External data protection rules and information on data processing
These External Data Protection Regulations and Data Management Information (hereinafter: the Regulations) form an inseparable part of the General Terms and Conditions (hereinafter: GTC) in accordance with Clause 10 of the GTC.
I. General Provisions
I.1. For SHOEBOX Kereskedelmi Korlátolt Felelősségű Társaság (registered office: 2142 Nagytarcsa, Nyár utca 4., tax number: 12318847-2-44, contact details: tel.: +36 70 935 00 00, e-mail address: firstname.lastname@example.org, registry court: Registry Office of the Budapest District Court, company registration number: 13-09-212372, NAIH registration number: NAIH-64278/2013, hereinafter: Operator), as operator of the website www.officeshoes.hu (hereinafter: Website), it is of key importance to protect the personal data provided by visitors, orderers and registrants on the Website, as well as by persons visiting the Operator's sales premises (hereinafter: User), during registration / order / electronic information request by the User / stay in the sales premises, and to ensure the Users' right to informational self-determination in the manner set forth in these Regulations.
You can buy a wide range of products online through the Website. The Operator handles the data received during the identification of the Users for the purpose of fulfilling the orders placed by them. The Operator is the data controller of all data that qualifies as personal data and is uploaded by the Users during the visit to the Website or during the use of any of the Services of the Website.
The Operator manages the personal data of the Users in full compliance with the relevant legal regulations, which contributes to the creation of secure Internet access for the Users.
The Operator shall handle the personal data of the Users confidentially, in accordance with the legal regulations in force, in particular Act CXII of 2011 on the right to informational self-determination and freedom of information and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: GDPR). It ensures the safety of the data, takes the technical and organizational measures and establishes the procedural rules necessary to enforce the relevant legal provisions and other recommendations.
I.2. These Regulations summarize the principles that define the Operator's personal data protection policy and daily practice, and present the services in the course of which the Operator requests personal data from the Users of the Website. Within the framework of the Regulations, the Operator declares for what purpose and how it uses such data and how it ensures the retention and protection of personal information.
I.3. During the development of the Regulations, the Operator has taken into account the relevant legal regulations in force and the most important international recommendations, in particular the following:
- Act CXII of 2011 on the right to informational self-determination and freedom of information;
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
- Annex VI to the Strasbourg Convention of 28 January 1981 on the Protection of Individuals with regard to Automatic Processing of Personal Data;
- Act CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition;
- Act C of 2003 on Electronic Communications;
- Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activity (Grt.);
- recommendations, resolutions and data protection practices of the Data Protection Commissioner.
I.4. Upon the request of the Users, the Operator shall in all cases provide detailed information on the processed personal data, the purpose, legal basis, duration of the data processing and the activities related to the data processing, in accordance with the content of their request.
The Operator handles only such personal data, the recording of which is necessary in order to quantify the visit to the Website, to exercise its rights in its legal relationship with the Users, to fulfill its obligations, to communicate with them, and to make direct business transactions with the Users.
II. Concepts and key principles related to the processing of personal data
II.1.1. Data management: any operation or set of operations on data, regardless of the procedure used, in particular their collection, recording, systematisation, storage, alteration, use, interrogation, transmission, disclosure, coordination or linking, blocking, deletion and destruction, as well as preventing further use of the data, taking photographs and making sound or image recordings, and recording physical characteristics capable of identifying the person (e.g. fingerprint or palm print, DNA sample, iris image).
II.1.2. Data transfer: making the data available to a specific third party.
II.1.3. Data controller: a natural or legal person or an organization without legal personality who, alone or together with others, determines the purpose of data processing, makes and implements decisions on data processing (including the means used) or implements it with the data processor.
II.1.4. Data subject: Any natural person identified or identifiable, directly or indirectly, on the basis of personal data.
II.1.5. Personal data: data which can be associated with the data subject, in particular the data subject's name, identification mark and one or more pieces of information characteristic of his or her physical, physiological, mental, economic, cultural or social identity, and any conclusion about the data subject that can be drawn from the data.
II.1.6. Data protection incident: Unlawful handling or processing of personal data, in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction and damage.
II.1.7. Profiling: any form of automated processing of personal data in which personal data are used to assess certain personal characteristics of a natural person, in particular to analyze or predict performance, economic status, health, personal preferences, interests, reliability, behavior, location or movement.
II.1.8. Pseudonymisation: the processing of personal data in such a way that it is no longer possible to determine to which specific natural person the personal data relate without the use of additional information, provided that such additional information is stored separately and technical and organizational measures are taken to ensure that this personal data may not be linked to identified or identifiable natural persons.
II.2.1. Legality, fairness and transparency
Personal data may only be processed for a specific purpose, in order to exercise a right and fulfill an obligation. The recording and processing of data must be fair and lawful.
Personal data may be processed if the data subject consents to it, or if it is ordered by law or, on the basis of the authorization of law and within the scope specified therein, by a decree of a local government for a purpose based on the public interest (hereinafter: mandatory data processing).
Data management must meet its purpose at every stage.
II.2.3. Data minimisation
Only personal data that is necessary for the realization of the purpose of data processing and suitable for the achievement of the purpose may be processed.
The data controller is obliged to take measures to ensure the accuracy (correctness) of the data processed by him.
II.2.5. Limited storage
Personal data may only be processed to the extent and for the time necessary to achieve the purpose.
Personal data must be deleted if its processing is illegal; the person concerned requests; incomplete or incorrect - and this condition cannot be legally remedied - provided that cancellation is not precluded by law; the purpose of data processing has ceased or the term for the storage of data specified by law has expired; it was ordered by a court or the National Data Protection and Freedom of Information Authority (NAIH).
II.2.6. Integrity and confidentiality
The data shall be protected by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, accidental destruction and damage, and loss of access due to changes in the technology used.
If a User makes personal data available to the Operator, the Operator shall take all necessary steps to ensure the security of this data, both during network communication (i.e. online data management) and during data storage and safekeeping (i.e. offline data management).
Personal data can only be accessed by persons holding competent positions - subject to high-level access controls.
The data subject may request from the controller i) information on the processing of his / her personal data, ii) correction of his / her personal data, and iii) deletion or blocking of his / her personal data, except for mandatory data processing.
II.2.8. As a general principle, the Operator declares that in all cases when requesting personal data from its Users, after reading and interpreting the necessary information text, they are free to decide whether to provide the requested information. It should be noted, however, that if someone does not provide their personal information, they will not be able to use the services of the Website subject to registration.
The operator respects the principles of data management and strives to enforce them at all times.
III. The legal basis of the data management
The Operator shall process the data in Chapter V with reference to the following legal bases:
III.1. Legal basis for data management: Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services, and Article 6 (1) (c) of the GDPR (name, delivery address, billing address).
IV.2. In addition to the voluntary consent of the data subject (Article 6 (1) (a) GDPR), the legal basis for data processing is the legitimate interest of the Operator and the User (Article 6 (1) (d) and (f) GDPR; imaging), contractual data management (Article 6 (1) (b) GDPR; name, shipping address, billing address), Grt. Section 6 (5) (Article 6 (1) (c) GDPR; name, e-mail address) and, in the case of a request for User Information by e-mail, Article 6 (1) (b) and (f) of the GDPR (name, e-mail address).
The Operator states that the (contractual) legal basis for data management under Article 6 (1) (b) of the GDPR will be converted into a legal basis under Article 6 (1) (b) and (f) of the GDPR (legitimate interest) in the event of non-compliance.
III.2. The Operator manages the User's data described in point V.1. pursuant to Section 5 (1) (a) of the GDPR (Article 6 (1) (a) of the GDPR) and a contractual obligation (Article 6 (1) (b) of the GDPR; name, delivery address, billing address), and in accordance with the rules of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
The User gives his / her consent in person or, during the use of the Website, in electronic form in the process of registration / order / request for electronic information by the User, by signing the Data Management Statement / ticking the tickbox. The User may withdraw his consent at any time and request the deletion / forgetting of his data, or modify his data affected by the consent. In the case of an ongoing order, the revocation of the data management consent is considered a withdrawal from the order, a fact to which the Operator draws the User's attention in connection with the cancellation / forgetting request by stating that the User's data will be processed under Article 6 (1) (f) of the GDPR until the pre-contractual situation has been restored by the parties. Pursuant to Article 7 (3) and Article 13 (2) (c) of the GDPR, the withdrawal of consent does not affect the lawfulness of the prior processing.
III.3. The Operator shall use the User's personal data (image) recorded in point V for quality assurance, property security, crime prevention and crime detection purposes in the Info. Section 6 (1) (b) of the GDPR and Section 6 (1) of the GDPR. f), in proportion to the restriction of the rights related to the protection of personal data, in order to enforce the legitimate interests of the Operator and third parties, and in addition in accordance with V.7. The personal data recorded in point 17 / B of the Consumer Protection Act § (3) of the GDPR. c).
IV. The purpose of the data management
The Operator shall manage the data contained in Chapter V in order to achieve the following objectives:
IV.1. The purpose of Data Management is: (i) fulfillment of orders (name, delivery address); (ii) checking the operation of the service (name, telephone number, e-mail address); (iii) prevention of abuse (name, telephone number, e-mail address); (iv) identification and differentiation of Users (name, date of birth, telephone number, delivery address, billing address, e-mail address, username, password); (v) contact (name, telephone number, e-mail address); (vi) production of statistics (pseudonymised per order); (vii) targeted sending of advertising messages (name, e-mail address); (viii) exercise of rights related to the relationship with the Users (customers) (name, billing address, telephone number, e-mail address); (ix) fulfillment of obligations (name, delivery address, billing address, date of birth, telephone number, e-mail address); (x) issuance of the invoice (name, billing address); (xi) monitoring and recording traffic and user habits, thereby recommending personalized advertisements to the Users of the Website (name, order data); (xii) detection and prevention of property security and illegal acts (imaging).
IV.2. By entering their data in person or, while actively using the Website, in electronic form during the registration / order / User electronic information request process, and by signing the newsletter subscription / ticking the tickbox, the User may consent to the Operator contacting them with direct marketing offers and electronic advertising (newsletter, e-mail, SMS, etc.) at the given contact details. Consent may be withdrawn at any time, free of charge, without restriction and without justification, and it is also possible to withdraw consent in the manner specified in the electronic advertisement. The consent may also be revoked by a declaration addressed to the Operator and sent to the Operator's registered office by post. In the case of an ongoing order, the revocation of the data management consent (related to the newsletter) included in this section does not affect the fulfillment of the order. Pursuant to Article 7 (3) and Article 13 (2) (c) of the GDPR, the withdrawal of consent does not affect the lawfulness of the prior processing.
IV.3. In all cases where the Operator wishes to use the provided personal data for a purpose other than the purpose of the original data collection, it shall inform the User thereof and obtain its prior, express consent, or provide him or her with an opportunity to prohibit the use.
V. The subject of the data management
V.1. Registration is not a prerequisite for ordering on the Website. Depending on the User's needs, there are two levels of use of the Website, during which different data are processed, with the legal basis referred to in point III. and for the purpose mentioned in point IV.1.:
V.1.1. For Unregistered Users:
Name, Shipping address, Billing address, Telephone number, E-mail address, Date of birth, Personal image (s) - if applicable
The scope of the managed data was determined by the User's verification of legal capacity (date of birth), fulfillment of the order (name, delivery address), contact (name, telephone number, e-mail address) and provision of invoice conditions (name, billing address). The justification for image capture as treated data is given in Section V.
V.1.2. For Registered Users:
Name, Shipping address, Billing address, Phone number, Email address, Date of birth, Username, Password, Personal image (s) - if applicable
The scope of the managed data was determined by the confirmation of the User's legal capacity (date of birth), the fulfillment of the order (name, delivery address), contact (name, telephone number, e-mail address), the provision of invoice conditions (name, billing address) and the condition for using the Website as a registered user (username, password). The justification for image capture as treated data is given in Section V.
V.2. The provision of personal data is based on law and a contractual obligation, a precondition for concluding a contract for an order. The User is obliged to provide personal data if he wishes to shop online. Failure to provide data will prevent online ordering.
V.3. Parental consent is required to process data provided by users under the age of 16 and for them to make legal declarations. The validity of a legal declaration containing the consent of a data subject who is a minor and has reached the age of 16 does not require the consent or subsequent approval of his / her legal representative.
V.4. Under no circumstances will the Operator collect special data relating to racial origin, national, national and ethnic origin, political opinion or party affiliation, religious or other beliefs, health status, pathological passion, sex life and criminal history.
V.5. The Operator does not supplement or combine the personal or other data provided by the Users with data or information from other sources.
V.6. The Operator makes camera recordings of the events in its sales premises for the purposes of property security, crime detection and crime prevention, and this material is stored for 3 working days. The Operator also warns the User about the fact of the image recording with a sign displayed in a clearly visible place in the sales premises. The User consents to the recording of the image by entering the sales area or by signing the Data Management Statement / ticking the tickbox. If the User does not consent to the data processing under point III.3., he or she can use the online ordering and customer service (chat, e-mail) services. The legal basis for data processing is also Article 6 (1) (d) and (f) of the GDPR.
V.7. Some data of the Users, such as their IP address, other traffic data and behavioral data, are also recorded in order to quantify the traffic to the Website and to identify any errors and intrusions that may occur to the Operator. This data is handled by the Operator only for the necessary time and is not linked to other data with the help of which the User's identity can be identified (Alias). Data can also be managed on servers located abroad.
VI. The duration of the data management
VI.1. Duration of data management:
VI.1.1. In the case of an unregistered user (see V.1.1.): for 3 years (expiration of the warranty period) following the realization of the purpose of data management (delivery of the order and settlement of the invoice), until another date specified by law.
Billing data (name, billing address) shall be retained for a period of 8 years from the date of issue of the invoice, pursuant to Section 169 (2) of the Accounting Act.
VI.1.2. In the case of a registered user (see V.1.2.): for 3 years after the date of cancellation of the registration, or, if an order was placed before the cancellation of the registration and was not fulfilled by the date of cancellation of the registration, for the period set out in point VI.1.1.
Billing data (name, billing address) shall be retained for a period of 8 years from the date of issue of the invoice, pursuant to Section 169 (2) of the Accounting Act.
VI.1.3. In the case of images recorded at the Seller's sales premises in accordance with point V.6., the duration of data processing is 3 working days. If there is no need to store the recorded material during this period, the material will be automatically deleted at the end of working day 5. In justified cases (if the Operator has become aware of content to be used as evidence in official proceedings), the Operator handles the image recording until the achievement of the goal (until a final decision is made).
VI.2. The User may withdraw his consent to data management at any time, request the deletion of his data affected by the consent, or modify his data. In the case of an ongoing order, the revocation of the data management consent is considered a withdrawal from the order, a fact to which the Operator draws the User's attention in connection with the cancellation / forgetting request by stating that the User's data will be processed under Article 6 (1) (f) of the GDPR until the pre-contractual situation has been restored by the parties. Pursuant to Article 7 (3) and Article 13 (2) (c) of the GDPR, the withdrawal of consent does not affect the lawfulness of the prior processing.
VI.3. If the personal data was collected with the consent of the User, the Operator shall save the collected data, unless otherwise provided by law.
(a) for the purpose of fulfilling a legal obligation incumbent on it, or
(b) for the purpose of enforcing the legitimate interest of the Operator or a third party, if the exercise of such interest is proportionate to the restriction of the right to the protection of personal data
without further specific consent and after the withdrawal of the data subject's consent.
VII. Exercise of the data subject 's rights
VII.1. If any User, in accordance with the provisions of point VII.2., requests the Operator to delete his or her personal data from the Operator's system, the Operator shall immediately do so by deleting the corresponding data previously indicated by the User from its database.
VII.2. The request for cancellation / forgetting can be submitted electronically via the e-mail address of the customer service or in the chat window on the Website, on paper by letter sent to the Operator's registered office, or orally at the telephone customer service or at the sales premises. The Operator shall send the User a written confirmation of a verbal request for cancellation / forgetting.
In the case of a cancellation request (withdrawal of data management consent), the data managed by the Operator cannot be processed from the date of receipt of the request.
In the case of a request for forgetting, the Operator is obliged to delete all contacts, the profile created about the User and the automatic decision from the system, including all data lawfully processed before the receipt of the request.
VII.3. If there is a change in the managed data, the User can request to change it in the database. The request for the change can be submitted electronically via the e-mail address of the customer service or in the chat window on the Website, on paper by letter sent to the Operator's registered office, or orally at the telephone customer service or at the sales premises. The Operator shall send the User a written confirmation of a verbal request for amendment.
VII.4. Instead of deleting, the Operator shall block the personal data if the User so requests or if, on the basis of the information available to him, it can be assumed that the deletion would harm the legitimate interests of the User. Personal data blocked in this way may only be stored for as long as the purpose of data management, which precluded the deletion of personal data, exists. With the exception of storage, data subject to restriction may only be processed with the consent of the User, or for the submission, enforcement or protection of legal claims, or for the protection of the rights of other natural or legal persons, or for important public interests (Right to Restrict Data Management).
VII.5. If the Operator does not comply with the User's request for rectification, blocking or deletion, it shall communicate the factual and legal reasons for rejecting the request for rectification, blocking or deletion in writing within 25 days of receipt of the request. In the event of a rejection of a request for rectification, erasure or blocking, the Operator shall inform the User of the possibility of legal redress and recourse to the supervisory authority.
VII.6. The User may object to the processing of his personal data,
(a) where the processing or transfer of personal data is necessary solely for the performance of a legal obligation on the Operator or for the legitimate interest of the controller, recipient or third party, except in the case of mandatory processing;
(b) where the use or transfer of personal data is for the direct acquisition of business, public opinion polls or scientific research; and
(c) in other cases specified by law.
In case of the User's protest, the Operator is not entitled to further data processing, unless he proves that the data processing is justified by compelling legitimate reasons that take precedence over the User's interests and rights or related to the submission, enforcement or protection of legal claims.
With regard to data processed on the basis of a legal basis pursuant to Article 6 (1) (d) and (f) of the GDPR (legitimate interest), the User may object to the processing of his data instead of withdrawing the request for deletion / consent.
The Operator, as the data controller, shall examine the protest within the shortest time from the submission of the request, but not later than within 15 days, make a decision on the merits of the request, and inform the requesting User in writing.
VII.7. Users may request information on the handling of their personal data. The request for information can be submitted electronically via the e-mail address of the customer service or in the chat window on the Website, on paper by letter sent to the Operator's registered office, or orally at the telephone customer service or at the sales premises. The Operator shall send the User a written confirmation of a verbal request for information.
At the request of the User, the Operator provides information on the User's data managed by it, their source, the purpose, legal basis and duration of the data processing, the fact and legal basis of any data transfer, the name and address of the recipient and all activities related to data management. The Operator is obliged to provide the information in writing, in a comprehensible form, at the request of the User as soon as possible after the submission of the application, but no later than within 30 days.
The information described above is free of charge if the person requesting the information has not yet submitted an information request to the Operator regarding the same data set in the current year. In other cases, reimbursement of costs may be established. Costs already paid shall be reimbursed if the data have been processed unlawfully or if a request for information has led to a correction.
The information of the data subject is provided by the Operator only in the Info. in cases specified by law. In the event of a refusal to provide information, the Operator shall notify the data subject in writing of the provisions of this Act on the basis of which the refusal of information was made. In the event of a refusal to provide information, the Operator shall inform the User of the possibility of legal redress and recourse to the National Data Protection and Freedom of Information Authority. The controller shall notify the Authority of rejected applications by 31 January of the year following the year in question.
VII.8. Data portability
Pursuant to Section 20 of the GDPR, the User is entitled to receive the data provided by him to the Operator in a structured, widely used, machine-readable format, as well as to transmit it to another data controller.
The User may request the direct transfer of data to the other data controller - if this is technically feasible.
The request for data transfer can be submitted electronically via the e-mail address of the customer service or in the chat window on the Website, on paper by letter sent to the Operator's headquarters, or orally at the telephone customer service or at the sales premises. The Operator shall send the User a written confirmation of a verbal request for data transmission.
If the Operator does not comply with the User's request for data transfer, he shall notify the factual and legal reasons for the rejection of the request in writing within 30 days of receipt of the request, at one of the contact details provided by the User. If the request for data transfer is rejected, the Operator shall inform the User about the possibility of legal redress and recourse to the supervisory authority.
With regard to data managed on the basis of a legal basis pursuant to Article 6 (1) (d) and (f) of the GDPR (legitimate interest), the User is not entitled to the right of data portability.