Data management information

 

The GHI-CSENDES Ltd. (4200 Hajdúszoboszló, Dózsa György Street. 57/a., cg: 09-09-025579, tax number: 24826279-2-09) (hereinafter called: Service provider, Data manager) subjects itself to the followings. We provide the information below for natural persons about personal data management, including the protection and the free flow of data and about repealing the 95/46/EK regulation (General Data Protecting Regulation ? regulation of the Council of the European Union (EU), 27 april 2016).

 

This data management information applies  to the data management os the following sites: https://lovedekcsapda.hu

 

Contact information of the Data manager:

 

Name: GHI-CSENDES Ltd.

Registered office: Dózsa György Street. 57/a., 4200 Hajdúszoboszló, Hungary

E-mail: info@lovedekcsapda.hu

Telephone number: +36 70 631 9190 

 

 

Definitions

 

  1. ?personal data?: shall mean any data referring to an identified or identifiable natural person (?affected?); a natural person is identifiable if they can be directly or indirectly identified  especially according to a particular identifier, for example name, number, residency data, online identifier or one or more things referring to the natural person?s phisical, physiological, genetic, psychic, economical, cultural or social identity 

 

  1. ?data management?: shall mean any operation or complex of operations made on personal data or data files in an automated or not automated way, like collection, recording, organization, proportioning, storing, transformation, query, introspection, usage, for or alteration , message forward, spreading, or other ways of making it available, coordination or interconnection, deletion and destruction; 

 

  1. ?data manager?: shall mean natural or legal person, public authority, agency or any other authority that defines the aims and instruments of managing personal data independently or with others; if the instruments of data managing are defined by the union or national law, the data manager or the special aspects of selection of the data manager can be defined by the union or national data too;

 

  1. ?data-processor?: shall mean a natural or legal person, public authority, agency or any other authority that manages personal data on behalf of the data manager;

 

  1. ?recipient?: shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not. Authorities which may receive data in the framework of a particular inquiry in conformity with union and national law shall not be regarded as recipients; the management of this data by tpublic authorities shall comply the applicable data protection rules in accordance with the aims of data management;

 

  1. ?the data subject?s consent? shall mean any freely given specific and informed indication of his or her wishes by which the data subject clearly signifies his or her agreement to personal data relating to him or her being processed;

 

  1. ?privacy incident?: shall mean any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

 

Principles on the processing of personal data

 

Personal data:

a)    must be processed lawfully, fairly and in a transparent manner in relation to the data subject (?lawfullness, fairness and transparency?);

b)    sholud be collected only for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; in accordance with Article 89(1) further data management for public interest archiving,  scientific, historical or statistical research purposes is not considered as incompatible with the original purpose. (?purpose limitation?);

 

c)    must be adequate, relevant and not excessive for the purpose for which they were collected (?data economy?);

 

 d)    must also be accurate and in case of need kept up to date: every reasonable step must be taken to ensure that data which are inaccurate or incomplete are erased or rectified (?accuracy?);

 

 e)    must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 89(1) (?limited storage?);

 

 f)      must be managed in such a way as to ensure the adequate level of protection of personal data (included the protection against personal data processed unauthorised or unlawful access, accidental loss, destruction or demage) by the implement appropriate technical and organisational measures and procedures (?integrity and confidentiality?).

 

 

The Data Manager is responsible for complying with the principles above, and must be able to demonstrate this compliance (?accountability?).

 

Data managements

 

 

 

Data management relating to the application of a web shopWeb

 

 

 

  1. The fact of collecting data, the scope of the data processed and the purpose of data processing:

 

 

 

Personal data

Purpose of data management

Surname and forename

Necessary for contact, purchase and  appropriate billing.

E-mail address

Contact.

Telephone number

Contact, better consulation of billing or delivery issues.

 

 

 

In case of the e-mail adress, it?s not necessary to include personal data.

 

 

 

  1. Data subjects: All registrated/purchaser of the webshop website are data subjects.

 

 

 

  1. Time period of data management, deadline of deleting data: immadiately after deleting registration. Except in cases of accounting documents, as it is in the Article 2 of Law C. No 168 of 2000 about accouting.

 

The accounting document that directly or indirectly proving the accounting (including general accounts, analytical and exhausive accounts) must be retained at least for 8 years in a legible and retraceable (based on reference of accounting documents) form.

 

 

 

  1. Identity of possible data managers entitled to be apprised of data, addresses of personal data: Personal data can be managed by the sales and marketing associates of he Data manager, on the basic of the principles above.

 

 

 

  1. Description of rights of data subjects in connection with data management:

 

 

 

  • The data subject can request from the controller rectification or erasure of personal data concerning the data subject and

 

 

 

  • object to the processing of such personal data and

 

 

 

  • has the right of data portability and the withdrawal of consent in any time.

 

 

 

  1. The data subject can initiate the access, deletion, alteration, portability of personal data or limitation of management of it and objection against data managements in the following ways:

 

 

 

?        by post to Dózsa György Street. 57/a., 4200 Hajdúszoboszló, Hungary

 

?        by e-mail to  info@lovedekcsapda.hu,

 

?        by telephone on the following number: +36 70 631 9190.

 

 

 

  1. The legal basic of data management:

 

 

 

7.1. Consent of the data subject, Article 6 (1) (a), Article 5.(1) in Act CXII of 2012,

 

 

 

7.2. Article CVIII.(13/A) Act CVIII. of 2001 on certain aspects of ecommerce services and services referring to information society:

 

 

 

The service provider can manage personal data that technically essential for providing the serrvice. In case of likelihood of other conditions, the service provider must choose and operate the instruments used to provide services in connection with information society in a form that personal data should only processed if it is essential for providing the service and to fulfil other objectives defined in this law, but only in extent and time necessary in this case too.

 

 

 

7.3. In case of issuing an invoice in accordance with the accounting law, Article 6(1)(c).

 

 

 

 

 

  1. We would inform you that

 

 

 

  • data management is based on your consent.
  • you shall provide the required personal data so that we can fill your order.
  • non-providing of data results that we can?t process your order.

 

 

 

 

 

Usage of cookies

 

 

 

  1. In case of usage of cookies specific to webshops, the so-called ?cookie used for passport-protected workflow?, ?cookie needed for the shopping cart? and ?security cookies?, it?s not necessary to ask for prior consent from data subjects.

 

 

 

  1. The fact of data management, scope of data managed: unique identification number, dates.

 

 

 

  1. Scope of persons affected: All persons visiting the website.

 

 

 

  1. Purpose of data management: Identification of users, registration of shopping cart, monitoring of users.

 

 

 

  1. Time period of data management, deadline of deleting data:

 

 

 

 

 

Type of cookies

The legal basic of data management

Time period of data management

Managed data

Workflow cookies (session)

 

Article.
(13/A)(3) in Act CVIII. of 2001 on certain aspects of ecommerce services and services referring to information society

Until closing the given workflow.

 

connect.sid

 

 

 

 

  1. Entitled persons to be apprised of personal data: The data manager doesen?t manages personal data by using cookies.

 

 

 

  1. Presentation of the rights in connection with data management of data subjects: Data subjects have the right to delete cookies under ?Data protection? in Tools/Setting menu in browsers.

 

 

 

  1. The legal basic of data management: No consent necessary from the data subject, if the only purpose of using cookies is the transmission of a communication over an electronic communication network or if specifically requested by the subscriber or user, the service provider necessarily needs to provide service in connection with information society.

 

 

 

Application of Google Analytics

 

 

 

  1. This website uses the Google Analytics application that is the web-analysis service of Google Inc. (?Google?). The Google Analytics uses so-called ?cookies?, text files which are saved on the computer so they promote the analysis of the website visited by the User.

 

 

 

  1. Information generated by cookies from the website the User visits normally get and be stored in a server of Google in the USA. By activating IP-anonymisation on the website, the Google previously shorter the IP-address of the User in the Member States of the European Union or in other  States which are a party to the European Economic Area Agreement.

 

 

 

  1. The transmission of the full IP-address to the server of the Google in the USA and shortening of it there, shall only take place in exceptional circumstances. Google will use these pieces of information on behalf of the operator of this website to evaluate how the User used the website, to create reports about the activity of the website for the operator and to fulfil further services in connection with website- and internat-usage.

 

 

 

Within the framework of Google Analytics, the IP-address transmitted by the browser of the user is not connected with other data of Google. The User can block the storage of cookies with the appropriate setting of their browser, but we draw the attention that in this case not all the functions of the website will be fully avaiable. It is also possible to block Google to collect and process the pieces of data in connection with website usage of the User (included the IP-address), by downloading the plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

 

 

 

Complaint-handling

 

 

 

  1. The fact of data management, scope of data managed:

 

 

 

Personal data

Purpose of data management

Surname and forename

Identifying, contact.

E-mail address

Contact.

Telephone number

Contact.

Billing name and address

Identifying, handling the complains, questions and problems in connection with the product ordered.

 

 

 

  1. Scope of persons affected: Persons who ordered on the wepshop website and made a complaint.

 

 

 

  1. Time period of data management, deadline of deleting data: Copies of the protocol recorded of the complaint, the transcript, and the response to it shall be retained for 5 years on the basis of Article (17/A)(7) in Act CLV. of 1997 about consumer protection.

 

 

 

  1. Entitled persons to be apprised of personal data: Personal data is managed by the sales & marketing associates of the data manager respecting the principles above.

 

 

 

  1. Description of rights of data subjects in connection with data management:

 

 

 

  • The data subject can request from the controller rectification or erasure of personal data concerning the data subject and object to the processing of such personal data and has the right of data portability and the withdrawal of consent in any time

 

 

 

  1. The data subject can initiate the access to data, the deletion, alteration or the limitation of processing it, the portability of data and  the objection of data management in the following forms:

 

 

 

?        by post to Dózsa György Street. 57/a., 4200 Hajdúszoboszló, Hungary

 

?        by e-mail to  info@lovedekcsapda.hu ,

 

?        by telephone on the following number: +36 70 631 9190.

 

 

 

  1. The legal basic of data management: conset of the data subject, Article (6)(1/c), Article (5)(1) in Act CXII of 2011 and Article (17/A)(7) in Act CLV. of 1997 about consumer protection.

 

 

 

  1. We inform you that

 

 

 

  • providing personal data is based on contractual obligation.
  • management of personal data is the prerequisite of concluding the contract.
  • you?re obligated to provide personal data so that we can handle your complaint.
  • the lack of providing data results that we can?t handle your complaint.

 

 

 

Social networks

 

 

 

  1. The fact of data management, scope of data managed: name of the registrated person on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram ect. social networks and the public profile picture of the user.

 

 

 

  1. Scope of persons affected: Persons who has registrated on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram ect. social networks, and has ?liked? the website.

 

 

 

  1. Purpose of data collection: Sharing, ?liking? and promoting the website, certain content of the website, products, sales on social networks.

 

 

 

  1. Time period of data management, deadline of deleting data, entitled persons to be apprised of personal data and the description of rights of data subjects in connection with data management: Data subjects can get informed about the source and management of data, and also about the forms and legal basics of data exchange on the appropriate social network. Data management takes place on social networks, so the time period and the form of the data management, furthermore the opportunities of deletion and alteration are regulated by the given social network.

 

 

 

  1. Legal basic of data management: voluntary contribution of the data subject to their personal data to be processed on social networks.

 

 

 

Customer relations and data managements

 

 

 

  1. If the data subject had any questions or problems during the usage of the data management service, they can contact the Data manager in any way given ont he website (telephone, e-mail, social networks ect.).

 

 

 

  1. The data manager delets the e-mails, messages received on telephone, Facebook ect. included the name, e-mail address and further voluntary given personal data given by the questioning in maximum a 2 year period after managing data.

 

 

 

  1. We give information about data managements hadn?t mentioned above during the data collection.

 

 

 

 

 

  1. In case of exceptional authority request or request of other body authorised by law the Service provider must give information, disclose and transfer data and provide documents necessary.

 

 

 

  1. In those cases the Service provider only provides personal data for the requesting body ? if they defined the exact purpose and the scope of data – in extent required by the purpose of the request.

 

 

 

Rights of data subjects

 

 

 

  1. Right to access

 

 

 

You are entitled to get feedback from the Data manager if their personal data is being processed, and if the data management is in process, you are entitled to have access to personal data and pieces of data listed in the regulation.

 

 

 

  1. Right to rectification

 

 

 

You are entitled to request that the Data manager correct inaccurate personal data referring, without undue delay. In view of the purpose of data management, you are entitled to request ? inter alia by means of supplementary declaration – the supplement of incomplete personal data.

 

 

 

  1. Right to deletion

 

 

 

You are entitled to request that the Data manager delete personal data referring, without undue delay. Furthermore the Data manager must delete personal data referring to you without undue delay under the conditions established.

 

 

 

  1. Right to be forgotten

 

 

 

If the Data manager has disclosed personal data to public, and has to erasel it, they must do every reasonable step ? including technical measures – taking into account the costs of technology available and implementation, to inform Data managers managing data , that you have requested to erase any links to, or copy or replication of the personal data.

 

 

 

  1. Right to limitation of data management

 

 

 

You have the right to request that the Data manager limitate processing data, if any of the following conditions is satisfied:

 

 

 

  • You contest the accuracy of personal data, in this case, the limitation refers to the period of time that enable the Data manager to check the accuracy of personal data;

 

 

 

  • The data management is unlawful and the data subject opposes their erasure and demands the limitation of their processing;

 

 

 

  • The Data manager no longer needs the personal data for the accomplishment of its task but You want them to be retained for presentation, enforcement or protection of  law claims;

 

 

 

  • You have objected to data management; in this case the limitation refers to the time period until it is concluded if the legal justifications of the data manager prevail over your legal justifications or not.

 

 

 

  1. Right to data portability

 

 

 

You have the right to get personal data referring to you, provided to a data manager in a well-structured, widely used, machine-readable form, furthermore to provide these pieces of data to another data manager without being blocked by the data manager which you provided personal data for

 

 

 

  1. Right to object

 

 

 

You have the right to object processing your personal data any time for personal reasons, included profiling based on the provision mentioned.

 

 

 

  1. Objection in case of direct marketing

 

 

 

If data management is being made related with direct marketing, You have the right to object processing personal data referring to you any time for this purpose, including profiling if it?s connected with direct marketing. If You object processing personal data made for the purpose of direct marketing, Your personal data is not allowed to being processed any more.

 

 

 

  1. Automated decisions in individual cases, included profiling

 

 

 

You have the right not to be covered by the scope of solely automated data management (included profiling) based decisions which produce legal effects concerning the individual or significantly affects them.

 

 

 

The previous paragraph shall not be applied if the decision is:

 

 

 

  • Necessary for the conclusion or performance of the contact between You and the Data manager;

 

 

 

  • is being allowed by the Union or national law  referring tot he Data manager which also defines the appropriate measures of the protection of your rights, freedom and legitimate interests; or

 

 

 

  • based on Your explicit consent.

 

 

 

Deadline set for measure

 

 

 

The Data manager shall inform You about the decision on the request without an undue delay, but in any case within 1 month of receiving the request.

 

 

 

This period may be extended by 2 months, if necessary. The Data manager shall inform you about the extension of the deadline within 1 month after receiving the request with setting out the reasons for the delay.

 

 

 

If the Data manager doesn?t take measures following Your request without a delay but no later than within a month after receiving the request, You may be informed about the reasons for no action and Your possibility to lodge a complaint to a supervisory authority or to exercise Your right to appeal.

 

 

 

Security of data management

 

 

 

Having regard to the state of the art and the cost of implementation, the data manager and the data processor shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will ensure the protection of the rights of the data subject, included

 

 

 

  1. a)    Anonymisation and encryption of personal data;

 

 

 

  1. b)    ensurance of continuous confidentiality, integrity, availability and resistance of systems and services used for managing personal data;

 

 

 

  1. c)    the ability to re-establish access and availability of personal data in time in case of physical or technical incident;

 

 

 

  1. d)    procedure for testing, measuring and assessing the efficiency of technical and organisational measurements taken to ensure the security of data management.

 

 

 

The Data manager uses SSL encryption on the website and protect personal data with password. The website uses SHA-512 encryption.

 

 

 

Information of the data subject about privacy incidents

 

 

 

If the privacy incident is likely to be a high risk to the rights and freedoms of natural persons, the Data manager shall inform them about the privacy incident without an undue delay.

 

 

 

In the information given for the data subject affected, must include the nature of the privacy incident, the name and contact of the data protection officer or other contact point giving further information, the predicted consequences of the privacy incident, the measurements proposed by the data manager to remedy the privacy incident including measurements to lighten possible negative consequences.

 

 

 

The data subject doesn?t have to be informed if any of the following conditions is fulfilled:

 

 

 

  • the data manager made the appropriate technical and organisational measurements, and they applied these measurements  to data affected by the privacy incident, especially the measurements ? as usage of encryption ? which make the data incomprehensible for persons not entitled to access to personal data;

 

 

 

  • the data manager made further measurements after the privacy incident which ensure that the high risk to rights and freedoms of the data subject will possibly not aris any more;

 

 

 

  • informing would require a disproportionate effort. In such cases data subject affected shall get informed by publicly shared information or the data manager shall make a similar measurement which ensures the equally efficient information of data subject affected.

 

 

 

If the Data manager hasn?t informed the data subject affected about the privacy incident yet, the supervisory authority may order the information of the data subject affected after estimating if the privacy incident prevents a high risk or not.

 

 

 

Reporting privacy incident to the authority

 

 

 

The Data manager shall report the privacy incident to the competent authority based on Article (55) without an undue dely and possibly no later than 72 hours after becoming aware of the incident, unless the privacy incident probably doesn?t present a hight risk to the rights and freedoms of natural persons. If the incident hadn?t been reported within 72 hours, reasons for the delay must be also annexed.

 

 

 

Opportunity of making a complaint

 

 

 

In case of infringement of the data manager, complaint can be made to the Data Protection Commissioner’s

 

 

 

Data Protection Commissioner’s Office

 

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

 

Post address: 1530 Budapest, Postafiók: 5.

 

Telephone: +36 -1-391-1400

 

Fax: +36-1-391-1410

 

E-mail: ugyfelszolgalat@naih.hu

 

 

 

Afterword

 

 

 

By making this information we incorporated the following regulations:

 

 

 

?        Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

 

?        Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information

 

?     Act CVIII. of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services (E- Commerce Act), especially Article (13/A)

 

?        Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers 

 

?        Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising (Especially Article (6))

 

?        Act XC of 2005 on the Freedom of Information by Electronic Means. 2005. évi XC. törvény az elektronikus információszabadságról

 

?        Act C of 2003 on Electronic Communications (specifically Article (155))

 

?        Regulation (EU) NO 16/2011 – Recommendation of EASA-IAB on the good practice of behavioural advertising

 

?        A Nemzeti Adatvédelmi és Információszabadság Hatóság ajánlása az előzetes tájékoztatás adatvédelmi követelményeiről

 

?        Recommendation of the National Agency for Data Protection on the data protection requirements of prior information