FREQUENTLY ASKED QUESTIONS AND ANSWERS ON DATA PROTECTION AND DATA PROCESSING
1. Which laws provide for data protection?
The primary law in the hierarchy of legal instruments is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as: the Regulation). The most important Hungarian law is Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as: Privacy Act). In addition, other laws also contain data protection provisions, such as Act CVIII of 2001 on Electronic Commerce and on Information Society Services (hereinafter referred to as: Electronic Commerce Act), or Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities. The provisions of other laws indicated at the beginning of the Notice are also relevant, in part, from a data protection perspective.
2. What is personal data?
As defined in the Regulation, personal data is any data which allows for the direct or indirect identification of a natural person. This includes not only the data contained in the various documents (identity card, passport, driving licence), but also any other data which could be used to identify the data subject. Examples are audio recordings, camera recordings, computer IP address, telephone number, email address and vehicle licence plate number, but also special data such as blood test results, a final report or a medical report.
In terms of our online store, such personal data may include the data (e.g. name, e-mail address) provided by the natural person who makes a purchase in the online store or subscribes to a newsletter. In addition, the address or telephone number of the data subject (customer) is also considered to be personal data. However, the various data of companies: name, VAT number, company registration number, registered seat, etc. are not covered by the definition and scope of the Regulation.
3. Who is a data subject?
As defined in the Regulation: personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. That is, data subjects are natural persons who can be identified by any information or data relating to them.
4. May I request the erasure of my previously provided data as a data subject?
In some cases, yes, e.g. for data processed on the legal basis of voluntary consent, such as a newsletter subscription. However, there are data whose processing by the Data Controller is not based on the consent of the data subject, but on another legal basis, e.g. legal obligation. For example, Section 169, paragraph (2) of Act C of 2000 on the retention of invoices (hereinafter referred to as: Accounting Act) specifies that accounting documents be retained for eight years. Therefore, such data cannot be erased upon the request of the data subject until the statutory retention period has expired. In the case of other legal bases, e.g. processing for lawful interests or when processing is necessary for the performance of a contract, erasure is also not automatic at the request of the data subject.
5. Is my personal data provided to the online store for various reasons secure?
Yes, we always strive to fully comply with the provisions of the Regulation (principles, legal bases, prior information obligation, etc.) when operating our online store. As stated in the Data Security chapter (item VI), IT security - the implementation of the technical and organisational measures listed therein - is treated as a priority in order to ensure secure data processing. Under the Regulation, we conclude a cooperation agreement with our data processors, and our own staff members who process personal data are only allowed to do their job after signing a confidentiality agreement. We will certainly not disclose or sell our Customers' personal data to any third parties, except for legitimate requests from various authorities.
6. Does the online store transfer the personal data I have provided to anyone and if so, why?
Yes, but we only forward personal data to those recipients (e.g. courier services) for whom we have the opportunity or obligation to do so based on one of the legal grounds listed in item V of the Notice. For each processing operation, item V of this Notice indicates what data is transferred to whom and for what purpose. When transferring data, we will only provide the data that is required for the particular partner (e.g. accountant, hosting provider, courier service) to perform its task.
7. What rights and remedies do I have as a data subject?
Should you, as a data subject, have any questions or requests regarding the processing of your personal data, do not hesitate to contact us. We will pay particular attention not only to fulfilling your purchases, but also to fully complying with the privacy rules binding on us, as well as to responding to requests of data subjects and to resolving any problems that may arise in this regard. Contacting us will not only provide you with the fastest possible solution to the specific privacy problem or issue, but will also allow you to avoid unnecessary and unfounded legal proceedings. The rights and remedies data subjects are entitled to are set out in detail in items IX and X of this Notice. Kindly read these chapters thoroughly.
8. When and how can I request the erasure, amendment, rectification of my data or information on my data being processed?
You may request information on your data being processed or the amendment, rectification or erasure thereof through any of the contact details provided in item II of this Notice. In item IX of this Notice we provide a summary overview in a table, as well as a detailed description of all data subject rights, and in item X we set out the legal remedies.
9. Are there any costs or conditions involved if I ask for my data to be amended, rectified or erased, or if I just request to be informed about how my data is being processed?
No. Your request will be addressed free of charge. Certainly, these rights cannot be abused either (e.g., to take an extreme example, to make a repeated request every month), in which case the Regulation allows the Data Controller to charge administrative costs or to refuse to comply with a manifestly unfounded request.
10. How long will my data be stored?
The retention period of data varies according to the purpose of data processing and the legal basis thereof. Personal data processed under the legal basis of voluntary consent is stored until the withdrawal of the data subject's consent is received (otherwise this is indicated with a special highlighting in item IV for the legal bases and in item V for each processing). Data processed under the legal basis of performance of a legal obligation, however, is stored until the date specified in the specific law. Such laws include Section 169, paragraph (2) of the Accounting Act, or Section 17/A, paragraph (7) of Act CLV of 1997 on Consumer Protection (hereinafter referred to as: Consumer Protection Act), which provides for a 3-year retention period. In these latter cases, the rights of the data subject are restricted, since he or she obviously cannot request their erasure before the expiry of the above mentioned periods.
11. If I have any questions or requests about the processing of my personal data, when will I receive a meaningful response?
Article 12, paragraph (3) of the Regulation provides a deadline of 1 month for responding (which may be extended by a maximum of 2 months in justified cases). However, we always try to respond to your request within 1 month.
12. What is the difference between data transfer to countries outside the EEA and data transfer to countries within the EEA from a data security perspective?
Article 44 of the Regulation stipulates that personal data, i.e. any information relating to natural persons which can be associated with them, may only be transferred outside the European Economic Area if a level of protection guaranteed by the GDPR is ensured.
The Regulation sets out several stages as conditions for a lawful transfer.
Stage 1 under Article 45 of the Regulation: transfer under an adequacy decision, i.e. does the third country outside the EEA offer an adequate level of protection? A list of countries that currently possess a relevant adequacy decision is available on the website of the European Commission under the following URL: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_hu.
Stage 2: under Articles 46 to 47 of the Regulation, in the absence of an adequacy decision, a transfer may take place if the recipient controller or processor provides appropriate safeguards for the processing of data. This includes, for example, binding corporate policies, approved codes of conduct or certification mechanisms.
Stage 3: which may be applied if neither an adequacy decision nor the appropriate safeguards listed under the previous item are available. Article 49 of the Regulation lists the conditions under which data may be transferred, even in the absence of the conditions mentioned in Stages 1 and 2. The satisfaction of terms and conditions laid down in Article 49, paragraph (1), items a) and b) of the Regulation, referred to below, which in this case allow the transfer of data, is highlighted in bold under items V/6 and V/10 of the Notice, among the processing of data concerning the delivery outside the EEA and newsletter sending.
- the data subject has given his or her explicit consent to the intended transfer after having been informed of the potential risks of the transfer due to the lack of an adequacy decision and appropriate safeguards;
- the transfer of data is required for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject.
Dear Customers / Visitors!
If you have a data protection issue and no answer is found in the data protection prospectus or in the above summary, please contact the Data Controller at one of the contact details provided in the GTC and the Prospectus.