1. THE PURPOSE OF THE DATA PROCESSING NOTICE AND THE GOVERNING LAW
The purpose of this Notice is to determine the data protection and data processing principles applied by Best Beauty Kft. as well as the data protection and data processing policy of the company which the company accepts as binding for itself.
When preparing the provisions of the Notice, the company considered in particular the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act CXII of 2011 on informational self-determination and the freedom of information (“Infotv.”), Act V of 2013 on the Civil Code (“Ptk.”) and furthermore, Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (“Grtv.”).
The scope of this Data Processing Notice covers the processing related to the website at www.bestlashespro.com (hereinafter as “Website”).
In the absence of a notice to the contrary, the scope of the Notice does not cover:
- a. the services and the processing related to the promotions, competitions, services, other campaigns of or the content published by the persons advertising on the Website or appearing thereon in any other way.
- b. the services and the processing of the websites, the service providers to where a link points from the Websites.
The scope of the Notice does not cover the processing by persons (organisations, companies) whose information, newsletters, marketing correspondence the User learns about via the Website.
2. THE PROCESSOR AND ITS ACTIVITIES
- Name of company: Best Beauty Kft.
- Registered seat: H-8000 Székesfehérvár, Bátky Zsigmond út 4. 9/34
- Telephone: +36-70-610-4850
- E-mail: email@example.com
- NAIH (National Authority for Data Protection and the Freedom of Information) number::87659/2015
- Name of contact person: Renata Fodor-Csuti
The Controller is a company duly registered in Hungary.
The Controller operates the Website which has been created for the online sale of eyelash extension, lifting and cosmetic products and tools. Certain products that can be ordered are only available for professional customers while other products are available for every registered customer.
Processing: means, independently of the method applied, any operation which is performed on personal data, in particular the collection, recording, organisation, storage, alteration, use, retrieval, use, disclosure, transmission, dissemination or otherwise making available, publishing, alignment or combination (including profiling), restriction, erasure or destruction of the personal data;
Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of the personal data;
Processor: means a natural or legal person, public authority, agency or other body which processes the personal data on behalf of the controller;
Personal data or data: means any information on the basis of which a natural person User, directly or indirectly, becomes identifiable.
User: means the natural person who registers on the Website as a Customer/Reseller and provides his/her personal data for that purpose. (see listed below).
External provider: means those third party provider partners who are – either directly or indirectly – engaged by Controller or the operator of the Website for the provision of particular services to whom the personal data are or may be transmitted for the provision of their services, and who may transmit personal data to Controller. In the scope of the web hosting services, Controller shall regard the User as an External provider having regard to the data processing activities he or she conducts in the hosted storage used by him/her.
4. THE PRINCIPLES, THE METHOD AND THE GOVERNING LAWS OF THE DATA PROCESSING
4.1. Controller shall only process the data determined by law, or the ones provided by the Users, for the purposes determined below. The scope of the processed data is proportionate to the purpose of the processing, which may not be exceeded.
4.2. The Controller shall not check the Personal data provided to it. Only the person providing the Personal data shall be liable for the adequacy thereof.
4.3. The Personal data of a person under the age of 16 can only be processed with the consent of an adult person exercising parental rights over that person. Controller is not able to verify the entitlement of the person providing the consent or to verify the contents of his/her declaration, therefore the User or the person practicing parental rights over him/her shall warrant that the consent is in compliance with the law. In the absence of a consenting declaration, Controller shall not collect Personal data related to a data subject under the age of 16.
4.4. In cases where the Controller intends to use the Personal data for purposes other than the ones they were originally obtained for, it shall inform User thereof, and shall acquire his/her prior, explicit consent, and provide an opportunity for him/her to prohibit usage.
4.5. The Controller shall not disclose the Personal data it processes to third parties with the exception of the Processors determined in this Notice, or in certain cases – as referred to in this Notice – the External providers.
An exception shall be made under the provision of this clause to the use of the data in a statistically aggregated form which may not contain any other form of data that can be used to identify the User involved, therefore it does not qualify as Processing or transmission of data.
4.6. Pursuant to the applicable provisions of the GDPR, Controller shall not be under the obligation to appoint a data protection officer.
4.7. Controller shall process the personal data in compliance with the applicable laws. The legislations pertaining to data processing are, in particular:
Act CVIII of 2001 on certain issues of electronic commerce services and information society services;
Section 169 of Act C of 2000 on accounting (pertaining to the keeping of accounting documents);
Act CXII of 2011 on informational self-determination and the freedom of information (hereinafter as “Infotv.”);
Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (hereinafter as “Grtv.”);
and Regulation (EU) 2016/679 of the European Parliament and of the Council;
5. THE LEGAL BASIS OF PROCESSING
5.1. Having regard to the nature of the activities of the Controller, the legal basis of the processing is the freely given, informed and explicit consent of the User ( Section 5(1) a) of Infotv.) Users contact the Controller out of their free will, register voluntarily and use the services of the Controller voluntarily. In the absence of a consent by the Users, the controller shall only process data when unambiguously authorised by the law. Users shall have the right to withdraw his or her consent at any time. The withdrawal of the consent shall not affect the lawfulness of processing based on consent before its withdrawal.
5.2. The Controller shall record the IP address of the User when the User visits certain websites in relation to the provision of the service, with regard to the legitimate interests of the Controller and for providing the service lawfully (e.g. filtering out unlawful use or illicit content) without a separate consent from the User.
5.3. Data transmission to the Processors determined in this Notice may be carried out without a separate consent of the User. Personal data may only be disclosed to third parties or to the authorities – unless regulated otherwise by legislation – on the basis of a legally binding decision of the authority or the prior, explicit consent of the User.
5.4. By providing his or her e-mail address or by providing any other data (e.g. username, password etc.) during the registration, Users accept the liability for the e-mail address or the data provided by him or her as being only used to render a service by him or her.
5.6. The legal basis of the processing in certain cases is a requirement of the law. The Controller shall process the data on the accounting documents issued by the Controller in compliance with the provisions of the accounting act.
6. THE PURPOSE OF THE PROCESSING
The primary purpose of the processing is the operation of the Website and providing the services of the Controller. The Controller shall only process personal data for a specific purpose, to exercise a right and to fulfil an obligation. The personal data can only be processed to the extent and for the period required to fulfill the purpose of the processing.
THE PURPOSE OF THE PROCESSING BASED ON THE ABOVE
- Identification of the User, communication with the User
- Performance of the contract concluded during the purchase on the Website, performing the contractual obligations of the Controller
- Fulfilling the obligations of the Controller, exercising the rights of the Controller
- Organising and conducting competitions
- Based on a separate consent of the User, advertising, research
The source of the data: The Controller shall only process the personal data provided by the Users, it shall not collect data from other sources. The data are provided during the registration/purchase by the User. If the User registers and provides his or her data in a promotion organised by the Controller, he or she consents to the processing of his or her personal data pursuant to the provisions of the notice of that particular promotion. In such cases, the Controller shall only process the data provided during the promotion.
The scope of the data processed: surname, first name, e-mail address, mobile phone number, delivery address (city, postal code, street, number of house, floor, door), tax number. In addition to the above, the Controller shall process the technical data, including the IP address.
THE DESCRIPTION OF THE DATA PROCESSING PROCESS
The source of the data is the User who provides the data during the registration or later when visiting the Website. It is compulsory to provide the data listed on the registration form unless expressly specified otherwise.
The User shall provide the data out of his or her free will, the Controller provides no compulsory guidance or makes content requirements in this regard. The User shall explicitly consent to the processing of the data he or she has provided. The User may provide additional data in his or her profile other than the data required by the Controller, the legal basis of the processing in this case is also the voluntary consent of the User.
The User, by registering on the Website as a Customer, provides his or her consent for the (personal) data provided during the registration and the purchase to be stored, processed and used by the business partners of the Controller engaged for the fulfilment of certain activities of the purchase (e.g. courier service) for the purpose of fulfilling the orders, handing over information related to education/training, market research, direct marketing and/or the sending of commercials.
PROCESSING RELATED TO ADVERTISING, SENDING NEWSLETTERS
If the User consents to it, the Controller shall contact the User via the contact details provided and send him or her advertisements by way of direct marketing. The advertising can be sent via post, telephone (including SMS) or e-mail. The consent of the User is in every case a prerequisite for the advertisement. The User may at any time withdraw his or her consent without an explanation.
THE PROCESSING OF TECHNICAL DATA AND COOKIES
The system of the Controller automatically records the IP address of the user’s computer, the starting time of the visit, and in certain cases – depending on the settings of the computer – the type of the browsers and the operating system. The data recorded this way cannot be linked to other personal data. The processing of the data shall be carried out only for statistical purposes. The User acknowledges that cookies are in operation on the website operated by the Controller. Cookies enable the Website to recognise earlier visitors. Cookies help the Controller as the operator of the Website to optimise the Website and to shape the services of the Website in accordance with the habits of the users.
Cookies can be used to:
- monitor the efficiency of our advertisements.
- remember the settings so that the users do not need to set them again when visiting a new page, the data entered earlier will be remembered so they will not need to be entered again.
- analyse the use of the website.
If the Controller displays various content on the Website with the help of external web-based services, it may lead to the storing of some cookies not controlled by the Controller, therefore it has no influence on what data these websites or external domains collect. The respective policies of these services provide information on such cookies.
7. DATA PROCESSING
The Controller has the right to engage the services of a processor for the performance of its activities. The processors do not make independent decisions, they only have the right to act in compliance with their contract concluded with the Controller upon the instructions received. The Controller checks the work of the processors. The processors only have the right to engage the services of further processors with the consent of the Controller.
The processors engaged by the Controller:
Development: Auretto Works Kft, H-1037 Budapest, Orbán Balázs út 37. 3. em. 7.
Server hosting: Ezit Kft. www.ezit.hu
Newsletters: Auretto Works Kft, H-1037 Budapest, Orbán Balázs út 37. 3. em. 7.
Parcel delivery: GLS and DHL Shipping company
Store: Hungary, Budapest 1094 Viola street 5
7.1 Data transmission
The Controller transmits data to third persons only if the User, having been informed of the scope of the data and the recipient of the data transmission, has provided his or her unambiguous consent thereto or if the data transmission is authorised by law.
The Controller has the right and is under the obligation to transmit every data available to it and lawfully stored by it to the competent authorities where the transmission of such personal data is required by law or a binding decision of an authority. The Controller may not be held liable for such transmissions or the outcomes resulting thereof.
7.2 External providers
During the operation of the Website, the Controller engages the services of External providers, and the Controller cooperates with such External providers. With respect to the Personal data stored in the systems of the External providers, the provisions of the respective data protection policies of the External providers shall apply.
The Controller shall inform the Users about the transmissions towards the External providers as part of this Notice.
7.3 Data security
The Controller ensures the security of the data. The Controller protects the data with adequate measures against unauthorised access, alteration, transmission, disclosure and also against the data becoming unavailable due to a change in the technology applied.
The Controller maintains an account of the data processed by it in compliance with the applicable legislation, ensuring that the data may be accessed only by those employees of the Controller and those persons acting on its behalf (data processors) whom require it for the performance of their duties and responsibilities. The employees of the controller perform individual queries and individual operations on the data only upon request of the User or only in cases where it is necessary for the providing of the service.
The Controller, when determining and applying the measures ensuring the security of the data, considers the current level of technological development. The Controller, within the scope of its information protection tasks, shall ensure especially:
- The protection of the sets of data against viruses (antivirus protection).
- Protection against unauthorised access, including the protection of the software and hardware components, and the physical protection (access security, network security).
- The measures allowing that the data sets can be recovered, including regular security backups and the separate, safe handling of copies.
- The Controller maintains the electronic registry by way of an informatics program meeting the requirements of data security. The program ensures that the data can only be accessed on a need to know basis, under controlled circumstances, by persons who need it for the performance of their tasks.
7.4 The duration of the processing
The Controller shall erase the personal data if a) it is processed unlawfully;
If it becomes known that the processing of the data is unlawful, the Controller shall erase it without delay.
b) on the request of the User (with the exception of processing required by the law);
The User may request the erasure of the data that is processed on the basis of his or her voluntary consent. In such cases the Controller shall erase the data. Erasure may only be denied in cases where the law permits the processing of the data. The Controller shall in every case send a notification if the erasure request has been rejected, including a reference to the law permitting the processing.
- c) the data is incomplete or incorrect – and this state cannot be lawfully remedied – provided that the erasure is not excluded by law;
- d) the purpose of the processing has terminated or the period for the storage of the data set forth in legislation has expired;
The newsletters sent by the Controller can be unsubscribed through the unsubscribe links contained therein. In case of unsubscribing, the controller shall erase the Personal data of the User from its newsletter database. In the absence of a request by the User, the Controller shall continue processing the data as long as the relationship between the Controller and the User is maintained and as long as the controller can provide a service to the User. The Controller shall erase every other data if it becomes apparent that the data shall not be used in the future or the purpose of the processing has terminated.
- e) it is ordered by the court or the National Authority for Data Protection and the Freedom of Information
In cases where the processing is required by the law the erasure of the data shall be governed by the provisions of that law.
8. THE RIGHTS OF THE USERS AND EXERCISING SUCH RIGHTS
8.1. The Controller shall inform the User about the processing of the data at the same time as the first communication. The User has the right to request information about the processing at any time.
Upon the request of the User, the Controller shall provide information on his or her data being processed by it or by a processor engaged by it, on the source of such data, the purpose, the legal basis and the duration of the processing, the name, address of the processor and its activities related to the processing, the circumstances of a data breach, its effects and the measures taken to avert them, and furthermore – where the personal data of the User is transmitted – the legal basis and the recipient of the transmission. The Controller shall reply to the request of the User in writing in the shortest time possible but not later than within 25 days after the request has been filed, using clear and plain language. The information shall be provided free of charge if the requester has not yet submitted a request for information about the same scope of data in the year in question. In other cases a cost may be charged. The costs paid shall be refunded if the data has been processed unlawfully or if the request for information resulted in a rectification.
8.2. The User may request from the Controller to rectify any of his or her personal data that is incorrect.
8.3. The User may request any of his or her data to be erased, with the exception of the processing required by the law. The Controller shall notify the User of the erasure.
8.4. The User may object to the processing of his or her personal data as set forth by the provisions of the Infotv.).
8.5. The User may submit his or her request for information, rectification, erasure in writing, sent by mail to the registered seat, place of business of the Controller, or via e-mail to the e-mail address of the Controller to firstname.lastname@example.org.
8.6. The User may request from the Controller the restriction of the processing of his or her Personal data:
- if the User disputes the accuracy of the Personal data being processed.
In such cases the restriction is for the period of time that is required to enable the Controller to check the accuracy of the Personal data. The Controller, in cases where the incorrectness or the inaccuracy of the disputed Personal data cannot be unambiguously determined, marks the Personal data it processes whose correctness or accuracy the User disputes.
- if the Processing is unlawful but the User objects to the erasure of the Personal data being processed and instead he or she requests the restriction of their use.
- if the purpose of the Processing has been achieved but the User requires the Controller to further process them for the submission, exercise or protection of legal claims.
8.7. The User has the right to receive from the Controller the Personal data that he or she has provided to the it, which is processed by the Controller by automated means, in a structured, commonly used machine readable-format and/or to transmit such data to another controller.
8.8. If the Controller rejects the request of the User for the rectification, restriction or erasure, it shall notify him or her about the reasons for rejecting the request for the rectification, restriction or erasure within 25 days of receiving such a request in writing. In cases where the request of the User for the rectification, erasure or restriction is denied, the controller shall inform the User of the available legal remedies and the possibility of appealing to the National Authority for Data Protection and the Freedom of Information.
8.9. The User may submit his or her statements related to the exercising of his or her rights above to the contact details of the controller determined in clause 2.
8.10. The User may file a complaint directly with the National Authority for Data Protection and the Freedom of Information (address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone: +36-1-391-1400; e-mail: email@example.com; web: www.naih.hu), as well.
9. MODIFICATION OF THE DATA PROTECTION NOTICE
9.1. The Controller maintains the right to unilaterally modify this Notice at any time.
9.2. The Users, by logging in at the next occasion, accept the provisions of the actual Notice in effect, without any further need to individually request the consent of each User.
10. DATA TRANSFER DECLARATION
I agree that the following personal data stored by the Best Beauty Kft. -32.) As a data controller.
The range of data transmitted is: surname, first name, country, phone number, email address.
The nature and purpose of the data processing activity performed by the data processor can be found in the SimplePay Data Management Guide at the following link: https://simplepay.hu/vasarlo-aff