Privacy Policy

INFORMATION ON DATA PROCESSING

  1. Data Controller

Name: Etyeki Kúria Kft.

Address: 2091 Etyek, Öreghegy, topographical number 2699

Representative of the Data Controller: László Babarczi

The contact details of the Controller in relation to data protection: etyek@etyekikuria.com

The present information is the commitment of the Controller regarding the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and the relevant national legislation.

2.   The purposes of processing

2.1      Providing service(s) for natural persons and for that purpose:

  • Identification of the User, distinguishing them from other clients, users and interested parties
  • Communication, measurement of customer satisfaction
  • Sending system notification relating to the service
  • Participation in events and the related ancillary services

Legal ground for processing: Contract

Providing information is the condition for concluding the contract. In the event that data is not provided, the Data Controller is no longer able to perform the service ordered.

Data being processed:

  • Name
  • Permanent residence
  • Delivery address
  • E-mail address
  • Phone number
  • Unique identifier

2.2      Providing service(s) for legal persons and for that purpose:

  • Identification of the User, distinction from other clients, users and interested parties
  • Communication, measurement of customer satisfaction
  • Sending system notification relating to the service
  • Participation in events and the related ancillary services

Legal ground for data processing: Legitimate interest – The legitimate interest of the Data Controller is to register the data of the contact point for the performance of a contract.

Data which are being processed:

  • Name
  • E-mail address
  • Phone number
  • Unique identifier

2.3      Invoicing and issuing obligatory documentation relating to the performance of the service.

Legal ground for data processing: Regulatory compliance (Compliance with the Hungarian Accounting Act)

Providing information is the condition for concluding the contract. In the event that data is not provided, the Controller is no longer able to fulfil the ordered service.

Data which are being processed:

  • Name
  • Permanent residence
  • E-mail address (in the case of authorising remote invoice printing or electronic invoicing)
  • Unique identifier

2.4      Advertising service(s), providing information to registered users

  • on new or renewed services, advertising for the purposes of direct marketing or request for marketing
  • measurements taken of customer satisfaction
  • invitation to marketing events

Legal ground for data processing: Consent of the Data Subject concerned

The Data Subject concerned agrees to the processing of his personal data in writing or by e-mail, by accepting a web-based mailing list link or by ticking the appropriate box available on the application website of the Data controller under this Information.

Data which are being processed:

  • Name
  • Address for service
  • E-mail address
  • Phone number
  • Additional information provided by the User

2.5      Advertising service(s), providing information to registered Users

  • on new or renewed services, advertising for direct marketing or marketing purposes
  • measurements taken for customer satisfaction
  • invitation to marketing events

Legal ground for data processing: Legitimate interest –The legitimate interest of the controller is direct marketing

The Data Subject provided, by receiving any of the services, the following data to the Data Controller. The Data Controller informs the Data Subject in this Information that the data processed in relation to the activities specified under Points 2.1 and 2.2, and the purpose of processing will be reclassified and used for direct marketing purposes by referring to the legitimate interest.

Source of data: The Data Controller has legitimately processed the data of the Data Subjects for other data processing purposes.

Data which are being processed:

  • Name
  • Billing address
  • Delivery address
  • E-mail address
  • Phone number
  • Unique identifier

2.6      Order delivery

  • Delivery by courier service
  • Delivery to courier service point or point of transfer

Legal ground for data processing: Legitimate interest – The legitimate interest of the Data controller is to register the data of the contact point for the performance of a contract

Source of data: Based on the information provided by the legal person placing an order

Data which are being processed:

  • Name
  • Phone number
  • Unique identifier

For a commercial unit: Operating licence, excise authorisation number

2.7      Handling debit card transaction receipts

Handling respective documents proving credit card payments operated in the network of stores of the Organisation.

Legal ground for data processing: legitimate interest – settlement with a debit card provider

Data which are being processed:

  • Signature

2.8      Operation of an electronic surveillance system to protect the following:

  • Protecting the safety of the Data Controller’s establishment
  • Protecting the assets of the Data Controller
  • Protecting the physical safety and assets of the employees of and visitors to the Data Controller
  • Investigating the circumstances of accidents and crimes that may occur

Legal ground for data processing: Consent of the Data Subject that takes the form of an action, namely to enter the premises of the Data Controller despite having been formally informed of the camera surveillance.

The activity is carried out by the Data Controller in accordance with Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (“Security Services Act”).

Data which are being processed:

  • The image of the natural person, his motion picture recordings (hereinafter together the ‘recording’)

Data Subjects

3.   Data Subjects concerned

The users registered on the www.etyekikuria.com website and the contact persons provided by them.

For a commercial unit:

Customers purchasing from the stores of the Organisation, or natural or legal persons as recipients of pick-up point services.

4.   Children

Our products and services are not addressed to persons under the age of 16, and we request that persons under the age of 16 do not provide any Personal Data to the Data Controller. In the event of notice that we have collected personal data from children under the age of 16, we will take the necessary measures to erase personal data as soon as possible.

5.   The period for which the personal data will be stored

  • In the case of compliance with the law, the storage period specified in the Act on accounting
  • In the event of a contract, until the deadline provided for in the contract or 8 years after the date of expiry of the contract at the latest
  • In the event of consent, until the withdrawal of a Data Subject’s consent
  • In the case of legitimate interest, until the objection of the Data Subject
  • The Data Controller keeps the video records in the electronic system for the period specified in the provisions of Act CXXXIII of 2005 on private security and investigative services (Hungarian abbreviation: “Szvtv.”).

With respect to the recordings taken by the electronic surveillance system, the Data Controller applies the following retention periods:

  • normally 3 days
  • In the event of damage to the assets of the Data Controller or suspicion of it, in the case of using the recordings, the minimum period necessary to perform such a purpose

After the expiry of the storage period, the recordings are destroyed.

6.   Information on engaging a Data Processor

The Data Controller, at the time of processing, transfers the data to the Data Processor(s) with which it has entered into an agreement.

The categories of the recipients: courier services, transport companies, IT operators, web hosting services, web content developer, accountancy services, Magyar Posta (Hungarian Post),

Security service, online payment service provider.

7.   Persons entitled to request data

The acquired information will not be transferred to a third party by the Data Controller, with the exception of the Data Processor(s) described above under Point 6. The recorded data will only be known to the employees of the Data Controller and the employees appointed by the Data Processor(s).

The recordings will not be transferred to a third party by the Data Controller, with the exception of the Security service described above under Point 6. The recordings will only be known to the employees appointed by the Data Controller and Data Processor(s).

The recordings previously recorded by the electronic surveillance system shall only be accessed by the Data Protection Officer, Head of Security, the IT operator and the executive director. The Data Subject, at his request, shall only have access to the recordings concerning his identity in the presence of any of the persons specified above. Access must always be requested in writing from the Data Protection Officer.

The Data Controller shall draw up minutes on the facts of access in every case; these shall be stored for 1 year by the company.

7.1      Persons entitled to restrict the images of the electronic surveillance system

The restriction of the recordings recorded by the electronic observation system can only be realised if an event was noticed by the Data Controller that is likely to endanger the objectives pursued by the electronic surveillance system.

The Data Subject, upon his request, may only restrict the processing of the recordings concerning his identity. The Data Subject shall always request the Data Protection Officer to block his data in writing, indicating its purpose and the expected duration.

The Data Controller shall draw up minutes of the data blocking process at all stages, which shall be stored by the Data Controller for 1 year.

8.   The rights of Data Subjects

The Data Subject may, using the Data Controller’s contact details indicated in point 1, request

  • to be provided with information on the processing of his personal data,
  • the rectification of his personal data,
  • information on the data processing
  • the erasure of his personal data, or the restriction of processing,

The Data Subject may at any time exercise the above rights.

Furthermore, the Data Subject may transmit it to the Data Controller on any of the contact addresses indicated in Point 1.

  • may request the transfer of his data to another Data Controller where the data management is based on a contract or consent, and is handled by the Organisation under an automated procedure.
  • may avail of the withdrawal of the consent given earlier for the purpose of personal data processing

The Data Controller shall, within a period of not more than one month after the submission of the application, exceptionally within a longer period specified by law, comply with or reject (by providing a justification) the notification. The Data Subject shall be informed in writing of the results of the investigation.

8.1      Cost of the information

The Organisation shall provide the measures and necessary information free of charge for the first time.

If the Data Subject searches for the second time within one month, for the same data that have not changed during this time, the Data Controller will charge administrative costs.

  • The cost settlement of the administrative costs is based on the minimum hourly wage in effect at the time as the hourly rate.
  • The number of hours worked used for the information is settled on the above hourly rate.
  • Furthermore, in the case of a request for paper-based communication, the printing costs of the response at cost price and its mailing cost will be included.

8.2      Refusal to provide information

If the request of the Data Subject is clearly unfounded, he is not entitled to information, or the Organisation as Data Controller is able to demonstrate that the Data Subject already has all the requested information, the Data Controller shall reject the request for information.

If the request of the Data Subject, in particular due to its repetitive nature, is excessive, the Organisation may refuse to take measures on the basis of the request, if

  • the Data Subject requests the exercising of his rights under Article 15-22 on the same subject for the third time within one month.

8.3      Right to object

The data subject shall have the right to object at any time to the processing of personal data concerning him that is based on the legal basis of legitimate interest or official authority.

In this case, the Organisation shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject or are for the establishment, exercise or defence of legal claims.

If the Organiser concludes that the legal basis of the objection is well founded, it terminates the processing of data as soon as possible, including the data transfer and recording of further data. It notifies all recipients to whom the data of the Data Subject had previously been transferred concerning the objection.

The processing of the request is free of charge, except those which are unfounded or excessive, where the Data Processor shall have the right to charge a reasonable fee for the processing, taking the administrative costs into account.

If the Data Subject does not agree with the decision made by the Data Controller, the Data Subject shall have the right to apply to turn to the court.

9.   Disclosure of data

The Data Controller will not disclose the recordings of the electronic surveillance system.

10. Transfer of data to third countries or international organisations

The Data Controller WILL NOT transfer the personal data of the Data Subject and the recordings to third countries outside of the European Economic Area or to international organisations.

11. Information on security measures of processing

The Data Controller shall process the data in a closed system based on its Information Security Policy.

The Data Controller shall take measures to ensure data protection by design and by default. For this purpose, the Data Controller applies technical and organisational measures in order to:

  • precisely regulate access to data;
  • provide access only to those persons for whom the data is necessary for the accomplishment of the tasks related to the given data, and, in this case, only those data should be accessible that are the minimum necessary for the accomplishment of the task;
  • select the mandated data processors with care, and take measures to ensure the security of data with an appropriate contract on data processing;
  • take measures to protect the data from being altered (integrity), regarding its authenticity and for the protection of the processed data.

The Data Controller applies a reasonable standard of physical, technical and organisational measures for the protection of the data of the Data Subject, in particular against their accidental, unauthorised or unlawful destruction, loss, alteration, transfer, use, access or processing. In the event of known and unauthorised access to or use of the personal data that is likely to result in a high risk to the data subject, the Data Controller shall inform the data subject without delay.

Where it is necessary to the transfer the data of the Data Subject, the Data Controller takes measures for the security of the transferred data, for example by encrypting the personal data file. The Data Controller is fully responsible for the processing of the data of the Data Subject performed by third parties.

The Data Controller shall take measures to protect the data of the Data Subject against destruction or loss, by making appropriate and regular backups.

12. Analytics Services

The Data Controller uses Google Analytics services to track website statistics, user demographic data, interests and behaviour on the websites. Furthermore, the Organisation uses Google Search Console for search engine optimisation of the website and to measure user satisfaction. Google makes it possible to limit the use of analytics services. Visit Google’s webpage to subscribe to the use of data by Google Analytics. https://tools.google.com/dlpage/gaoptout

13. Remedy

Any Data Subject with a breach of a right concerning the processing of his personal data may turn to the competent court, in the capital also to the Budapest-Capital Regional Court, or may initiate an investigation at the National Authority for Data Protection and Freedom of Information.

President: dr. Attila Péterfalvi,

Address: 1024 Budapest, Szilágyi Erzsébet fasor 22/C.,

Availability: ugyfelszolgalat@naih.hu, +36 1 391 1400, www.naih.hu,

Budapest, 2018

Back to the home page