Privacy policy
Last updated: August 19, 2024
This Privacy Policy describes how Cleaning Stuff EU (the "Site", "we", "us", or "our") collects, uses, and discloses your personal information when you visit, use our services, or make a purchase from cleaningstuff.eu (the "Site") or otherwise communicate with us regarding the Site (collectively, the "Services"). For purposes of this Privacy Policy, "you" and "your" means you as the user of the Services, whether you are a customer, website visitor, or another individual whose information we have collected pursuant to this Privacy Policy.
Please read this Privacy Policy carefully.
1. Identification and contact details of the Data Controller
OLDB EUROPE Ltd. (Kft.)
Registered office. 3., Budapest 1078
Tax number: 32008681-2-42 / HU32008681
Registration number: 32008681-4791-113-01
Contact: info@cleaningstuff.eu / info@oldb.cz / info@scrubdaddy.cz
Phone number: +36 (30) 649-8022
Registering authority: Fővárosi Törvényszék Cégbírósága
Data on the hosting company: Shopify Inc.
Company name of the data controller: OLDB EUROPE Kft. (hereinafter referred to as: "Data Controller")
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the "Last updated" date and take any other steps required by applicable law.
How We Collect and Use Your Personal Information
To provide the Services, we collect personal information about you from a variety of sources, as set out below. The information that we collect and use varies depending on how you interact with us.
In addition to the specific uses set out below, we may use information we collect about you to communicate with you, provide or improve or improve the Services, comply with any applicable legal obligations, enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.
What Personal Information We Collect
The types of personal information we obtain about you depends on how you interact with our Site and use our Services. When we use the term "personal information", we are referring to information that identifies, relates to, describes or can be associated with you. The following sections describe the categories and specific types of personal information we collect.
Information We Collect Directly from You
Information that you directly submit to us through our Services may include:
- Contact details including your name, address, phone number, and email.
- Order information including your name, billing address, shipping address, payment confirmation, email address, and phone number.
- Account information including your username, password, security questions and other information used for account security purposes.
- Customer support information including the information you choose to include in communications with us, for example, when sending a message through the Services.
Some features of the Services may require you to directly provide us with certain information about yourself. You may elect not to provide this information, but doing so may prevent you from using or accessing these features.
Information We Collect about Your Usage
We may also automatically collect certain information about your interaction with the Services ("Usage Data"). To do this, we may use cookies, pixels and similar technologies ("Cookies"). Usage Data may include information about how you access and use our Site and your account, including device information, browser information, information about your network connection, your IP address and other information regarding your interaction with the Services.
Information We Obtain from Third Parties
Finally, we may obtain information about you from third parties, including from vendors and service providers who may collect information on our behalf, such as:
- Companies who support our Site and Services, such as Shopify.
- Our payment processors, who collect payment information (e.g., bank account, credit or debit card information, billing address) to process your payment in order to fulfill your orders and provide you with products or services you have requested, in order to perform our contract with you.
- When you visit our Site, open or click on emails we send you, or interact with our Services or advertisements, we, or third parties we work with, may automatically collect certain information using online tracking technologies such as pixels, web beacons, software developer kits, third-party libraries, and cookies.
Any information we obtain from third parties will be treated in accordance with this Privacy Policy. Also see the section below, Third Party Websites and Links.
How We Use Your Personal Information
- Providing Products and Services. We use your personal information to provide you with the Services in order to perform our contract with you, including to process your payments, fulfill your orders, to send notifications to you related to your account, purchases, returns, exchanges or other transactions, to create, maintain and otherwise manage your account, to arrange for shipping, facilitate any returns and exchanges and other features and functionalities related to your account.
- Marketing and Advertising. We may use your personal information for marketing and promotional purposes, such as to send marketing, advertising and promotional communications by email, text message or postal mail, and to show you advertisements for products or services. This may include using your personal information to better tailor the Services and advertising on our Site and other websites. If you are an EEA resident, the legal basis for these data processing activities is our legitimate interest in selling our products, according to Art. 6 (1) (f) GDPR.
- Security and Fraud Prevention. We use your personal information to detect, investigate or take action regarding possible fraudulent, illegal or malicious activity. If you choose to use the Services and register an account, you are responsible for keeping your account credentials safe. We highly recommend that you do not share your username, password, or other access details with anyone else. If you believe your account has been compromised, please contact us immediately. If you are an EEA resident, the legal basis for these data processing activities is our legitimate interest in keeping our website secure for you and other customers, according to Art. 6 (1) (f) GDPR.
- Communicating with You and Service Improvement. We use your personal information to provide you with customer support and improve our Services. This is in our legitimate interests in order to be responsive to you, to provide effective services to you, and to maintain our business relationship with you according to Art. 6 (1) (f) GDPR.
Cookies
Like many websites, we use Cookies on our Site. For specific information about the Cookies that we use related to powering our store with Shopify, see https://www.shopify.com/legal/cookies. We use Cookies to power and improve our Site and our Services (including to remember your actions and preferences), to run analytics and better understand user interaction with the Services (in our legitimate interests to administer, improve and optimize the Services). We may also permit third parties and services providers to use Cookies on our Site to better tailor the services, products and advertising on our Site and other websites.
Most browsers automatically accept Cookies by default, but you can choose to set your browser to remove or reject Cookies through your browser controls. Please keep in mind that removing or blocking Cookies can negatively impact your user experience and may cause some of the Services, including certain features and general functionality, to work incorrectly or no longer be available. Additionally, blocking Cookies may not completely prevent how we share information with third parties such as our advertising partners.
How We Disclose Personal Information
In certain circumstances, we may disclose your personal information to third parties for contract fulfillment purposes, legitimate purposes and other reasons subject to this Privacy Policy. Such circumstances may include:
- With vendors or other third parties who perform services on our behalf (e.g., IT management, payment processing, data analytics, customer support, cloud storage, fulfillment and shipping).
- With business and marketing partners to provide services and advertise to you. Our business and marketing partners will use your information in accordance with their own privacy notices.
- When you direct, request us or otherwise consent to our disclosure of certain information to third parties, such as to ship you products or through your use of social media widgets or login integrations, with your consent.
- With our affiliates or otherwise within our corporate group, in our legitimate interests to run a successful business.
- In connection with a business transaction such as a merger or bankruptcy, to comply with any applicable legal obligations (including to respond to subpoenas, search warrants and similar requests), to enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.
We disclose the following categories of personal information and sensitive personal information about users for the purposes set out above in "How we Collect and Use your Personal Information" and "How we Disclose Personal Information":
| Category | Categories of Recipients |
|---|---|
|
|
We do not use or disclose sensitive personal information without your consent or for the purposes of inferring characteristics about you.
With your consent we share personal information for the purpose of engaging in advertising and marketing activities, as follows.
Third Party Websites and Links
Our Site may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of such sites, including the accuracy, completeness, or reliability of information found on these sites. Information you provide on public or semi-public venues, including information you share on third-party social networking platforms may also be viewable by other users of the Services and/or users of those third-party platforms without limitation as to its use by us or by a third party. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators, except as disclosed on the Services.
Children's Data
The Services are not intended to be used by children, and we do not knowingly collect any personal information about children. If you are the parent or guardian of a child who has provided us with their personal information, you may contact us using the contact details set out below to request that it be deleted.
As of the Effective Date of this Privacy Policy, we do not have actual knowledge that we “share” or “sell” (as those terms are defined in applicable law) personal information of individuals under 16 years of age.
Security and Retention of Your Information
Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee “perfect security.” In addition, any information you send to us may not be secure while in transit. We recommend that you do not use insecure channels to communicate sensitive or confidential information to us.
How long we retain your personal information depends on different factors, such as whether we need the information to maintain your account, to provide the Services, comply with legal obligations, resolve disputes or enforce other applicable contracts and policies.
Your Rights
Depending on where you live, you may have some or all of the rights listed below in relation to your personal information. However, these rights are not absolute, may apply only in certain circumstances and, in certain cases, we may decline your request as permitted by law.
- Right to Access / Know: You may have a right to request access to personal information that we hold about you, including details relating to the ways in which we use and share your information.
- Right to Delete: You may have a right to request that we delete personal information we maintain about you.
- Right to Correct: You may have a right to request that we correct inaccurate personal information we maintain about you.
- Right of Portability: You may have a right to receive a copy of the personal information we hold about you and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.
- Right to Opt out of Sale or Sharing or Targeted Advertising: You may have a right to direct us not to "sell" or "share" your personal information or to opt out of the processing of your personal information for purposes considered to be "targeted advertising", as defined in applicable privacy laws. Please note that if you visit our Site with the Global Privacy Control opt-out preference signal enabled, depending on where you are, we will automatically treat this as a request to opt-out of the "sale" or "sharing" of information for the device and browser that you use to visit the Site.
- Restriction of Processing: You may have the right to ask us to stop or restrict our processing of personal information.
- Withdrawal of Consent: Where we rely on consent to process your personal information, you may have the right to withdraw this consent.
- Appeal: You may have a right to appeal our decision if we decline to process your request. You can do so by replying directly to our denial.
- Managing Communication Preferences: We may send you promotional emails, and you may opt out of receiving these at any time by using the unsubscribe option displayed in our emails to you. If you opt out, we may still send you non-promotional emails, such as those about your account or orders that you have made.
You may exercise any of these rights where indicated on our Site or by contacting us using the contact details provided below.
We will not discriminate against you for exercising any of these rights. We may need to collect information from you to verify your identity, such as your email address or account information, before providing a substantive response to the request. In accordance with applicable laws, you may designate an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require that the agent provide proof you have authorized them to act on your behalf, and we may need you to verify your identity directly with us. We will respond to your request in a timely manner as required under applicable law.
Complaints
If you have complaints about how we process your personal information, please contact us using the contact details provided below. If you are not satisfied with our response to your complaint, depending on where you live you may have the right to appeal our decision by contacting us using the contact details set out below, or lodge your complaint with your local data protection authority. For the EEA, you can find a list of the responsible data protection supervisory authorities here.
International Users
Please note that we may transfer, store and process your personal information outside the country you live in. Your personal information is also processed by staff and third party service providers and partners in these countries.
If we transfer your personal information out of Europe, we will rely on recognized transfer mechanisms like the European Commission's Standard Contractual Clauses, or any equivalent contracts issued by the relevant competent authority of the UK, as relevant, unless the data transfer is to a country that has been determined to provide an adequate level of protection.
Contact
Should you have any questions about our privacy practices or this Privacy Policy, or if you would like to exercise any of the rights available to you, please call or email us at info@cleaningstuff.eu or contact us at Nefelejcs utca 7, OLDB EUROPE KFT. HU32008681, Budapest, 1184, HU.
For the purpose of applicable data protection laws and if not explicitly stated otherwise, we are the data controller of your personal information.
General information
The following information is provided by OLDB EUROPE Kft. (head office: 1078 Budapest, Nefelejcs utca 7. 2. floor. 3. door; Company Registration No.: 01-09-402368; "Data Controller"), operates the website www.scrubdaddy.hu/www.cleaningstuff.hu/oldb.hu and is intended to inform the data subjects (i.e. you as an individual visiting our website).
It also contains information about the IP addresses recorded when you visit the website.
We aim to provide accurate and fully compliant information about why and how we process the personal data of individuals who interact with the Data Controller through our website.
This notice has been prepared primarily in accordance with the following legislation:
Regulation 2016/679 of the European Parliament and of the Council ("GDPR");
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information ("the Information Act");
Act C of 2003 on Electronic Communications.
Information about the controller:
The name of the data controller is OLDB EUROPE Kft.
Contact details of the data controller: info@cleaningstuff.eu
Other contact details of the controller: +36 (30) 649-8022
Capturing IP addresses
An IP ("Internet Protocol") address is a unique set of numbers assigned to each device connected to the Internet. The IP address identifies the device you use to browse the Internet and allows it to communicate with other devices. To the extent that the IP address can identify the user (i.e. you) (either by the IP address alone or in combination with other information), the IP address may also be considered personal data.
Some cookies used on the Data Controller's website, if you have enabled them in the cookie settings, record the IP address of the device from which you have visited the website because this is necessary for their functioning. The IP address is recorded by cookies used on the website by Facebook, Google, YouTube and others.
However, the Data Controller is not able to identify you from the IP addresses collected on the website alone, it does not have a record of IP addresses and cannot target specific IP addresses. Consequently, you cannot be identified by the IP address of the Data Controller.
Data management in relation to cookies
A cookie is a small text file that the website you visit stores on your computer or other device used to browse the internet. Your device stores the cookie for a set period of time. This allows the website you visit to "remember" certain information and settings (e.g. language, font size and other display settings) for that period.
Types of cookies used
The cookies used on this website fall into the following categories:
cookies that are essential for the functioning of the website. They are strictly necessary for the technical functioning of the website (e.g. for the correct display of graphical content, navigation) and cannot be disabled, but they do not collect any information that could be considered as personal data;
performance and statistical cookies. They are used for the statistical, anonymous measurement of the number of visits to the website and the activity of users on the website, in order to continuously improve the effectiveness of the website. They can be disabled in the cookie settings;
cookies related to personal preferences - they are used to enhance the website experience by remembering certain information about the appearance and functioning of the website that you prefer. They can be disabled in the cookie settings;
marketing cookies - they track the activity of users visiting the website through profiling, helping to ensure that the most relevant, personalised content is displayed for that user.
The exact names and characteristics of all cookies used on our website can be found in the cookie authorisation area of our website.
Legal basis for cookie-related processing
With the exception of cookies that are essential for the functioning of the website (which are based on our legitimate interest in the functioning of the website), the legal basis for the use of cookies is your explicit and duly informed consent.
Cookies based on consent will only be used if you have given your consent to their use in the relevant interface. You can change your settings - and withdraw your consent in this context - at any time.
Managing cookies in your browser
In addition to a website's cookie settings, most browsers also provide the ability to view, manage, delete and disable cookies from a particular website. Remember, if you delete all cookies, you will lose the settings stored in them.
Sharing cookies with other data controllers
We share information about your website usage with our social media, advertising and analytics partners, and our partners may combine it with other information that you have provided to them or that has been collected in connection with other services you have used.
If this information constitutes personal data, the operations described in the preceding paragraph constitute separate processing by our partners.
Rights concerned
Based on the legislation in force, taking into account the specificities and legal basis of cookie processing, you have the following rights in relation to the processing of your personal data. This section summarises your rights in general terms, and the following sections describe the conditions under which you may exercise each right.
You have the right to ask the Data Controller to access, rectify, erase or restrict the processing of personal data concerning you, and to make them available in machine-readable form, provided that this does not interfere with the legal limits on the exercise of these rights.
You have the right at any time to lodge a complaint with a supervisory authority and to seek judicial redress.
Please note that the exercise of the rights detailed here may be affected by the technical specificities of cookie processing.
The right of access
You may at any time request information on whether and how your personal data are processed by the Controller, including the purposes of the processing, the recipients to whom your data have been or will be disclosed, the source from which the Controller obtained your data, the retention period of the data, your rights in relation to the processing and, in the case of transfers to third countries or international organisations, information on the safeguards relating to the transfer.
In exercising your right of access, you also have the right to request a copy of your personal data processed. In the event of a request made by electronic means, the Data Controller will provide the requested information electronically (in the form of an email or pdf file), unless you request otherwise. Where your right of access adversely affects the rights and freedoms of others, the Controller shall be entitled to refuse to comply with your request to the extent necessary and proportionate.
The right to rectification
The Data Controller will correct or complete personal data concerning you upon your request (e.g. in case of a change of data), if this is possible taking into account the technical specificities of the processing. If there is doubt about the corrected data, the Controller may request you to provide the Controller with evidence of the corrected data in an appropriate manner, in particular by means of a document. Where the personal data concerned by this right have been communicated by the Controller to another person, the Controller shall inform such recipients without undue delay after the rectification of the data, provided that this is not impossible or involves a disproportionate effort.
Upon request, the Controller shall provide information on the recipients.
Right to erasure ("right to be forgotten")
If you request the erasure of any or all of your personal data, the Controller will erase it without undue delay if:
the Controller no longer needs the personal data for the purposes for which it was collected or otherwise processed;
the processing was based on a legitimate interest of the Controller or a third party, but you have objected to the processing and there is no overriding legitimate ground for the processing;
the personal data were unlawfully processed by the Controller; or
the erasure of the personal data is necessary to comply with a legal obligation.
Where the personal data concerned by this right have been disclosed by the Controller to another person, the Controller shall inform such persons without undue delay after erasure, provided that this is not impossible or involves a disproportionate effort.
Upon request, the Data Controller shall provide information on the recipients.
Please note that the Data Controller is not always obliged to delete personal data, in particular where the processing is necessary to comply with a legal obligation.
Right to restriction of processing
You may request the restriction of the processing of your personal data in the following cases.
if you contest the accuracy of the personal data - in this case, the restriction applies for a period of time that allows the Controller to verify the accuracy of the personal data;
where the processing is unlawful but you oppose the erasure of the data and instead request the restriction of their use;
where the controller no longer needs the personal data for the purposes of processing but you require them for the establishment, exercise or defence of legal claims; or
where you have objected to the processing, in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller override your legitimate grounds.
Restriction of processing means that the personal data subject to the restriction are not processed by the Controller, except for storage. Where the personal data concerned by this right have been communicated by the Controller to another person, the Controller shall inform those recipients of the restriction of processing without undue delay, provided that this is not impossible or involves a disproportionate effort.
Upon request, the Controller shall provide information about the recipients.
Right to data portability
In relation to cookies for which the processing is based on your consent, you have the right to receive the personal data processed about you in a structured, commonly used, machine-readable format.
Right to complain, right to redress
If you consider that the processing of your personal data by the Data Controller infringes the provisions of the applicable data protection legislation, in particular the GDPR or the Infotv.
Contact details of the NAIH:
Website: http://naih.hu/
1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest Pf.9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
You also have the right to lodge a complaint with a supervisory authority established in another EU Member State, in particular the one where you have your habitual residence, place of work or place of the alleged infringement.
Irrespective of your right to lodge a complaint, you may also take legal action in the event of such a violation. The competent court for the Data Controller is the Metropolitan Court of Budapest, but you may also bring the action before the court of your place of residence. The courts can be contacted at the following link: http://birosag.hu/torvenyszekek. You may also bring the action before the competent court of the Member State of your habitual residence, if your habitual residence is in another Member State of the European Union.
You also have the right to take legal action against a legally binding decision of the NAIH that applies to you. You also have the right to a judicial remedy if the NAIH does not deal with your complaint or does not inform you within three months of the procedural developments or the outcome of the complaint you have lodged. You have the right to lodge a complaint on your behalf, to have the decision of the NAIH reviewed by the courts, to bring an action and to assert your right to compensation on your behalf with a non-profit organisation or association established in accordance with the law of one of the Member States of the European Union and whose statutory objectives are to serve the public interest and to protect the rights and freedoms of data subjects with regard to personal data.
Supporting Policies
2. The scope of the data processed, the purpose of the processing, the legal basis and the retention period
By providing the registration data to the Data Controller and by the Data Subject's acceptance of the General Terms and Conditions (GTC) provided by the Data Controller to the Data Subject, the Data Subject and the Data Controller enter into a contract, which is governed by the provisions of the Regulation on electronic commerce services and certain aspects of information society services 2011. CVIII of 2011, under which the Data Controller is obliged to provide the use of the Website and to transfer the ownership and possession of the products purchased through the Webshop to the Data Subject, while the Data Subject is obliged to pay the purchase price of the products purchased.
In connection with the above processing, the Data Controller draws your attention to the fact that the provision of the Data Subject's data, which it processes on the basis of a legal obligation or on the basis of the preparation or performance of a contract with the Data Controller, is mandatory for the establishment of a contractual relationship or the performance of certain obligations arising therefrom, without the provision of the necessary data the Data Controller would not be able to fulfil its obligations undertaken in connection with the contract or required by law.
The retention periods set out above have been determined by the Data Controller in view of the fact that for certain data, in accordance with the penultimate row of the table above, personal data may also be processed for legal claims, so that if the retention period for legal claims is longer than the retention period for other processing purposes, the latter is indicated everywhere.
The Data Controller shall make a backup of all the data processed in accordance with this Section 1.3, the purpose of which is to ensure the uninterrupted operation of the processes related to the use of the Webshop, as regulated in this Privacy Policy and the related GTC, even in the event of possible malfunctions in the IT systems. The legal basis for the backup is the legitimate interest of the Data Controller in the continuous operation of the processes related to the use of the Webshop. The Data Controller shall keep the backups for a period of one month.
The retention period may be affected by the data subject's right to object, where the legal basis for the processing to which the objection relates is the legitimate interest of the Data Controller. In such cases, the Data Controller shall determine on a case-by-case basis whether a legitimate interest can be demonstrated on the part of the Data Subject which overrides the Data Subject's right to object.
3. Recipients of personal data, categories of recipients
Standalone controller
|
Name of addressee |
Recipient status |
Reason for the data transfer/transmission/access/activity involving the recipient |
|
Barion Payment Zrt. Head office: H-1117, Budapest, Irinyi József utca 4-20. 2. floor Company registration number: 01-10-048552 Barion Payment Zrt. operates under the licence of the Magyar Nemzeti Bank in accordance with Act CCXXXV of 2013 and the EU Electronic Money Directive (EMD) of 2011. Licence ID: H-EN-I-1064/2013 | Institution ID: 25353192 Data Management Registration Number: NAIH-73794/2014 OR STRIPE |
independent controller |
It provides online payment for purchases made through the Webshop. Online credit card payments are made through the Barion system. Credit card details are not passed to the merchant. The service provider Barion Payment Zrt. is an institution supervised by the National Bank of Hungary, its licence number is H-EN-I-1064/2013.
|
|
GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (head office: 2351 Alsónémedi GLS Európa u. 2.) OR DPD |
independent controller |
Provide home delivery of products purchased through the Webshop. |
|
Packeta Hungary Kft. (székhely 1044 Budapest, Ezred utca 1-3. B2/11) |
independent controller |
Provide home delivery of products purchased through the Webshop. |
|
Our legal advisers |
independent controller |
If we are required to provide information to our advisors in connection with a legal claim, it cannot be excluded that this information may include personal data. |
|
Courts, authorities |
independent controller |
If we are requested to do so by a court or a public authority, we may be under an obligation to transfer files containing personal data to the court or authority. |
By transferring the personal data to the above recipients, OLDB EUROPE Ltd. will not transfer the Data Subjects' data to third countries outside the European Union. OLDB EUROPE Ltd. will not transfer the personal data to any person other than the above recipients, unless the transfer is required by law.
4. Special data management
In exceptional cases, in connection with the sale of products that can be purchased through the Webshop, the delivery of the purchased products to the ordering customer and the issuing of an invoice for the purchase price, the Data Controller may process special data within the scope of Article 9 (1) of EU Regulation 2016/679/EC on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (GDPR), in particular personal data in the form of conclusions about the health of the Data Subject (health data). The Data Controller is entitled to process these special categories of personal data pursuant to Article 9(2)(g) GDPR, given that the processing based on the fulfilment of a legal obligation is necessary for reasons of substantial public interest (substantial public interest in billing or contract performance), which are proportionate to the aim pursued. The Data Controller shall respect the essential content of the right to the protection of personal data in the processing and shall provide for adequate and specific measures to safeguard the fundamental rights and interests of the Data Subject.
5. Contact data obtained from other sources
|
Scope of data processed |
Source of data processed |
|
Order ID, name, e-mail address, gross amount and time of purchase |
The financial service provider providing online payment for purchases made through the Webshop. |
6. Rights concerned
The Data Subject may request from the Data Controller access to, rectification, erasure of, and in certain cases restriction of the processing of personal data relating to him or her, and may object to the processing of personal data. The Data Subject shall also have the right to data portability and the right to lodge a complaint with a supervisory authority and the right to a judicial remedy and, in the case of automated decision-making in individual cases, the right to choose the scope of the decision and to request human intervention. In addition, where processing is based on consent, the Data Subject shall have the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal.
- A) The right of access
At any time, the Data Subject has the right to request information on whether and how his or her personal data are processed by the Controller, including the purposes of the processing, the recipients to whom the data have been disclosed or the source from which the data were obtained by the Controller, the retention period, any rights concerning the processing, as well as information on automated decision-making, profiling and, in case of transfers to third countries or international organisations, information on the safeguards relating thereto. In exercising the right of access, the Data Subject shall also have the right to request a copy of the data and, in the event of an electronic request, the Data Controller shall provide the requested information in electronic form (pdf format), unless the Data Subject requests otherwise. Where the Data Subject's right of access adversely affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Data Controller shall be entitled to refuse to comply with the Data Subject's request to the extent necessary and proportionate. In the event that the Data Subject requests more than one copy of the above information, the Data Controller shall charge a reasonable fee proportionate to the administrative costs of producing the additional copies.
- B) The right to rectification
The Data Controller shall correct or supplement personal data concerning the Data Subject at the Data Subject's request. If there is doubt about the corrected data, the Controller may request the Data Subject to provide the Controller with evidence of the corrected data in an appropriate manner, in particular by means of a document. Once the corrected data has been verified, the Controller shall not keep the document used for that purpose, nor shall it store it in any form. Where the personal data concerned by this right have been communicated by the Controller to other persons (such as the addressee as data processor), the Controller shall inform those persons without undue delay after the rectification of the data, provided that this is not impossible or involves a disproportionate effort on the part of the Controller. The Data Subject shall be informed of these recipients by the Controller upon request.
- C) Right to erasure ("right to be forgotten")
-
If the Data Subject requests the erasure of some or all of his or her personal data, the Controller shall erase the data without undue delay if:
the Controller no longer needs the personal data for the purposes for which it was collected or otherwise processed;
the processing was based on the data subject's consent but the consent has been withdrawn by the data subject and there is no other legal basis for the processing;
processing which was based on a legitimate interest of the Controller or a third party, but the Data Subject has objected to the processing and there is no overriding legitimate ground for the processing, other than an objection to processing for direct marketing purposes;
the personal data were unlawfully processed by the Controller; or
the erasure of the personal data is necessary to comply with a legal obligation.
Where the personal data concerned by this right have been communicated by the Controller to another person (such as the addressee as data processor), the Controller shall inform such persons without undue delay after erasure, provided that this is not impossible or involves a disproportionate effort on the part of the Controller. The Data Subject shall be informed of these recipients by the Controller upon request. The Controller is not always obliged to erase personal data, in particular where the processing is necessary for the establishment, exercise or defence of legal claims.
D) Right to restriction of processing
The Data Subject may request the restriction of the processing of his or her personal data in the following cases:
the Data Subject contests the accuracy of the personal data - in this case, the restriction applies for a period of time that allows the Controller to verify the accuracy of the personal data;
The data subject opposes the erasure of the data and instead requests the restriction of their use;
the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
the Data Subject has objected to the processing - in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the Data Subject.
Restriction of processing means that the Data Controller does not process the personal data subject to the restriction, except for storage, or only to the extent to which the Data Subject has consented, or, in the absence of such consent, the Data Controller may process data necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State of the European Union. The Controller shall inform the Data Subject in advance of the lifting of the restriction on processing. Where the Controller has communicated the personal data of the Data Subject to whom this right applies to another person (such as the addressee as data processor), the Controller shall inform such persons of the restriction of processing without undue delay, provided that this is not impossible or involves a disproportionate effort on the part of the Controller. The Controller shall inform the Data Subject of these recipients upon request.
- E) The right to object
If the legal basis for the processing of the Data Subject is the legitimate interest of the Controller or a third party, the Data Subject has the right to object to the processing. The Controller shall not be obliged to uphold the objection if the Controller proves that
- the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject; or
the processing relates to the establishment, exercise or defence of legal claims by the Controller.
- F) The right to data portability
The Data Subject shall have the right to request that the Controller provide the Data Subject with personal data which he or she has provided to the Controller on the basis of consent or on a contractual legal basis and which are processed by the Controller by automated means (e.g. in a computer system), in a structured format, either for the purpose of transfer to another controller or, where technically feasible, directly to another controller designated by the Data Subject upon his or her request. The Data Controller shall provide the requested data as a pdf file in case of such requests. In the event that the exercise of the Data Subject's right to data portability would adversely affect the rights and freedoms of others, the Controller shall be entitled to refuse to comply with the Data Subject's request to the extent necessary. The action taken in the scope of data portability does not imply the erasure of the data only if the Data Subject simultaneously applies for erasure, failing which the Data Controller shall keep the data for as long as it has a purpose or a proper legal basis for processing them.
- G) Right to complain, right to redress
If the Data Subject considers that the processing of his or her personal data by the Data Controller violates the provisions of the data protection legislation in force, in particular the General Data Protection Regulation, he or she has the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information ("NAIH"). Contact details of the NAIH:
Website:http://naih.hu/
Address.
Postal address: 1363 Budapest, PO Box 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
The Data Subject also has the right to lodge a complaint with a supervisory authority established in another EU Member State, in particular the one where he or she has his or her habitual residence, place of work or place of the alleged infringement.
Irrespective of his or her right to lodge a complaint, the Data Subject may also take legal action in the event of a breach of the above rights. In the case of the data controller, the competent court is the Budapest District Court, but the Data Subject may also bring the action before the court of his/her place of residence. The contact details of the courts in Hungary can be found at the following link:http://birosag.hu/torvenyszekek. The Data Subject may also bring the action before the competent court of the Member State of his/her habitual residence, if the Data Subject has his/her habitual residence in another Member State of the European Union. The Data Subject also has the right to take legal action against a legally binding decision of the supervisory authority which is addressed to him or her. The Data Subject also has the right to judicial remedy if the supervisory authority does not deal with the complaint or does not inform the Data Subject within three months of the procedural developments or the outcome of the complaint lodged. The Data Subject may entrust the lodging of a complaint on his/her behalf, the judicial review of the decision of the supervisory authority, the bringing of an action and the exercise of his/her right to compensation on his/her behalf to a non-profit organisation or association established in accordance with the law of a Member State of the European Union and whose statutory objectives are to serve the public interest and to protect the rights and freedoms of Data Subjects with regard to personal data.
7. Objection
In view of the fact that the Data Controller processes certain data on the basis of legitimate interest, we expressly and separately draw the attention of the Data Subjects to their right to object to the processing of their personal data, which they may exercise at any time by means of a written statement to that effect. In such a case, the Data Subjects' objection will be deleted by the Controller without undue delay, unless the data are necessary for the protection or enforcement of legal claims or the objection is based on a compelling interest of the Controller to the processing, which overrides the interests and rights of the Data Subject. This will be considered on an individual basis for each objection.
8. Time limit for replying to the data subject's request
The Data Controller shall ensure that, in the event that the Data Subjects exercise any of their rights in relation to this processing and contact the Data Controller in this regard, the Data Controller shall respond to such requests without undue delay and at the latest within one month, not including in the case of withdrawal of consent, when it shall promptly arrange for the erasure of the data processed on the basis of consent.
Where necessary, taking into account the complexity of the request and the number of requests, the time limit set out in the previous paragraph may be extended by a further two months. In such a case, the Data Controller shall inform the Data Subject of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay. If the Data Subject has submitted the request by electronic means, the information shall be provided by electronic means where possible.
* * *
Date of entry into force: 2 March 2021