminates, or until data subject requests the erasure of his or her data from the webhosting provider.

Legal basis of processing: Article 6 (1) f) of GDPR, and Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.

USE OF GOOGLE ANALYTICS

This website uses the Google Analytics system which is a web analytics service provided by Google Inc. (“Google”).

Google Analytics uses so-called cookies which are text files saved onto your computer and by doing so enable the analysis of the website visited by the User. The information that is generated with the cookies related to the websites visited by the User is usually sent to and stored in a server of Google located in the USA. By activating IP anonymization on the website, Google first shortens the IP addresses of the Users in the member states of the European Union and other states of the agreement on the European Economic Area. Full IP addresses are sent to the Google servers located in the USA or are shortened there only in exceptional cases. Google, as requested by the operator of this website, shall use this information to assess how the User has used the website, and also to prepare reports in connection with the activities of the website for the operator of the website, and to provide further services related to the usage of the website and the Internet. In the framework of Google Analytics, it shall not associate the IP address transmitted by the User’s browser with the other data held by Google. Users may ban the use of the cookies by setting their browsers accordingly, however, please be advised that in this case not every function of the website may be fully available. You may also prevent Google from collecting and processing the data from the cookies related to the website usage of the User (including the IP address, too), if you download and install the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

PROCESSING RELATED TO HANDLING COMPLAINTS

Existence of data processing, scope of the processed data, and purpose of processing:

  

Personal data                                                                                         Purpose of data processing

First name and surname                                                                    Identification, communication.

Email address                                                                                         Communication.

Telephone number                                                                              Communication.

Data subjects: Users lodging a complaint.

Duration of processing and deadline for the data to be deleted: It shall preserve the copies of the protocol, the transcript and the reply given to it for 5 years, pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

Persons acting as controller authorized to access the data, recipients of personal data: Personal data may be processed by the sales and marketing employees of the controller, in compliance with the above principles.

Rights of the data subjects related to the processing of their data:

• Data subject may request Controller to allow access to the data concerning him or her, and to correct, delete, limit processing of such data, and

• may object to the processing of such data, and

• data subject has the right to data portability and the right to withdraw his or her consent at any time.

Data subject may request access to, erasure of, alteration of or limiting the processing of the personal data, or the portability of the data, in the following ways:

- by post to 1114 Budapest, Móricz Zsigmond Krt. 4. 4/3.,

- via email at info@seraphstore.com,

- on the phone at +36 1 /99 88 005.

Legal basis of processing: data subject’s consent, Article 6 (1) c) of GDPR, Section 5 (1) of Infotv, and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

Please be advised that

• providing personal data is based on contractual obligation.

• processing of the personal data is required for the conclusion of the contract.

• you are required to provide your personal data to enable us to process your complaint.

• if the data is not provided, we will not be able to process the complaint we received from you.

SOCIAL SITES

Existence of data processing, scope of the processed data: Your name as registered on Facebook, Instagram, YouTube social sites, and the public profile photo of the users.

Data subjects: Every data subject who has registered on Facebook, Instagram, YouTube social sites and has “liked” the website.

Purpose of data processing: Sharing, “liking”, promoting the website and certain elements of the content, the products, the promotions of the website on social media sites.

Duration of data processing, the deadline for the data to be deleted, the identity of the potential controllers authorized to access the data and the rights of data subjects related to processing: The data subject may collect information on the sources of the data, its processing, transmission and its legal basis on that particular social media site. Processing is carried out on the social site, therefore the duration and manner of processing, and the means of erasing or altering the data are regulated by the policies of that particular social site.

Legal basis of the processing: the voluntary consent of the data subject to the processing of his or her personal data on the social site.

CUSTOMER RELATIONS AND OTHER PROCESSING

Should data subjects have any questions or problems while using the services of the controller, they may contact the controller at the contact details (telephone, email, social sites etc.) provided on the website. Controller shall delete the emails and the messages it received, and the data that was provided on the phone or via Facebook etc. including the requester’s name and email address, and any other data provided to it voluntarily, 2 years after the data was provided.

We will provide information on further processing not included in this notice at the time when the data is collected.

When requested by authorities in exceptional cases, or when requested by other bodies authorized by law, the Service Provider shall be required to provide information, to provide or hand over data, or to hand over documents.

In such cases, the Service Provider shall only reveal personal data to the requester - provided that the exact purpose and the scope of the data are communicated - to the extent and scope that is essentially required to realize the purpose of the request.

RIGHTS OF DATA SUBJECTS

Right to access

You have the right to obtain information from Controller whether personal data concerning you is being processed and if your personal data is being processed, you have the right to gain access to the personal data and the information listed in the Regulation.

Right to rectification

incorrect personal data Having regard to the purpose of the processing, you have the right to request incomplete personal data to be completed, among other means, by way of a supplementary declaration.

Right to erasure

You have the right to obtain from the controller the erasure of your personal data without undue delay and the controller shall have the obligation to erase your personal data without undue delay if certain conditions are fulfilled.

The right to be forgotten

Where the Controller has made the personal data public and is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Right to restrict processing

You have the right to obtain from the controller the restriction of the processing if any of the following applies:

 

• You contest the accuracy of the personal data, in this case the restriction lasts for the period that enables the controller to verify the accuracy of the personal data;

• the processing is unlawful and you object to the erasure of the data and instead require the limitation of their processing;

• the controller no longer needs your personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims;

• you have objected to the processing, in this case, processing shall be restricted for the period until it can be verified whether the legitimate grounds of the controller override your legitimate interests.

Right to data portability

You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and, in addition, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Right to object

In case of processing where the legal basis is legitimate interests or the exercise of official authority, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling based on afore-mentioned provisions.

Objection to direct marketing

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, including profiling, to the extent it is related to such direct marketing. Where you object to the processing of your personal data for direct marketing purposes, the personal data can no longer be processed for such purposes.

Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The previous provision shall not apply if the decision:

• is necessary for entering into, or the performance of, a contract between you and the controller;

• is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

• is based on your explicit consent.

DEADLINE TO TAKE ACTION

The data controller shall inform the data subject without delay, but in every case within 1 month after the request has been received, of the measures taken as a result of your requests.

This period may be extended by two months where necessary. The controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on your request, the controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

SECURITY OF DATA PROCESSING

Taking into account the current standing of science, technology, and the costs of implementation, and also the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures, in order to ensure that the data security provided is in line with the magnitude of the risks, including, among others, the following:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services used for the processing of the personal data;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

INFORMING DATA SUBJECTS OF PERSONAL DATA BREACHES

If the personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, the controller shall communicate the data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the name and contact details of the data protection officer or the point of contact who can provide further information; shall describe the likely consequences resulting from the data breach; shall describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Communication to the data subject is not required if any of the following conditions are met:

• the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

• the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

• communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

REPORTING PERSONAL DATA BREACHES TO THE AUTHORITY

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

LODGING COMPLAINTS

Complaints against an infringement of the controller shall be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, Post box: 5.

Telephone: +36-1-391-1400

Fax: +36-1-391-1410

Email: ugyfelszolgalat@naih.hu

2018.05.22. 

Seraphstore.com