PRIVACY POLICY

Description of data processing in the operation of the webshop
This document contains all relevant information on data processing in connection with the operation of the webshop in accordance with the European Union's General Data Protection Regulation 2016/679 (hereinafter: Regulation, GDPR) and the provisions of Act CXII of 2011. (hereinafter: Infotv.).

​

Information on the use of cookies
What is a cookie?

The Data Controller uses so-called cookies when you visit the website. A cookie is a set of information consisting of letters and numbers that our website sends to your browser in order to save certain settings, facilitate the use of our website and help us to collect some relevant statistical information about our visitors.
Some of the cookies do not contain any personal information and cannot be used to identify an individual user, but some of them contain a unique identifier - a secret, randomly generated sequence of numbers - that is stored on your device, thus ensuring your identification. The duration of each cookie is described in the relevant description of each cookie.

Legal background and legal basis of cookies:
The legal basis for processing is your consent pursuant to Article 6(1)(a) of the Regulation.

Main characteristics of the cookies used by the website:
Shopping cart cookie. Cookies: Cookies used to store shopping cart cookies.
Smart offer cookie: records the conditions under which smart offers are displayed (e.g. whether the visitor has been on the site before, whether he has placed an order). Lifetime of 30 days.
If you do not accept the use of cookies, certain functions will not be available to you. For more information on how to delete cookies, please click on the links below:
Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-11

Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

Mozilla: https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito

Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

Chrome: https://support.google.com/chrome/answer/95647

Edge: https://support.microsoft.com/hu-hu/help/4027947/microsoft-edge-delete-cookies


​

Data processed for the purposes of contracting and performance
There may be more than one processing operation for the purposes of contracting and performance. Please note that data processing in relation to complaint handling and warranty management will only take place if you exercise one of these rights.
If you do not make a purchase through the webshop, but are only a visitor to the webshop, the processing for marketing purposes may apply to you if you give us your consent for marketing purposes.
For more details on processing for the purposes of contracting and performance:

​

Order processing
When processing orders, processing activities are necessary for the performance of the contract.
Data processed The Data Controller processes your name, address, telephone number, e-mail address, the characteristics of the product purchased, the order number and the date of purchase.
If you have placed an order in the webshop, the processing and the provision of the data are necessary for the performance of the contract.
Duration of processing The data will be processed for 5 years in accordance with the statute of limitations under civil law.
Legal basis for processing The performance of the contract [processing pursuant to Article 6(1)(b) of the Regulation].

​

Issue of the invoice
The processing is carried out in order to issue a legally compliant invoice and to fulfil the obligation to keep accounting records. Pursuant to Article 169 (1) to (2) of the Act, companies are required to keep accounting documents which directly and indirectly support the accounting.
Data processed Name, address, e-mail address, telephone number.
Duration of data processing Invoices issued must be kept for 8 years from the date of issue of the invoice pursuant to Section 169 (2) of the Act.
Legal basis for processing Pursuant to Article 159 (1) of Act CXXVII of 2007 on Value Added Tax, the issue of invoices is mandatory and must be kept for 8 years pursuant to Article 169 (2) of Act C of 2000 on Accounting [processing pursuant to Article 6 (1) (c) of the Regulation].

Processing of data relating to the transport of goods
The data processing is carried out for the purpose of the delivery of the ordered product.
Data processed Name, address, e-mail address, telephone number.
Duration of processing The Data Controller processes the data for the duration of the delivery of the ordered goods.
The legal basis for processing is the performance of a contract [processing pursuant to Article 6(1)(b) of the Regulation].

​

Recipients and processors of data processing related to the transport of goods
Name of the recipient:GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
The address of the recipient is: 2351 Alsónémedi, GLS Európa u. 2.
Telephone number of the recipient: 06-29-88-67-00
E-mail address of the addressee: info@gls-hungary.com
Addressee's website: https://gls-group.eu/HU/hu/home
The courier service will assist in the delivery of the ordered goods on the basis of a contract with the Data Controller. The courier service will process the personal data received in accordance with the Privacy Policy available on its website.


Name of the recipient: DPD Hungária Kft.
Address of the recipient: 1158 Budapest, Késmárk utca 14. B. ép.
Phone number of the recipient: +36-1/501-6200
E-mail address of the addressee: dpd@dpd.hu
Addressee's website: https://www.dpd.com/hu/
The courier service will assist in the delivery of the ordered goods on the basis of a contract with the Data Controller. The courier service will process the personal data received in accordance with the Privacy Policy available on its website.


Name of the recipient: FoxPost Zártkörűen Működő Részvénytársaság
The address of the recipient is: 3200 Gyöngyös, Batsányi János utca 9.
Phone number of the addressee: +36 1/999-0-369
E-mail address of the addressee: info@foxpost.hu
Website of the addressee: foxpost.hu
The courier service will assist in the delivery of the ordered goods on the basis of a contract with the Data Controller. The courier service will process the personal data received in accordance with the Privacy Policy available on its website.


Data processed in relation to the justification of consent
During the registration, ordering, newsletter subscription, the IT system stores the IT data related to the consent for the purposes of subsequent verifiability.
Data processed Date of consent and IP address of the data subject.
Duration of data processing Due to legal requirements, consent must be able to be verified at a later date, therefore the duration of data storage is stored for a period of limitation after the termination of data processing.
Legal basis for processing Article 7(1) of the Regulation imposes this obligation. [Processing under Article 6(1)(c) of the Regulation]

​

Processing for marketing purposes
Processing in relation to the sending of newsletters
The processing is carried out for the purpose of sending out newsletters.
Data processed Name, address, e-mail address, telephone number.
Duration of processing Until the withdrawal of the data subject's consent.
Legal basis for processing Your voluntary consent, which you give to the Data Controller by subscribing to the newsletter [processing pursuant to Article 6(1)(a) of the Regulation]
 

Other data processing
If the Data Controller intends to carry out further processing, it shall provide prior information on the essential circumstances of the processing (legal background and legal basis of the processing, purpose of the processing, scope of the data processed, duration of the processing).
You will be informed that written requests for data from public authorities based on a legal mandate must be complied with by the Data Controller. The Data Controller shall keep records of data transfers in accordance with Article 15 (2) to (3) of the Data Protection Act (to which authority, what personal data, on what legal basis, when the Data Controller transferred the data), the content of which the Data Controller shall provide information on request, unless the provision of information is excluded by law.

Recipients of personal data
Processing for the purpose of storing personal data
Name of the data processor: NAVONA fashion
Contact details of the data processor:
Phone number: +36209511939
E-mail address: navona@navona-fashion.com
1035 Budapest Ányos u 4.-10.
Website: https://navona-fashion.com/
10.10.A. 10.10.A. At 1010 Amyos, Hungary, 10.10.A. at 10.10. The Data Processor stores personal data on the basis of a contract with the Data Controller. The Processor is not entitled to access the personal data.

​

Data processing activities related to the sending of newsletters
The company operating the mailing system is called The Rocket Science Group LLC.
The company operating the mailing system is located at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA
Phone number of the company operating the mailing system:
E-mail address of the company operating the mailing system: privacy@mailchimp.com
Website of the company operating the mailing system: mailchimp.com
The Data Processor is contracted by the Data Controller to assist in the sending of newsletters. In doing so, the Data Processor processes the name and e-mail address of the data subject to the extent necessary to send the newsletter.

​

Your rights in the processing
For the duration of the processing, you have the following rights under the Regulation:
the right to withdraw your consent

access to personal data and information relating to the processing

the right to rectification

restriction of processing,

the right to access to personal data and to obtain information on the processing of personal data, including the right to access to personal data

right to object

the right to portability.


​

If you wish to exercise your rights, this will involve your identification and the Data Controller will need to communicate with you. For this purpose, identification will require the provision of personal data (but identification may only be based on data that the Controller already holds about you) and your complaints about the processing will be available on the Controller's email account for the period of time specified in this notice in relation to complaints. If you have been a customer of ours and would like to be identified for the purposes of complaint handling or warranty handling, please also provide your order ID for identification purposes. We can use this to identify you as a customer.
Complaints about data processing will be answered by the Data Controller within 30 days at the latest.

​

Right to withdraw consent
You have the right to withdraw your consent to data processing at any time, in which case the data will be deleted from our systems. However, please note that in the case of an outstanding order, withdrawal may result in our inability to deliver to you. In addition, if the purchase has already been made, we may not be able to delete the billing data from our systems under accounting regulations, and if you have a debt to us, we may process your data in the event of withdrawal of consent on the basis of a legitimate interest in the recovery of the debt.

​

Access to personal data
You have the right to receive feedback from the Data Controller as to whether your personal data is being processed and, if it is being processed, you have the right to:
to have access to the personal data processed; and

to be informed by the Controller of the following information:
the purposes of the processing;

the categories of personal data processed concerning you; and

information about the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed by the Controller;

the envisaged period of storage of the personal data or, where this is not possible, the criteria for determining that period;

your right to obtain from the Controller the rectification, erasure or restriction of the processing of personal data concerning you and, where the processing is based on legitimate interests, to object to the processing of such personal data;

the right to lodge a complaint with a supervisory authority;

if the data have not been collected from you, any available information about their source;

the fact of automated decision-making (where such a process is used), including profiling, and, at least in these cases, clear information on the logic used and the significance and likely consequences for you of such processing.

The purpose of exercising the right may be to ascertain and verify the lawfulness of the processing, and the Controller may charge reasonable compensation for providing the information in return for repeated requests for information.
Access to personal data shall be ensured by the Controller by sending you, by email, the personal data and information processed, after you have identified yourself. If you are registered, access will be provided so that you can view and verify the personal data processed about you by logging into your account.
Please indicate in your request whether you are requesting access to personal data or information about data processing.

 

Right to rectification
You have the right to have inaccurate personal data relating to you corrected by the Data Controller without delay upon your request.

​

Right to restriction of processing
You have the right to obtain from the Controller, at your request, the restriction of processing if one of the following conditions is met:
You contest the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data, if the accuracy of the data can be established immediately, the restriction shall not apply;

the processing is unlawful, but you object to the erasure of the data for any reason (for example, because the data are important to you for the purposes of pursuing a legal claim) and therefore do not request the erasure of the data but instead request the restriction of their use;

the Controller no longer needs the personal data for the purposes for which they are processed, but you require them for the establishment, exercise or defence of legal claims; or

you have objected to the processing, but the Controller may have a legitimate interest in the processing, in which case, until it is established whether the legitimate grounds of the Controller prevail over your legitimate grounds, the processing should be restricted.

Where processing is subject to restriction, such personal data, except for storage, may only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
The controller shall inform you in advance (at least 3 working days before the restriction is lifted) of the lifting of the restriction on processing.

​

Right to erasure - right to be forgotten
You have the right to obtain from the Controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Controller;

You withdraw your consent and there is no other legal basis for the processing;

You object to the processing based on legitimate interest and there is no overriding legitimate ground (i.e. legitimate interest) for the processing,

the controller has unlawfully processed the personal data and this has been established on the basis of the complaint,

the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Controller.

If the Controller has disclosed personal data processed about you for any lawful reason and is required to delete it for any of the reasons set out above, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform other controllers that have processed the data that you have requested the deletion of the links to or copies of the personal data in question.
Deletion does not apply where the processing is necessary:
for the exercise of the right to freedom of expression and information;

to comply with an obligation under Union or Member State law that requires the controller to process personal data (such as processing in the context of invoicing, where the storage of the invoice is required by law) or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;

for the establishment, exercise or defence of legal claims (e.g. where the Controller has a claim against you and has not yet settled it, or in the course of dealing with a consumer complaint or a complaint about data processing).


​

Right to object
You have the right to object to the processing of your personal data based on legitimate interests at any time on grounds relating to your particular situation. In such a case, the Controller may no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, where it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data may no longer be processed for those purposes.

​

Right to portability
If the processing is automated or if the processing is based on your voluntary consent, you have the right to request the Data Controller to receive the data you have provided to the Data Controller, which the Data Controller will make available to you in xml, JSON or csv format, and if technically feasible, you may request that the Data Controller transfer the data in this format to another controller.

​

Automated decision-making
You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning you or similarly significantly affects you. In such cases, the controller must take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.
The above shall not apply where the decision:
necessary for the conclusion or performance of a contract between you and the controller;

it is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect your rights and freedoms and legitimate interests; or

is based on your explicit consent.



Registration in the data protection register
Under the provisions of the Data Protection Act, the Controller was required to notify certain of its processing to the Data Protection Register. This notification obligation ceased as of 25 May 2018.

Data security measures
The Data Controller declares that it has implemented appropriate security measures to protect personal data against unauthorised access, alteration, disclosure, transmission, disclosure, erasure or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.
The Data Controller will make every effort to ensure that its Data Processors also take appropriate data security measures when working with your personal data, as far as organisational and technical feasibility allows.

​

Legal remedies
If you believe that the Data Controller has violated a legal provision on data processing or has failed to comply with a request, you may initiate an investigation procedure with the National Authority for Data Protection and Freedom of Information (postal address: 1363 Budapest, Pf. 9., e-mail: ugyfelszolgalat@naih.hu).
You are also informed that in case of violation of the legal provisions on data processing or if the Data Controller has not complied with any of your requests, you may bring a civil action against the Data Controller before a court. 

​

Amendment of the Privacy Notice
The Data Controller reserves the right to amend this Privacy Notice in a way that does not affect the purpose and legal basis of the processing. By using the website after the amendment has entered into force, you accept the amended privacy notice.
If the Data Controller wishes to carry out further processing of the data collected for purposes other than those for which they were collected, it will inform you of the purposes of the processing and the information below before carrying out the further processing:
the duration of the storage of the personal data or, where this is not possible, the criteria for determining the duration;

the right to request the Controller to access, rectify, erase or restrict the processing of personal data concerning you and, in the case of processing based on legitimate interest, to object to the processing of personal data and, in the case of processing based on consent or a contractual relationship, to request the right to data portability;

in the case of processing based on consent, that you may withdraw your consent at any time,

the right to lodge a complaint with a supervisory authority;

whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract, whether you are under an obligation to provide the personal data and the possible consequences of not providing the data;

the fact of automated decision-making (where such a process is used), including profiling, and, at least in these cases, clear information about the logic used and the significance and likely consequences for you of such processing.

Processing may only start thereafter, if the legal basis for the processing is consent, to which you must give your consent in addition to the information.