for PURCHASES in the webshop:
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the related laws and regulations of the Member States, the Controller provides the following information on the processing of personal data of natural persons with regard to purchases in the webshop.
The webshop sells alcoholic beverages. Pursuant to Section 16/A of Act CLV of 1997 on Consumer Protection, selling alcoholic beverages to persons under the age of eighteen is prohibited. Consequently, we draw the Data Subjects’ attention to the fact that if they are under 18 years old, they are not entitled to use the webshop.
Name: Etyeki Kúria Kft.
Address: H-2091 Etyek, Öreghegy, lot no. 2699
Representative of Controller: László Babarczi
Controller’s contact details with regard to data privacy: firstname.lastname@example.org
Third country: any country which is not an EEA state
2. Purpose of processing
2.1 Conclusion of contract, scope of performance
Identification of the Data Subject, differentiation from other clients, users and interested parties,
Facilitating purchases in the webshop,
Conclusion of contracts, defining content, modification, performance, monitoring of performance,
Collecting total cost of product, enforcement of Controller’s contractual claims,
Invoicing obligation of the Controller, fulfilment of tax law and accounting obligations,
Sending confirmation in connection with the services, sending system message(s),
Correspondence, notifications, disclaimers in connection with performance,
Sending notification with regard to the delivery of product,
Identifying recipients of discounts, checking conditions for providing discounts, enforcement of discount by Data Subject,
Performance of Controller’s obligations, exercising its rights,
Enforcing and protecting the Controller’s rights and claims,
Handling complaints, reviewing claims related to warranty of material defects and product warranty, legal protection against resultant claims.
2.2. Processing for marketing purposes
(in particular: maintaining contact, measuring client satisfaction, conducting questionnaires to develop services, creating databases, contacting people about new or renewed services with the purpose of direct business acquisition and for marketing purposes, sending out invitations to events, preparing analyses, statistics, service development)
2.3. Camera surveillance
Safety of the Controller’s premises,
Protecting the Controller’s assets, the health and safety of its employees and visitors and safeguarding their assets,
Prevention of potential accidents, circumstances of crimes, legal infringements, investigating and proving them
3. Scope of processed data:
The data controlled by the Company may be classified into the following groups based on the processing purpose:
3.1. Data necessary to conclude contract: the Data Subject’s family name, surname, address, telephone number, email address, method for receiving product, payment details (in particular: payment method, payment tool, bank account number, details on discount), details of the ordered product, delivery address of product, data related to potential complaints
3.2. Data necessary for fulfilment of contract
3.2.1. Delivery data: Customer’s name, telephone number, email address, method for receiving product, payment method, product type, product quantity, total cost of product (purchase price and delivery fees and costs in total), delivery address, identification of recipient (showing ID), name of recipient, signature, data on any complaints
3.2.2. Data on issuance of invoices: in fulfilling the contract the Company processes payment and invoicing details. In particular, invoice data (Customer’s name, address, issuance and performance date of the invoice, order number, type, quantity, price, delivery fee and due date of ordered product, discount details).
3.2.3. Processing data related to invoice payment: payment method, payment tool, bank account number, bank card payment details.
3.3. Communication for marketing purposes: The Controller processes the Data Subjects’ names and email addresses for marketing communication purposes. The legal basis for processing is the Data Subject’s consent and the primary aim of the processing is contact for marketing purposes, providing information, newsletters or direct communication pursuant to Section 6 (1) of Act XLVIII of 2008.
3.4. Camera surveillance data: in the Wine Bar the Controller conducts camera surveillance, recording images and video images of natural persons without sound.
4. Legal basis for processing:
4.1. For the conclusion and performance of a contract the data defined in Sections 3.1 and 3.2.1 must be processed in accordance with Article 6 (1) b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Providing data is a condition for concluding and fulfilling the contract. Failure to provide the data may result in the Controller not being able to complete the order.
4.3. The processing of the data defined in Section 3.4 is necessary to enforce the Controller’s or a third party’s legitimate interest in accordance with Article 6 (1) f) of the GDPR: The Controller and any people on the Controller’s premises have a legitimate interest in the safety of the people and equipment there, as well as in preventing and proving legal infringements, accidents, offences and crimes.
4.3. Data on invoicing and on payment of the total cost must be processed for the performance of the Controller’s legal obligations (tax law and accounting) as defined in Section 3.2.2 herein, in accordance with Article 6 (1) f) of the GDPR.
4.4. The processing of the data for marketing purposes as outlined in Section 3.3 is based on the data subject’s consent in accordance with Article 6 (1) a) of the GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
The Controller does not carry out profiling.
5. Term of processing
The Controller shall process the Data Subject’s data for the following terms:
invoicing data and documents subject to retention pursuant to the Act on Accounting, in particular accounting documents directly or indirectly supporting bookkeeping (including general ledgers, sub-ledgers and detailed records) for 8 years (Section 169 (1)-(3) of the Act on Accounting)
personal data defined in the Act on Rules of Taxation such as certificates of performance, for 5 years from the last day of the calendar year in which the tax is due (Section 78 (3)-(4) of the Act on Rules of Taxation),
data necessary for the conclusion and performance of a contract concluded with the Data Subject (pursuant to Chapter 3 a), b)) until the claim on the warranty of material defects or product warranty expires,
in the case of processing based on consent: until consent is withdrawn, but no longer than the period defined in the consent,
in the case of processing based on legitimate interest: until the Data Subject’s objection (if the Data Subject’s interest, fundamental rights and freedoms override those of the Controller’s), but no longer than until the claims related to processing based on legitimate interest expire.
in the case of camera surveillance, for no longer than 3.5 months from making the recording.
6. Information on using processor(s), people entitled to forward data
The Controller does not forward the Data Subject’s personal data to third countries or international organisations.
During processing the Controller forwards the data to processors contracted with the Controller to fulfil the contract: courier company, IT operators, web storage providers, web content designer, accounting service providers, internet payment service provider.
The Controller uses Google Analytics to monitor website statistics, user demographics, users’ interests and conduct on the website. Furthermore, the Organisation uses Google Search Console for search engine optimisation on the website and for measuring user satisfaction. Google makes it possible to restrict the use of analytical services. Visit the Google page to opt out from Google Analytics using the data.
7. People entitled to access data
Recorded data may only be accessed by the Controller’s employees and the designated employees of the processor(s). The Controller will not transfer the accessed data to third parties other than the processor(s) listed in point 6.
Camera recordings may only be accessed by the designated employees of the Controller and the processor(s) as well as the Data Subject. Recordings of the electronic surveillance system may be accessed by the IT operator and the Controller’s authorised representative. At its own request, the Data Subject may access only the recordings made of him-/herself in the presence of one of the above-mentioned persons. Access must always be requested in writing. The Data Subject must provide proof of being a data subject and identify him-/herself for the Controller.
8. Common rules for exercising data subject rights, rights of data subjects
To fulfil the request, the Controller must verify that the party making the request is a Data Subject and check their identification.
Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller, while taking into account the administrative costs of providing the information or communication or taking the action requested, may:
a) charge a reasonable fee, or
b) refuse to act on the request. It must justify any refusal.
8.2. Rights of data subjects
8.2.1. Right of access by the Data Subject
The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the information as per Article 15 of the GDPR.
8.2.2. Right to rectification
The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.2.3. Right to erasure (“right to be forgotten”)
The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
c) the Data Subject objects to the direct processing with the purpose of acquiring business, or to the processing, and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
f) the personal data have been collected in relation to information society services offered directly to children.
The right to erasure may not be enforced if the processing is necessary
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
c) on grounds of public interest affecting areas of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
8.2.4. Right to restriction of processing
The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
8.2.5. Right to data portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:
a) the processing is based on consent or a contract, and
b) the processing is carried out by automated means.
8.2.6. Right to object
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1) f) of the GDPR. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
8.2.7. Right of complaint, enforcing claims in front of a court
The Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of personal data relating to him or her infringes the GDPR, or to enforce his or her claim in front of a court.
Contact details of supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, P.O. Box: 5
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Etyek, 4 September 2020
Etyeki Kúria Kft.