WineHub Holding Kft. – WWW.WINEHUB.HU

Valid from 27.07.2022

1. Introduction, principles, purpose and scope of the Guide

1.1 The purpose of this Privacy and Data Protection Notice (hereinafter referred to as the “Notice”) is to set out the privacy policy of WineHub Holding Limited Liability Company (registered office: 1036 Budapest, Fényes Adolf utca 24-26., company registration number: Cg.01-09-867419, Tax No.: 13675811-2-41, legal representative: Carlos Coelho, Managing Director, hereinafter referred to as the “Service Provider” or the “Data Controller”), and the Service Provider’s privacy and data protection policies and practices for the protection of personal data, which the Service Provider, as the data controller, recognizes as binding on itself with respect to personal data collected through the www.winehub.hu website (the “Website”).

1.2 The purpose of this Policy is to ensure that the Data Controller complies with the constitutional principles of data protection, data security requirements, prevents unauthorized access to data and unauthorized alteration, loss or disclosure of data.

1.3 This Policy applies to all natural persons who visit the Website and to all customers (whether natural persons or entities, whether incorporated or unincorporated, who use the Website to place an order or a reservation) of products and services marketed through the Website (the “Data Subject“).

1.4 The Data Controller respects the rights of the Data Subject(s) to the protection of their personal data.

1.5 This Notice summarises in a concise and simple manner what data the Data Controller collects, how it may use that data, the tools used by the Data Controller and the Data Subject’s data protection and data protection enforcement rights.

1.6 The scope of the Notice is limited to the processing of data by the Controller, i.e. it does not cover the processing activities that may be related to information published by third parties that advertise on the Website or otherwise appear on it.

1.7 Detailed rules are set out in the said Regulation and related legislation, for further information you are advised to consult the Regulation or to contact the Data Controller in confidence using the contact details also indicated in this Notice.

2. Applicable legislation

2.1 The Service Provider is committed to fully complying with the applicable data protection rules, including but not limited to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter referred to as “GDPR” or “Regulation“) and Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (hereinafter referred to as “Info  law“), at all stages of the processing of personal data.

2.2 The general objective of the GDPR is to ensure the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data, while ensuring the free flow of personal data within the EU (Article 1). To this end, the Controller sets up a set of rules on the processing of personal data and on the flow of data, one of the most important elements of which is the focus on the responsibility of the controller. The principles of data protection shall apply to all information relating to an identified or identifiable natural person.

2.3 The scope of the Regulation covers “the processing of personal data wholly or partly by automated means and the processing of personal data which form part of a filing system or are intended to form part of a filing system by non-automated means.”

3. Principles of data management

3.1 The data controller shall process personal data in accordance with the provisions of the GDPR and applicable laws. The Service Provider shall comply with the principles of the GDPR Regulation in its data processing, which are:

3.1.1 Principle of lawfulness, fairness and transparency;

3.1.2 Purpose limitation: personal data are collected and processed only for specified and explicit purposes;

3.1.3 Data minimisation: its processing is limited to what is relevant and necessary;

3.1.4 Accuracy: it will use reasonable efforts to keep data accurate and up to date, and will promptly delete or rectify inaccurate personal data;

3.1.5 Limited storage: personal data is stored and processed only for the time necessary to achieve the purposes for which it is processed;

3.1.6 Integrity and confidentiality: ensure adequate security of personal data, including protection against accidental loss, destruction, unlawful destruction, unauthorised access, unauthorised use, damage, by appropriate technical and organisational measures;

3.1.7 Accountability: is prepared to demonstrate compliance with the above;

3.1.8 Protection of the data of a person under the age of 16: the personal data of a person under the age of 16 may only be processed with the consent of the person who has parental authority over him/her. The Service Provider is not in a position to verify the right of the person giving consent or the content of his/her declaration, so the Data Subject or the person having parental authority over him/her guarantees that the consent is in accordance with the law. In the absence of a consent form, the Service Provider will not collect personal data relating to a data subject under the age of 16.

3.2 The Data Controller shall inform the Data Subject of the data processing rules in a timely manner and in the prescribed manner before the processing starts. The Data Controller shall collect, store and use personal data only for specified purposes in accordance with the purpose limitation requirement. The personal data collected shall always be adequate, relevant and sufficient for the purpose for which it is collected, and the Data Controller shall comply with the principle of data minimisation by complying with this rule.

3.3 In the spirit of data accuracy, the Data Controller shall take reasonable steps to ensure that the personal data of the Data Subject are complete, accurate, up-to-date and reliable to the extent necessary for the purposes for which they are collected.

3.4 The Data Controller shall use personal data for marketing purposes only with the consent of the Data Subject and shall give the Data Subject the opportunity to opt-out of such communication.

3.5 The Data Controller shall take proportionate and complete steps to ensure the protection of the Data Subject’s personal data as detailed in this Privacy Notice, including in cases where it transfers them to third parties.

3.6 The Service Provider will not transfer the personal data it processes to third parties other than the Data Processors and External Service Providers specified in the Notice.

4. How to access and amend the Prospectus

4.1 The current version of the Prospectus is available at all times electronically via the Website. The Service Provider shall be entitled to amend the Prospectus unilaterally at any time without prior notice, as necessary, and the amended Prospectus shall enter into force immediately upon uploading to the Website.

4.2 By accessing the Website, the Data Subject accepts the current version of the Prospectus, and no further consent of the Data Subject is required unless otherwise provided for in the Prospectus.

5. Interpretative provisions

Regulation, GDPR: Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

Info law: Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information;

Szv law: Act CXXXIII of 2005 on the rules of personal and property protection and private investigation;

Art.: Act CL of 2017 on the Rules of Taxation;

Sztv: Act C of 2000 on Accounting;

VAT law: Act CXXVII of 2007 on Value Added Tax;

Civil Code: Act V of 2013 on the Civil Code;

Elker law.: Act CVIII of 2001 on certain aspects of electronic commerce services and information society services;

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special categories of data: personal data revealing racial or ethnic origin, political opinions or political party affiliations, religious or philosophical beliefs, membership of an interest group, sex life, health, pathological or pathological addictions and personal data concerning criminal offences.

Genetic data: any personal data relating to the inherited or acquired genetic characteristics of a natural person which contain specific information about the physiology or state of health of that person and which result primarily from the analysis of a biological sample taken from that natural person;

Biometric data: any personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical procedures which allow or confirm the unique identification of a natural person, such as facial image or dactyloscopic data;

Health data: personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person which contain information about the health of the natural person;

Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;

Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

Register of processing operations: a register of the processing activities carried out by the Controller pursuant to the obligation under Article 30(1) of the GDPR, which, in addition to the data relating to the Controller, contains the name of the processing, the purposes of the processing, the categories of data subjects, the categories of personal data processed, the recipients to whom the data will be disclosed, where possible, the name and contact details of the processor(s) and, where possible, the time limit foreseen for the erasure of each category of data,

Recipient: the natural or legal person, public authority, agency or any other body, whether or not a third party, with whom or to which the personal data are disclosed. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not considered recipients;

Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Consent of the data subject: a voluntary, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies his or her agreement to the processing of personal data concerning him or her by means of a statement or an unambiguous act of affirmation;

Profiling: any form of automated processing of personal data by which personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with the performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person;

Privacy incident: IT error, data breach.

IT Error: a disruption or slowdown in the operation of an IT system that interferes with work, causes an abnormal operation, service disruption or slowdown, which does not constitute a data breach but may compromise the confidentiality, integrity or availability of the IT system;

Data Breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Authority: National Authority for Data Protection and Information Security, www.naih.hu

6. Data controller (service provider), contact details

Company name: WineHub Holding Korlátolt Felelősségű Társaság

Registered office: 1036 Budapest, Fényes Adolf utca 24-26.

Company registration number: 01-09-867419

Tax number: 13675811-2-41

Representative: Carlos Coelho, Managing Director

Registering authority/court: Fővárosi Törvényszék Cégbírósága

Email: hello@winehub.hu

7. Data Protection Officer

7.1. Under the GDPR, the Service Provider is not obliged to appoint a Data Protection Officer, given that the Service Provider is not a public authority or other body with public responsibilities, and its activities, by their nature, scope and/or purposes, do not involve systematic, large-scale monitoring of Data Subjects and do not cover decisions on criminal liability of Data Subjects or personal data and special categories of personal data relating to criminal offences.

8. Purpose of data processing, legal basis, scope of data processed, duration of data processing, data subjects entitled to access data in relation to data subjects using the services provided through the Website (webshop).

(The processing of data related to the use of anonymous User identifiers by the Website is detailed in sections 8.8-8.19)

8.1. Purpose and legal basis for processing

8.2 We use the following legal bases for processing in accordance with the GDPR:

8.2.1 Consent-based processing: the consent of the visitor to the Website or of the Customer, which is voluntary, specific, informed and unambiguously authorises the Data Controller to process personal data concerning him/her (e.g.: sending a newsletter, promotional purpose, marketing purpose);

8.2.2 Processing for the performance of a contract: the performance of a contract to which the Data Subject (customer) is a party in respect of an order placed through the Website;

8.2.3 Processing for the performance of a legal obligation: processing necessary for the performance of a legal obligation to which the controller is subject (e.g.: accounting, bookkeeping (Sztv., VAT Act, Art.), complaint handling (Act CLV of 1997 on Consumer Protection), answering general enquiries);

8.2.4 Processing for legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party;

8.2.5 Processing pursuant to Article 13/A of the Act on the Protection of Information Society Services, according to which the Data Controller may process the Customer’s natural person identification data (name, name at birth, mother’s name at birth, place and date of birth) and address for the purposes of creating, defining the content of, amending, monitoring the performance of, invoicing the fees arising from, and enforcing claims in connection with the provision of information society services. The Controller may process natural identifiers, address and data relating to the time, duration and place of use of the information society service for the purposes of billing for charges resulting from a contract for the provision of an information society service.

8.3 Scope of data processed, duration of data processing, persons entitled to access data

8.4. The Website can be visited and the services of our online store can be used by Data Subjects in two categories: (i) visitor status, in which case no order is placed via the Website; and (ii) customer status, in which case an order is placed via the Website. The scope of personal data processed and recorded in respect of the two categories is disclosed below.

8.5 The Data Controller collects and processes personal data as set out in the table(s) below for the retention period indicated:

Data processed only for customers

Conclusion of a contract (to which the data subject is a party), performance of the contract and data processed on the basis of legitimate interest

Name of personal data: Name, tax ID/tax number, mother’s name, place/date of birth, bank account number, name of the bank holding the account, telephone number, e-mail address, number, date and time of the purchase transaction; website through which the purchase was made
Retention/Storage period: The retention period is 5 years after the date of performance, termination or cessation of the legitimate interest in accordance with the relevant statutory provision (Civil Code 6:22§) (Info law, GDPR regulation, Elker Act § 13/A)

Name of personal data: Personal data contained in general requests (all personal data brought to the attention of the Data Controller by the data subject)
Retention/Storage period: 5 years after the legitimate interest ceases. (Info law, GDPR regulation, Elker Act § 13/A)

Data processed pursuant to a legal requirement (legal obligation)

Name of personal data: Accounting voucher data: invoice name, invoice address, tax number/tax identification number, invoice item name, unit price, total price.
Retention/Storage period: At least 8 years pursuant to Art. 169 (2) of the State Act (Info law, GDPR regulation, Elker Act § 13/A)

Name of personal data: Name, address, e-mail address
Retention/Storage period: According to CLV Act of 1997 on Consumer Protection, paragraph 17/A (7): 5 years

Data processed with the voluntary consent of the data subject

Name of personal data: Name, e-mail address, telephone number
Retention/Storage period: Retention period until unsubscription, withdrawal of consent (Info law, GDPR regulation, Elker Act § 13/A)

8.6 Data relating to Data Subjects may come into the possession of the Data Controller directly or indirectly from Data Subjects in accordance with the provisions of this Notice:

8.7. Method of storage: both electronic and paper-based.

Data processed exclusively for visitors

Please note that if you also place an order on the Website, the Data Controller will process the data detailed below.

8.8. If you use the Website merely as a visitor and do not place an order, no personal data relating to you as a visitor on the basis of which you could be identified comes into our possession, and in this case we do not store data about you.

8.9. The Data Controller records and draws your attention to the fact that, when visitors use the Website, we create a technical identifier, a so-called cookie, which, however, does not collect information linked to you, but conveys to us information about usage habits relating to the computer from which you are currently logged in.

8.10. The Data Controller may use alphanumeric information packets of variable content, sent by the web server, recorded on the user’s computer and stored for a predetermined period of validity, i.e. cookies, for the services and the website.

8.11. A cookie is a series of signals that are placed on the Data Subject’s computer by service providers, which can be used to uniquely identify the Data Subject and to store profile information. It is important to note that such a sequence of signals is not in itself capable of identifying the Data Subject in any way, but only of recognising the Data Subject’s computer. In the networked world of the Internet, personalised information and tailored service can only be provided if service providers can identify the habits and needs of their customers. Service providers are turning to anonymous identification to learn more about their customers’ information usage patterns in order to further improve the quality of their services and to offer their customers customisation options.

8.12. Cookies are used, for example, to store the preferences and settings of Data Subjects; to help them log in; to display personalised advertisements and to analyse the functioning of the Website. For this purpose, the Data Controller may use services to collect and track data on the activities of the data subjects, such as relevance, recommendations, searches, openings, most important and frequently used features.

8.13. Flash cookies are used by website operators to tell, for example, whether the Data Subject has ever visited the website, and to help identify the functions/services that the Data Subject may be most interested in. Search and Flash cookies enhance your online experience by retaining the Data Subject’s preferred information while you are on a particular page. Neither the search engine nor the Flash cookies can identify the Data Subject personally, and the Data Subject can refuse browser cookies through the browser settings, however, without such cookies, he will not be able to use all the services of the website.

8.14. The legal basis for the use of cookies is your consent, since by clicking the “I accept” button on the pop-up window when you visit the site, you give your consent to their lawful use. However, you can also delete cookies from your own computer or block their use in your browser. Cookies can usually be managed in the Tools/Settings menu of the browser, under the data protection settings labelled “cookie”; doing so is considered a withdrawal of your consent.

Cookies used on the Website

Cookie name: Strictly required cookies
Purpose: Enabling navigation
Personal data concerned: During the use of the website: the IP address of the Data Subject’s computer; data relating to their activity on the website concerned.
Legal basis for data processing: Data subject’s consent
Expiration: After leaving the website. No personal data is stored.

Cookie name: Performance cookies
Purpose: Collecting information about website usage (Google Analytics)
Personal data concerned: Collection of information regarding the use of the website. Personal data of the Data Subject: when using the website: the IP address of the Data Subject’s computer; start and end time of time spent on the website; depending on the settings of the Data Subject’s computer, the type of browser and operating system; data regarding the Data Subject’s activity related to the website.
Legal basis for data processing: Data subject’s consent
Expiration: Personal data is stored for the duration of the session, depending on the type of cookie: 2 years/24 hours/1 minute/90 days/365 days

Cookie name: Targeting and advertising cookies
Purpose: Identifier creation and storage, display of targeted ads. (Google Analytics, Facebook tracking code)
Personal data concerned: IP address of affected device
Legal basis for data processing: Data subject’s consent
Expiration: Personal data is stored for the duration of the session, depending on the type of cookie: 90 days/18 months/2 years

8.15. If the Data Subject does not want such an identifier to be placed on his or her computer, he or she can set the browser so that it does not allow the unique identifier to be placed, and can at any time withdraw permission and delete the unique identifier; in this case, however, it is possible that the Data Subject will not be able to access the services, or not in the same form as if he or she had allowed the identifiers to be placed.

8.16. The services are used by a large number of users in a variety of software and hardware environments, with different purposes and areas of use. The development of the services can best be adapted to the needs and possibilities of the users if the Website operator has a comprehensive picture of their usage habits and needs. However, due to the large number of users, in addition to personal inquiries and feedback, an effective additional method is for the Website operator to collect and analyze their habits and data on the running environment of the services using an automated method.

8.17. The purpose of data management: to ensure the proper and high-quality operation of the website, to monitor and improve the quality of the Data Controller’s services, to identify malicious visitors attacking the website, and to measure traffic.

8.18. Those entitled to access the data: employees responsible for the supervision and maintenance of the Data Controller’s IT system and any data processors.

8.19. Data storage method: electronic, but in the event of a data protection incident, it may also be stored on paper.

9. Purpose of data processing, scope of data processed, duration of data processing, data subjects entitled to access data in relation to the contact persons and employees of business organisations that come into contact with the Data Controller in the course of their economic (business) activities

9.1. Purpose and legal basis of data processing

9.2. The Data Controller processes personal data for legitimate interest in the following cases: intention to enter into a contract, conclusion and performance of a contract.

9.3. The Data Controller processes Personal Data in order to fulfill a legal obligation, based on statutory provisions, in the following cases: fulfillment of invoicing, accounting, bookkeeping obligations (Sztv., VAT Act, Art.).

9.4. The Data Controller processes personal data based on the express and voluntary consent of the Data Subject in the following cases: Marketing purpose: Sending a newsletter

9.5. Scope of processed data, duration of data processing, persons entitled to access data

The Data Controller collects and processes personal data as set out in the following table(s) for the specified retention period – depending on the quality of the Data Subject:

Data processed based on legitimate interest

Name of personal data: Name, email address, phone number. In the case of partner contacts, also: position held at the partner company
Retention/storage time: Retention period: 5 years following the date of performance, termination of the contract or termination of the legitimate interest, in accordance with the related statutory provision (Section 6:22 of the Civil Code) (Info law, GDPR Regulation, Elker Act 13/A. §)

Data processed based on legal requirements

Name of personal data: Data shown on accounting documents: Name, position held, email address, telephone number.
Retention/storage time: At least 8 years according to Section 169 (2) of the Civil Code (Info law, GDPR Regulation, Elker Act 13/A. §)

Data processed with the voluntary consent of the data subject

Name of personal data: Name, email address, phone number, in the case of contacts – position held at the partner company
Retention/storage time: Retention period until unsubscribe or withdrawal of consent (Info law, GDPR Regulation, Elker Act 13/A. §)

9.6. Data relating to the Data Subjects may come into the possession of the Data Controller as follows:

  • directly or indirectly from the Data Subjects, in accordance with the provisions of this Data Processing Notice,
  • by receiving data from other data controllers,
  • from public sources.

9.7. Method of storing data: both electronic and paper-based.

10. Data processors, external service providers

10.1. The Data Controller is authorized to use a data processor to perform its activities, the list of the data processors used is included in Annex 1 to this Information.

10.2. Those entitled to access the data: The Data Controller may forward the data to its employees and agents performing tasks related to customer service and activities, as well as to its employees and data processors performing accounting and taxation tasks, as recipients. In the event of an official request from an investigating authority or other authority within the framework of an official procedure, the Provider is obliged to provide the requested data, in accordance with the provisions of the relevant legislation.

10.3. The Data Controller shall conclude a data processing agreement with the data processor in accordance with the legislation, in which it regulates the relationship between the data processor and the data controller and guarantees the security of personal data in the possession and management of the data processor. In this context, in particular:

  • the data processor processes personal data on the basis of the data controller’s mandate and instructions;
  • it and its employees involved in the processing of personal data are bound by confidentiality;
  • it implements appropriate organizational and technical measures to guarantee data security;
  • the data processor facilitates and enables audits and on-site inspections;
  • if the data processor uses the assistance of an additional data processor, the same obligations apply to it as those originally established by the contract between the data processor and the data controller;
  • upon the expiry of the data processing agreement, the data processor returns all personal data to the data controller or deletes or erases existing copies, with one exception if Member State or Union law requires the storage of the data.

11. Data transmission

11.1. Data transfer: making data available to a specific third party.

11.2. The data transferor must check the conditions of data transfer (legal basis, purpose limitation, data security) with the Service Provider in each case. Personal data may only be transferred if the Data Subject has consented to it in writing or if permitted by law and if the conditions for data processing are met for each personal data. Data transfer is only possible with appropriate information from the data subject, is purpose-limited and is supported by an appropriate legal basis.

11.3. Data transfer that cannot be classified as repetitive and only concerns a limited number of data subjects may be permitted due to a compelling legitimate interest pursued by the data controller, provided that the interests or rights and freedoms of the data subject do not take precedence over these interests, and the data controller has assessed all the circumstances of the data transfer.

11.4. Prior to data transfer, the data controller or the data processor acting on its behalf or on its instructions shall examine the accuracy, completeness and up-to-dateness of the personal data to be transferred.

11.5. In the event of data transfer, the data subjects shall be notified immediately, except if the data transfer is necessary due to legal or official measures, in particular police measures or criminal proceedings.

11.6. The Service Provider shall notify the data subjects of the transfer of data to the external service providers named in this Notice through this Notice.

12. Data security

12.1. The Service Provider shall ensure the secure storage of data in all cases in accordance with the legal provisions, by adhering to the rules and by implementing appropriate technical and organizational measures. The Service Provider shall make the source of the data available to the Data Subject.

12.2. The Data Controller shall do everything in its power to ensure the security of the Data Subject’s data in accordance with its obligations under the Info Act and the GDPR, and shall also take the necessary technical and organizational measures and establish the procedural rules necessary for the enforcement of the Info Act, the GDPR, and other data and privacy protection rules. Only employees of the Data Controller with express authorization may access the data subject’s data stored in the Data Controller’s database.

12.3. The data management services provided in connection with the website also include so-called cloud-based applications. Cloud applications are typically international or cross-border in nature and serve, for example, the purpose of data storage, where the data is stored not on the Data Controller’s own computer or organizational computer center but in a server center that can be located anywhere in the world. The main advantage of cloud applications is that they provide highly secure, flexibly expandable IT storage and processing capacity that is essentially independent of geographical location.

12.4. The Data Controller selects its partners providing cloud services with the greatest possible care, does everything possible to conclude a contract with them that also takes into account the data security interests of the Data Subjects, makes sure that their data management principles are transparent to them and regularly checks data security.

12.5. It is possible that the Data Controller’s website contains references or links to pages maintained by other service providers (including buttons and logos indicating the possibility of logging in or sharing), where the Data Controller has no influence on the practices related to the processing of personal data. The Data Controller draws the attention of the data subjects to the fact that if they click on such links, they may be transferred to the pages of other service providers. In such cases, we recommend that they read the data processing information valid for the use of these pages. This Data Processing Information only applies to the data processing carried out by the Data Controller. If you modify or delete any of your data on the external website concerned, it will not affect the data processing by the Data Controller; such modifications must also be made on the website.

13. Rights of Data Subjects

Right to prior information: the data subject has the right to receive information prior to the fact of data processing (Articles 13 and 14 of the GDPR; Section 2, Section 14 of the Info Act);

Right of access: at the request of the data subject, the data controller shall make his/her personal data and information related to their processing available to him/her (Article 15 of the GDPR; Section 14 of the Info Act);

Right to rectification: at the request of the data subject, the data controller shall correct, rectify or supplement his/her personal data (Article 16 of the GDPR; Section 14 of the Info Act);

Right to restriction of data processing: at the request of the data subject, the data controller shall restrict the processing of his/her personal data (Article 18 of the GDPR; Section 14 of the Info Act);

Right to erasure: at the request of the data subject, the data controller shall erase his/her personal data (Article 17 of the GDPR; Section 14 of the Info Act); Right to be forgotten (GDPR (66));

Right to object: the data subject may object to the processing of his/her data (GDPR Article 21; GDPR (69));

Right to data portability: the data subject shall receive his/her data in a structured, transparent format for the purpose of transmitting them to another data controller (GDPR Article 20).

13.1. Right to information

The Data Subject has the right to receive information about the facts related to the data processing regarding his/her personal data processed by the Service Provider before the start of the data processing. Given that the Data Subject provides his/her personal data to the Service Provider himself/herself, the Service Provider complies with its information obligation pursuant to Article 13 of the GDPR with this Notice.

13.2. Right of access (Article 15 of the GDPR)

13.2.1. The Data Subject shall have the right to request information at any time as to whether or not personal data concerning him or her are being processed and, in relation to such personal data processing, about

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) in the event of a transfer, the recipients/categories of recipients, including recipients in third countries and international organisations, in which case the safeguards;

(d) the intended period for which the personal data will be stored or, where that is not possible, the criteria for determining that period;

(e) the right of the data subject to obtain from the controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such data;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the data were not collected from the data subject, all available information on their source;

(h) the fact of automated decision-making, including profiling (this point is not relevant for the Service Provider).

(i) Information about the data processor (based on the Info Act).

13.2.2 The Data Subject has the right at any time to request the Service Provider to correct, delete or restrict the processing of personal data concerning him or her, and may object to the processing of such personal data. Refusal or restriction of access may be justified and lawful in certain specifically named cases, but these mostly fall within the scope of authority and will likely be irrelevant for the Service Provider.

13.2.3 The first copy is free of charge, and the data controller may charge a reasonable administrative fee for additional copies requested. The right to request a copy may not adversely affect the rights and freedoms of others.

13.3. Right to rectification and completion (Article 16 of the GDPR)

13.3.1. The Data Subject shall have the right to obtain from the Controller, upon request, the rectification of inaccurate Personal Data concerning him or her without undue delay. Taking into account the purpose of the processing, the Data Subject shall have the right to request the completion of incomplete Personal Data, including by means of a supplementary statement.

13.4. Right to restriction of data processing (Article 18 GDPR)

13.4.1 In the event of exercising the right to restrict data processing, the Service Provider shall not delete the personal data, but shall not carry out any other data processing operations beyond storage.

13.4.2. Personal data subject to data processing restrictions may only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the European Union or a Member State.

(a) the accuracy of the personal data is contested by the Data Subject, in which case the restriction shall apply for a period enabling the Service Provider to verify the accuracy of the personal data;

(b) the data processing is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use instead;

(c) the Service Provider no longer needs the personal data for the purposes of the data processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims;

(d) the Data Subject has objected to the processing pursuant to Article 21(1) of the GDPR and time is required to examine whether there are overriding legitimate grounds for the processing. In this case, the restriction shall apply for the period until it is established whether there are overriding legitimate grounds for the processing, i.e. whether the legitimate grounds of the Service Provider for the retention and processing of the data override the legitimate grounds of the Data Subject for erasure.

13.4.3 In the event of restriction of data processing, the Service Provider shall inform the Data Subject in advance of the lifting of the restriction in the same form and manner as the Data Subject requested the restriction of data processing.

13.4.4 The Service Provider shall inform all recipients to whom the personal data has been disclosed of the rectification, erasure or restriction of processing requested by the Data Subject and implemented by the Service Provider, unless this proves impossible or requires a disproportionate effort. Upon the request of the Data Subject, the Service Provider shall inform the Data Subject of the recipients it has informed in accordance with the foregoing.

13.5. Right to erasure of personal data (“right to be forgotten”) (Article 17 GDPR)

13.5.1. The Data Subject may at any time request the Service Provider to delete his/her personal data, which request the Service Provider is obliged to comply with if one of the following reasons applies:

(a) the personal data is no longer necessary for the purpose for which the Service Provider collected or otherwise processed them;

(b) the Data Subject has withdrawn his/her consent on which the data processing is based and there is no other legal basis for the data processing;

(c) the Data Subject objects to the processing of the data by the Service Provider based on public interest or legitimate interest pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the data processing, or objects to the processing for direct marketing purposes pursuant to Article 21(2) of the GDPR;

(d) the personal data have been unlawfully processed by the Service Provider;

(e) the personal data must be erased for compliance with a legal obligation to which the Service Provider is subject under Union or Member State law;

(f) the personal data were collected in connection with the provision of information society services referred to in Article 8(1) of the GDPR.

13.5.2 The data shall not be erased if the processing is necessary:

(a) for the exercise of the right to freedom of expression and information;

(b) for compliance with an obligation to which the Service Provider is subject under law (e.g. tax and accounting obligations) to process the personal data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Service Provider;

(c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

(d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, where the right to erasure would likely render impossible or seriously jeopardise such processing; or

(e) for the establishment, exercise or defence of legal claims.

13.6 Right to object (Article 21 GDPR)

13.6.1 The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data for reasons of public interest or for the purposes of the legitimate interests pursued by the Service Provider or a third party (Article 6 (1) (e) and (f) GDPR).

13.6.2 In such a case, the Service Provider shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

13.7 Right to data portability (Article 20 GDPR)

13.7.1 Given that the Service Provider also stores the Data Subject’s data in an electronic database, the Data Subject has the right to receive the personal data concerning him or her, which he or she has provided to the Service Provider, in a structured, commonly used and machine-readable format and to transmit these data to another data controller without hindrance from the Service Provider. The Data Subject has the right to data portability in respect of data the processing of which is based on the Data Subject’s consent (Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR) or the performance of a contract (Article 6(1)(b) of the GDPR). If the Data Subject requests the direct transmission of personal data between data controllers, the Service Provider shall indicate whether this is technically feasible.

14. Enforcement of the Data Subject’s rights, submitting a request, contacting the Service Provider, complaints, data protection incident

14.1 Service Provider’s measures

14.1.1 The Service Provider shall take the following measures – in accordance with the law – to facilitate the exercise of the rights of the data subjects:

(a) take appropriate technical and organizational measures;

(b) provide the information provided to the data subjects in an easily accessible and legible form, concise, clear and intelligible;

(c) may request credible verification of the identity of the submitter if there are reasonable grounds to assume that the person submitting the request is not the data subject;

(d) provide the exercise of the data subject’s rights free of charge unless the data subject’s request is clearly unfounded or – in particular due to its repetitive nature – excessive. The burden of proof shall be on the Service Provider. In such a case:

it may charge a reasonable fee or

refuse to take action based on the request.

14.1.2 The Service Provider shall fulfill the request submitted by the Data Subject as soon as possible, but shall decide on it within 25 days at the latest, and shall notify the Data Subject of the decision in writing (or, if submitted electronically, electronically). This deadline may be extended by 2 months in justified, complicated cases, with the Data Subject being notified within 25 days, stating the reason.

14.2 Right to legal remedy, information on legal remedies

14.2.1 Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

(a) Without prejudice to other administrative or judicial remedies, the Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of personal data concerning him or her infringes the provisions of the GDPR.

(b) The Data Subject may contact the following authority as the supervisory authority:

NAIH – National Authority for Data Protection and Freedom of Information

1530 Budapest, Pf.: 5.

1125 Budapest, Szilágyi Erzsébet fasor 22/c

phone: +36 (1) 391-1400; e-mail: ugyfelszolgalat@naih.hu

website: https://naih.hu

(c) The supervisory authority to which the Data Subject has lodged a complaint shall inform the Data Subject, as a customer, of the progress of the procedure relating to the complaint and its outcome, including the right of the Data Subject to a judicial remedy pursuant to Article 78 of the GDPR.

14.2.2 Right to an effective judicial remedy against a supervisory authority (Article 78 of the GDPR)

(a) Without prejudice to other administrative or non-judicial remedies, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.

(b) Proceedings against the supervisory authority shall be brought before the court of the Member State in which the supervisory authority is established (in Hungary, the Metropolitan Administrative and Labour Court has jurisdiction and competence for proceedings against the National Data Protection and Freedom of Information Authority).

14.2.3 Right to an effective judicial remedy against the Service Provider or the data processor (Article 79 of the GDPR)

(a) In addition to and without prejudice to the available administrative or non-judicial remedies, the Data Subject may enforce his or her rights to the protection of his or her personal data before a civil court – the court competent for the place of the Controller’s establishment or (at his or her choice) the court competent for his or her place of residence or, failing that, his or her place of residence – if, in his or her opinion, the Service Provider has not processed his or her personal data in accordance with the GDPR and has consequently infringed his or her rights under the GDPR.

(b) The proceedings shall be initiated before the court of the Member State in which the Service Provider is established, i.e. Hungary. The proceedings may also be initiated before the court of the Member State in which the Data Subject has his habitual residence (if this is not the same as Hungary).

14.3 Informing the Data Subject about the data breach (Article 34 of the GDPR)

14.3.1 If the data breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the Service Provider shall inform the Data Subject of the data breach without undue delay. This notification shall describe the nature of the data breach in a clear and intelligible manner and shall include at least the following information and measures:

(a) the name and contact details of the data protection officer or other contact person who can provide further information;

(b) the likely consequences of the data breach;

(c) the measures taken or planned by the controller to remedy the data breach, including, where applicable, measures to mitigate any adverse consequences resulting from the data breach.

14.3.2 The Data Subject shall not be required to be informed of a data breach if any of the following conditions are met:

(a) the Service Provider has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data breach, in particular measures such as the use of encryption that render the data unintelligible to persons not authorised to access the personal data;

(b) the Service Provider has taken additional measures following the data breach to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise in the future;

(c) the notification would involve a disproportionate effort.

14.3.3 In the above cases, the Data Subject shall be informed by means of publicly published information or a similar measure shall be taken that ensures that the Data Subject is informed in an equally effective manner.

14.3.4 In the event of exercising the rights of the Data Subject, the request should be submitted, if possible, i) in writing, by post, ii) in person to the registered office of the Service Provider or iii) by e-mail to the e-mail address of the Service Provider (as specified in point 6 above).

Annex

Data Processors used in the processing of personal data

Data processor

WineHub Holding Kft. (1036 Budapest, Fényes Adolf utca 24-26.)

Codebuild Kft. (9023 Győr, Szigethy Attila út 61. 3. em. 7.)

DPD Hungary Kft. (1134 Budapest, Váci út 33. 2. emelet)

Raiffeisen Bank Zrt. (1133 Budapest, Váci út 116-118.)

Laurus Magyarország Kft. (1054 Budapest, Kálmán Imre utca 1.)