For PURCHASES in the webshop:
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the related laws and regulations of the Member States, the Controller provides the following information on the processing of personal data of natural persons with regard to purchases in the webshop.
The webshop sells alcoholic beverages. Pursuant to Section 16/A of Act CLV of 1997 on Consumer Protection, selling alcoholic beverages to persons under the age of eighteen is prohibited. Consequently, we draw the Data Subjects’ attention to the fact that if they are under 18 years old, they are not entitled to use the webshop.
Name: Etyeki Kúria Kft.
Address: H-2091 Etyek, Báthori Street 21.
Representative of Controller: László Babarczi
Controller’s contact details with regard to data privacy: firstname.lastname@example.org
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Third country: any country which is not an EEA state
2. Purpose of processing
2.1 Conclusion of contract, scope of performance
Identification of the Data Subject, differentiation from other clients, users and interested parties,
Facilitating purchases in the webshop,
Conclusion of contracts, defining content, modification, performance, monitoring of performance,
Collecting total cost of product, enforcement of Controller’s contractual claims,
Invoicing obligation of the Controller, fulfilment of tax law and accounting obligations,
Sending confirmation in connection with the services, sending system message(s),
Correspondence, notifications, disclaimers in connection with performance,
Sending notification with regard to the delivery of product,
Identifying recipients of discounts, checking conditions for providing discounts, enforcement of discount by Data Subject,
Performance of Controller’s obligations, exercising its rights,
Enforcing and protecting the Controller’s rights and claims,
Handling complaints, reviewing claims related to warranty of material defects and product warranty, legal protection against resultant claims.
2.2. Processing for marketing purposes
(in particular: maintaining contact, measuring client satisfaction, conducting questionnaires to develop services, creating databases, contacting people about new or renewed services with the purpose of direct business acquisition and for marketing purposes, sending out invitations to events, preparing analyses, statistics, service development)
2.3. Camera surveillance
Safety of the controller’s premises,
Protecting the Controller’s assets, the health and safety of its employees and visitors and safeguarding their assets,
Prevention of potential accidents, circumstances of crimes, legal infringements, investigating and proving them
3. Scope of processed data:
The data controlled by the Company may be classified into the following groups based on the processing purpose:
3.1. Data necessary to conclude contract: the Data Subject’s family name, surname, address, telephone number, email address, method for receiving product, payment details (in particular: payment method, payment tool, bank account number, details on discount), details of the ordered product, delivery address of product, data related to potential complaints
3.2. Data necessary for fulfilment of contract
3.2.1. Delivery data: Customer’s name, telephone number, email address, method for receiving product, payment method, product type, product quantity, total cost of product (purchase price and delivery fees and costs in total), delivery address, identification of recipient (showing ID), name of recipient, signature, data on any complaints
3.2.2. Data on issuance of invoices: in fulfilling the contract the Company processes payment and invoicing details. In particular, invoice data (Customer’s name, address, issuance and performance date of the invoice, order number, type, quantity, price, delivery fee and due date of ordered product, discount details).
3.2.3. Processing data related to invoice payment: payment method, payment tool, bank account number, bank card payment details.
3.3. Communication for marketing purposes: The Controller processes the Data Subjects’ names and email addresses for marketing communication purposes. The legal basis for processing is the Data Subject’s consent and the primary aim of the processing is contact for marketing purposes, providing information, newsletters or direct communication pursuant to Section 6 (1) of Act XLVIII of 2008.
3.4. Camera surveillance data: in the Wine Bar the Controller conducts camera surveillance, recording images and video images of natural persons without sound.
4. Legal basis for processing:
4.1. For the conclusion and performance of a contract the data defined in Sections 3.1 and 3.2.1 must be processed in accordance with Article 6 (1) b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Providing data is a condition for concluding and fulfilling the contract. Failure to provide the data may result in the Controller not being able to complete the order.
4.2. The processing of the data defined in Sections 3.1, 3.2.1 and 3.2.3 is necessary to enforce the Controller’s or a third party’s legitimate interest in accordance with Article 6 (1) f) of the GDPR: The Controller and the courier used by the Controller have a legitimate interest in enforcing their claims against the Buyer (in particular with regard to purchase price, delivery fee, compensation), in reviewing customer complaints, claims on warranty of material defects, product warranty and consumer arguments, in proving contractual performance, receiving legal protection against claims and enforcing their resultant claims, in preventing bank card fraud, and settling accounts with the bank card provider.
4.3. The processing of the data defined in Section 3.4 is necessary to enforce the Controller’s or a third party’s legitimate interest in accordance with Article 6 (1) f) of the GDPR: The Controller and any people on the Controller’s premises have a legitimate interest in the safety of the people and equipment there, as well as in preventing and proving legal infringements, accidents, offences and crimes.
4.3. Data on invoicing and on payment of the total cost must be processed for the performance of the Controller’s legal obligations (tax law and accounting) as defined in Section 3.2.2 herein, in accordance with Article 6 (1) f) of the GDPR.
4.4. The processing of the data for marketing purposes as outlined in Section 3.3 is based on the data subject’s consent in accordance with Article 6 (1) a) of the GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before the withdrawal.
The Controller does not carry out profiling.
5. Term of processing
The Controller shall process the Data Subject’s data for the following terms:
invoicing data and documents subject to retention pursuant to the Act on Accounting, in particular accounting documents directly or indirectly supporting bookkeeping (including general ledgers, sub-ledgers and detailed records) for 8 years (Section 169 (1)-(3) of the Act on Accounting)
personal data defined in the Act on Rules of Taxation such as certificates of performance, for 5 years from the last day of the calendar year in which the tax is due (Section 78 (3)-(4) of the Act on Rules of Taxation),
data necessary for the conclusion and performance of a contract concluded with the Data Subject (pursuant to Chapter 3 a), b) XXXXX) until the claim on the warranty of material defects or product warranty expires,
in the case of processing based on consent: until consent is withdrawn, but no longer then the period defined in the consent,
in the case of processing based on legitimate interest: until the Data Subject’s objection (if the Data Subject’s interest, fundamental rights and freedoms override those of the Controller’s), but no longer than until the claims related to processing based on legitimate interest expire.
in the case of camera surveillance, for no longer than 3.5 months from making the recording.
6. Information on using processor(s), people entitled to forward data
The Controller does not forward the Data Subject’s personal data to third countries or international organisations.
During processing the Controller forwards the data to processors contracted with the Controller to fulfil the contract: courier company, IT operators, web storage providers, web content designer, accounting service providers, internet payment service provider.
The Controller uses Google Analytics to monitor website statistics, user demographics, users’ interests and conduct on the website. Furthermore, the Organisation uses Google Search Console for search engine optimisation on the website and for measuring user satisfaction. Google makes it possible to restrict the use of analytical services. Visit the Google page to opt out from Google Analytics using the data.
7. People entitled to access data
Recorded data may only be accessed by the Controller’s employees and the designated employees of the processor(s). The Controller will not transfer the accessed data to third parties other than the processor(s) listed in point 6.
Camera recordings may only be accessed by the designated employees of the Controller and the processor(s) as well as the Data Subject. Recordings of the electronic surveillance system may be accessed by the IT operator and the Controller’s authorised representative. At its own request, the Data Subject may access only the recordings made of him-/herself in the presence of one of the above-mentioned persons. Access must always be requested in writing. The Data Subject must provide proof of being a data subject and identify him-/herself for the Controller.
8. Common rules for exercising data subject rights, rights of data subjects
8.1. Common rules for exercising data subject rights
The Controller facilitates the exercise of data subject rights under Articles 15 to 22 of the GDPR. The Controller may refuse a request from the Data Subject on exercising his or her rights, unless the Controller demonstrates that it is not in a position to identify the Data Subject.
To fulfil the request, the Controller must verify that the party making the request is a Data Subject and check their identification.
The management shall provide information in writing using clear and plain language on the action taken regarding the Data Subject’s request without undue delay, and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.
Where the Controller has reasonable doubts concerning the identity of the natural person exercising their right as the Data Subject, the Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.
Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller, while taking into account the administrative costs of providing the information or communication or taking the action requested, may:
- a) charge a reasonable fee, or
- b) refuse to act on the request. It must justify any refusal.
The Controller may refuse to act on the request if it demonstrates that it is not in a position to identify the data subject.
8.2. Rights of data subjects
8.2.1. Right of access by the Data Subject
The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the information as per Article 15 of the GDPR.
8.2.2. Right to rectification
The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.2.3. Right to erasure (“right to be forgotten”)
The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- b) the Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- c) the Data Subject objects to the direct processing with the purpose of acquiring business, or to the processing, and there are no overriding legitimate grounds for the processing,
- d) the personal data have been unlawfully processed;
- e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- f) the personal data have been collected in relation to information society services offered directly to children.
The right to erasure may not be enforced if the processing is necessary
- a) for exercising the right of freedom of expression and information;
- b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- c) on grounds of public interest affecting areas of public health;
- d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- e) for the establishment, exercise or defence of legal claims.
8.2.4. Right to restriction of processing
The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
- a) the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
- b) the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- d) the Data Subject objects to the processing in the case of processing based on legitimate interest.
8.2.5. Right to data portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:
- a) the processing is based on consent or a contract, and
- b) the processing is carried out by automated means.
8.2.6. Right to object
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1) f) of the GDPR. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
8.2.7. Right of complaint, enforcing claims in front of a court
The Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of personal data relating to him or her infringes the GDPR, or to enforce his or her claim in front of a court.
Contact details of supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, P.O. Box: 5
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Etyek, 4 September 2020
Etyeki Kúria Kft.