Privacy and data management information
WineHub Holding Ltd. – WWW.WINEHUB.HU
Valid from: 27.07.2022.
1. Introduction, principles, purpose and scope of the Guide
1.1 This privacy and data protection notice (hereinafter: Guide) sets out the privacy and data protection policies and practices of WineHub Holding Limited Liability Company (registered office: 1036 Budapest, Fényes Adolf utca 24-26., company registration number: Cg.01-09-867419, tax number: 13675811-2-41, legal representative: Carlos Coelho Managing Director, hereinafter referred to as “Service provider” or “Data Controller”) for the protection of personal data. The Service Provider has published the Guide on the www.winehub.hu website (the “Website”) and, as the data controller, recognises its obligations in relation to the personal data collected through this website.
1.2 The purpose of this Notice is for the Data Controller to ensure compliance with the constitutional principles of data protection and the requirements of data security, to prevent unauthorised access to data, unauthorised alteration, loss or disclosure of data.
1.3 This Policy applies to all natural persons who visit the Website and to all customers (whether natural persons or entities, whether incorporated or unincorporated, who use the Website to place an order or a reservation) (the “Data Subject“) of products and services marketed through the Website.
1.4 The Data Controller respects the rights of the Data Subject(s) to the protection of their personal data.
1.5 This Notice summarises in a concise and simple manner what data the Data Controller collects, how it may use that data, the tools used by the Data Controller and the Data Subject’s data protection and data protection enforcement options.
1.6. The scope of the Notice is limited to the processing of data by the controller, i.e. it does not cover the processing activities that may be related to information published by third parties that advertise on the Website or otherwise appear on it.
1.7. Detailed rules can be found in the said Regulation and related legal acts, and if you require further information, you are advised to consult the Regulation or contact the Data Controller using the contact details also indicated in this Notice.
2. Applicable legislation
2.1. The Service Provider is committed to fully complying with the applicable data protection rules in all stages of the processing of personal data, including but not limited to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR” or the “Regulation”) and Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (hereinafter referred to as “Info tv.”).
2.2. The general objective of the GDPR is to ensure the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data, while ensuring the free flow of personal data within the EU (Article 1). To this end, the Controller will establish a set of rules on the processing of personal data and data flows, one of the most important elements of which is to focus on the responsibility of the controller. The principles of data protection apply to all information relating to an identified or identifiable natural person.
2.3. The scope of the Regulation covers “the processing of personal data wholly or partly by automated means and the processing of personal data which form part of a filing system or are intended to form part of a filing system by non-automated means.”
3. Principles of data management
3.1. The data controller shall process personal data in accordance with the provisions of the GDPR and applicable laws. In its data processing, the Service Provider complies with the principles of the GDPR Regulation, which are:
3.1.1. Lawfulness, fairness and transparency: the processing of personal data is carried out lawfully and fairly and in a transparent manner for the data subject;
3.1.2. Purpose limitation: personal data is collected and processed only for specified and explicit purposes;
3.1.3. Data economy: data processing is limited to the relevant and necessary extent;
3.1.4. Accuracy: we will make every reasonable effort to ensure that the data is accurate and up to date, and will promptly delete or correct inaccurate personal data;
3.1.5. Limited storage: personal data is stored and processed only for the time necessary to achieve the purposes for which it is processed;
3.1.6. Integrity and confidentiality: ensure adequate security of personal data, including protection against accidental loss, destruction, unlawful destruction, unauthorised access, unauthorised use, damage, by appropriate technical and organisational measures;
3.1.7. Accountability: prepared to demonstrate compliance with the above;
3.1.8. 16. protection of the data of a person under the age of 18. A 16. the personal data of a person under the age of 18 may be processed only with the consent of the person who is the legal guardian of the person concerned. The Service Provider is not in a position to verify the consent of the person giving consent or the content of the consent, so the Data Subject or the person having parental authority over the Data Subject warrants that the consent is in accordance with the law. In the absence of a declaration of consent, the Service Provider 16. does not collect personal data relating to a data subject under the age of 18.
3.2. The Data Controller shall inform the Data Subject of the processing rules in a timely manner, before the processing starts, in the prescribed manner. The Data Controller collects, stores and uses personal data only for a specific purpose, in accordance with the purpose limitation requirement. The personal data collected shall always be adequate, relevant and sufficient for the purpose for which it is collected, and the Data Controller shall comply with the principle of data minimisation by complying with this rule.
3.3. In the spirit of data accuracy, the Data Controller shall take reasonable steps, having regard to the purpose, to ensure that the personal data of the Data Subject are complete, accurate, up-to-date and reliable to the extent necessary for that purpose.
3.4. The Data Controller will use personal data for marketing purposes only with the consent of the Data Subject and will give the Data Subject the opportunity to opt-out of such communication.
3.5. The Data Controller will take proportionate and complete steps to ensure the protection of the Data Subject’s personal data as detailed in this Privacy Notice, including in cases where it transfers them to third parties.
3.6. The Service Provider will not transfer the personal data it processes to third parties other than the Data Processors and External Service Providers specified in the Notice.
4. How to access and amend the Prospectus
4.1. The current version of the Prospectus is available electronically at all times via the Website. The Service Provider may unilaterally modify this Policy at any time without prior notice, as necessary, and the modified Policy shall enter into force immediately upon uploading to the Website.
4.2. By accessing the Website, the Data Subject accepts the current version of the Policy, and no further consent is required unless otherwise provided in the Policy.
5. Interpretative provisions
Regulation, GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
Infotv: Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information;
Official Journal: Act CXXXIII of 2005 on the Rules for the Protection of Persons, Property and Private Investigation;
Art.: Act CL of 2017 on the Rules of Taxation;
Sztv.: Act C of 2000 on Accounting;
VAT tv.: Act CXXVII of 2007 on value added tax;
Ptk: Act V of 2013 on the Civil Code;
Elker tv.: Act CVIII of 2001 on certain aspects of electronic commerce services, information society services and other services in the information society;
Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions or opinions, religious or philosophical beliefs, membership of an interest group, sex life, health, pathological addiction and personal data concerning criminal offences.
Genetic data: any personal data relating to the inherited or acquired genetic characteristics of a natural person which contain specific information about the physiology or state of health of that person and which result primarily from the analysis of a biological sample taken from that natural person;
Biometric data: any personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical procedures which allow or confirm the unique identification of a natural person, such as facial image or dactyloscopic data;
Health data: personal data relating to the physical or mental health of a natural person, including data relating to health services provided to a natural person which contain information about the health of the natural person;
Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Data Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the controller’s designation may also be determined by Union or Member State law;
Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
Recording of data processing: in accordance with Article 30(1) of the GDPR, a record of the processing activities carried out by the Controller, which shall contain, in addition to the data relating to the Controller, the name of the processing, the purposes of the processing, the categories of data subjects, the categories of personal data processed, the recipients to whom the data will be disclosed, the name and contact details of the processor(s) and, where possible, the time limit foreseen for the erasure of each category of data;
Recipient: the natural or legal person, public authority, agency or any other body, whether or not a third party, with whom or to which the personal data are disclosed. Public authorities that may have access to personal data in the context of an individual investigation in accordance with EU or Member State law are not recipients;
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
Consent of the Data Subject: a voluntary, specific, informed and unambiguous indication of the Data Subject’s wishes, by which the Data Subject signifies, by a statement or by an act unambiguously expressing his or her consent, that he or she gives his or her consent to the processing of personal data concerning him or her;
Profiling: any form of automated processing of personal data in which personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with the performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of a natural person;
Privacy incident: IT error, data breach.
IT Error: a disruption or slowdown in the operation of an IT system that interferes with work, causes an abnormal operation, service disruption or slowdown, which does not constitute a data breach but may compromise the confidentiality, integrity or availability of the IT system;
Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Authority: National Authority for Data Protection and Information Security, www.naih.hu
6. Data controller (service provider), contact details
Company name: WineHub Holding Korlátolt Felelősségű Társaság
Head office: 1036 Budapest, Fényes Adolf utca 24-26.
Company registration number: 01-09-867419
Tax number: 13675811-2-41
Legal representative: Carlos Coelho, Managing Director
Registering authority/court: the Commercial Court of the Metropolitan Court of Budapest
7. Data Protection Officer
7.1. Under the GDPR, the Service Provider is not obliged to appoint a Data Protection Officer, given that the Service Provider is not a public authority or other body with public responsibilities, its activities do not involve processing operations which, by their nature, scope and/or purposes, involve regular and systematic large-scale monitoring of Data Subjects, and they do not cover special categories of personal data or personal data relating to decisions on criminal liability of Data Subjects and to criminal offences.
8. Purpose of data processing, legal basis, scope of data processed, duration of data processing, data subjects entitled to access data in relation to data subjects using the services provided through the Website (webshop).
(The processing of data related to the use of anonymous User identifiers by the Website is detailed in sections 8.8-8.19)
8.1. Purpose and legal basis for processing
8.2. We use the following legal bases for our processing in accordance with the GDPR:
8.2.1. Consent-based processing: the consent of the visitor to the Website or of the Customer, which is voluntary, specific, informed and unambiguously authorises the Data Controller to process personal data concerning him/her (e.g.: sending a newsletter, promotional purpose, marketing purpose);
8.2.2. Data processing for the performance of a contract: the performance of a contract to which the Data Subject (customer) is a party by virtue of having placed an order through the Website;
8.2.3. Data processing for the fulfilment of a legal obligation: processing necessary for the fulfilment of a legal obligation to which the controller is subject (e.g.: accounting, bookkeeping (Act on the Protection of Consumers (Act CLV of 1997 on Consumer Protection), VAT Act, Art.), handling of complaints (Act CLV of 1997 on Consumer Protection), replying to general enquiries)
8.2.4. Processing for legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party;
8.2.5. The Elker. Act 13/A. §: according to which the Data Controller may process the Customer’s natural person identification data (name, name at birth, mother’s name at birth, place and date of birth) and address for the purpose of creating, defining the content of, amending, monitoring the performance of, invoicing the fees arising from, and enforcing claims in connection with the contract for the provision of information society services. The controller may process natural person identification data, address, and data relating to the time, duration and place of use of the information society service for the purpose of invoicing fees resulting from a contract for the provision of an information society service.
8.3 Scope of data processed, duration of data processing, persons entitled to access data
8.4. The Website can be visited and the services of our webshop can be used by two groups of Data Subjects: (i) visitor status, in which case no order will be placed through the Website; and (ii) customer status, in which case an order will be placed via the Website. The scope of the personal data processed and recorded for the two categories is set out below.
8.5. The Data Controller collects and processes personal data on the basis of the legal bases indicated above, as set out in the table(s) below, for the retention period indicated:
Data processed only for customers
Conclusion of a contract (to which the data subject is a party), performance of the contract and data processed on the basis of legitimate interest
|Name of personal data||Retention/Storage period|
|Name, tax ID/tax number, mother’s name, place/date of birth, bank account number, name of the bank holding the account, telephone number, e-mail address, number, date and time of the purchase transaction; website through which the purchase was made||Retention period: 5 years after the date of performance, termination or cessation of legitimate interest in accordance with the relevant statutory provision (Civil Code § 6:22) (Info tv., GDPR regulation, Elker tv. § 13/A)|
|Personal data contained in general requests (all personal data brought to the attention of the Data Controller by the data subject)||5 years after the legitimate interest ceases. (Info tv., GDPR regulation, Elker tv. § 13/A)|
Data processed pursuant to a legal requirement (legal obligation)
|Name of personal data||Retention/Storage period|
|Accounting voucher data: invoice name, invoice address, tax number/tax identification number, invoice item name, unit price, total price.||Sztv. § 169 (2): at least 8 years (Info tv., GDPR regulation, Elker tv. § 13/A)|
|Name, address, e-mail address||Act CLV of 1997 on Consumer Protection, § 17/A (7): 5 years|
Data processed with the voluntary consent of the data subject
|Name of personal data||Retention/Storage period|
|Name, e-mail address, telephone number||Retention period: until unsubscription or withdrawal of consent (Info tv., GDPR regulation, Elker tv. § 13/A)|
8.6. Data relating to Data Subjects may come into the possession of the Data Controller directly or indirectly from Data Subjects in accordance with this Notice:
8.7. The data is stored in both electronic and paper format.
Data processed exclusively for visitors
Please note that if you also place an order on the Website, the Data Controller will process the data detailed below.
8.8. If you use the Site as a visitor only, without placing an order, we will not have any personally identifiable information about you as a visitor, or store any information about you.
8.9. The Data Controller records and draws your attention to the fact that, when you visit the Website, we create a technical identifier, a so-called cookie, which does not collect any information related to you, but rather sends us information about your usage habits on the computer from which you are logged in.
8.10. The Data Controller may use variable alphanumeric packets of information, i.e. cookies, sent by the web server, which are stored on the user’s computer for a predetermined period of time, to provide services and the website.
8.11. A cookie is a series of unique identifiers or a storage of profile information that service providers place on the Data Subject’s computer. It is important to note that such a sequence of signals is not in itself capable of identifying the Data Subject in any way, but only of identifying the Data Subject’s computer. In the networked world of the internet, personalised information and tailored service can only be provided if service providers can identify the habits and needs of their customers. Service providers are turning to anonymous identification to learn more about their customers’ information use patterns in order to further improve their services and to offer their customers customisation options.
8.12. Cookies are used, for example, to store Data Subjects’ preferences and settings; to help them log in; to display personalised ads and to analyse the functioning of the Website. For this purpose, the Data Controller may use services to collect and track data on contact activities such as relevance, referrals, searches, openings, most important and frequently used features.
8.13. Flash cookies are used by website operators to, for example, tell you whether you have ever visited the website before or to help you identify the features/services that may be of most interest to you. Search and Flash cookies enhance the online experience by retaining the information preferred by the Data Subject while on a particular page. Neither the search engine nor Flash cookies can personally identify the Data Subject, and the Data Subject can reject browser cookies through the browser settings, but without such cookies, he or she will not be able to use all the services of the website.
Cookies used on the Website
|Cookie name||Objective of||Personal data concerned||Legal basis for data processing||Expiry time|
|Strictly mandatory cookie||Enabling navigation||During the use of the website: the IP address of the Data Subject’s computer; data relating to his or her activity on the website.||Consent of the data subject||After leaving the site. No personal data is stored.|
|Performance cookie||Collection of information about website usage (Google Analytics)||Personal data of the Data Subject: the IP address of the Data Subject’s computer when using the website; the start and end time of the time spent on the website; the type of browser and operating system, depending on the setting of the Data Subject’s computer; data about the Data Subject’s activity on the website.||Consent of the data subject||Personal data is stored depending on the type of cookie throughout the session: 2 years/24 hours/1 minute/90 days/365 days|
|Targeting and advertising cookie||Create and store identifiers, display targeted ads. (Google Analytics, Facebook tracking code)||IP address of the device concerned||Consent of the data subject||Personal data is stored for the duration of the session depending on the type of cookie: 90 days/18 months/ 2 years|
8.15. If the Data Subject does not want such an identifier to be placed on his or her computer, he or she can configure the browser not to allow the placement of the unique identifier, and can withdraw permission or delete the unique identifier at any time. In that case the services may not be available to the Data Subject, or may not be available in the form they would have taken had he or she permitted the placement of the identifiers.
8.16. The services are used by a large number of users in a variety of software and hardware environments, with different purposes and domains. The development of services can best be adapted to the needs and possibilities of users if the Website operator has a comprehensive picture of their usage patterns and needs. However, due to the large number of users, in addition to personal enquiries and feedback, it is an effective complementary method for the Website operator to collect and analyse data on their habits and the environment in which the services are run using automated methods.
8.17. The purpose of data processing is to ensure the proper and high quality operation of the website, to monitor and improve the quality of the services provided by the Data Controller, to identify malicious visitors who attack the website and to measure the number of visits.
8.18. The data may be accessed by: the staff responsible for the supervision and maintenance of the Data Controller’s IT system and any data processors.
8.19. The way the data is stored: electronically, but may also be stored on paper in the event of a data breach.
9. Purpose of data processing, scope of data processed, duration of data processing, data subjects entitled to access data in relation to the contact persons and employees of business organisations that come into contact with the Data Controller in the course of their economic (business) activities
9.1. Purpose and legal basis for processing
9.2. The Data Controller processes personal data for legitimate interests in the following cases: the intention to conclude a contract, the conclusion and performance of a contract.
9.3. The Data Controller processes Personal Data in order to comply with legal obligations, based on statutory provisions in the following cases: invoicing, accounting, accounting obligations (Sztv, VAT Act, Art.)
9.4. The Data Controller processes personal data on the basis of the Data Subject’s explicit and voluntary consent in the following cases: marketing purpose: sending a newsletter
9.5. Scope of data processed, duration of data processing, persons entitled to access the data
The Data Controller collects and processes personal data on the basis of the designated legal basis, as set out in the table(s) below, for the designated retention period, according to the quality of the Data Subject:
Data processed on the basis of legitimate interest
|Name of personal data||Retention/storage period|
|Name, e-mail address, telephone number. For partner contact persons, also: position held in the partner company||The retention period is 5 years from the date of performance, termination of the contract or cessation of the legitimate interest in accordance with the relevant statutory provision (Civil Code, § 6:22) (Info tv., GDPR regulation, Elker tv. § 13/A)|
Data processed under the law
|Name of personal data||Retention/Storage period|
|Data on the accounting document: name, position held, e-mail address, telephone number.||Sztv. § 169 (2): at least 8 years (Info tv., GDPR regulation, Elker tv. § 13/A)|
Data processed with the voluntary consent of the data subject
|Name of personal data||Retention/storage period|
|Name, email address, phone number, for contacts – position held in partner company||Retention period: until unsubscription or withdrawal of consent (Info tv., GDPR regulation, Elker tv. § 13/A)|
9.6. Data relating to Data Subjects may be held by the Data Controller as follows:
- directly or indirectly from Data Subjects, in accordance with this Privacy Notice
- by transferring data from other data controllers,
- from public sources.
9.7. The data is stored in both electronic and paper format.
10. Data processors, external service providers
10.1. The Data Controller is entitled to use a data processor for the performance of its activities; the list of data processors used is set out in Annex 1 to this Notice.
10.2. Persons entitled to access the data: the Data Controller may transfer the data to its employees and agents performing tasks related to customer service and its activities, as well as to its employees and data processors performing accounting and tax tasks as recipients. In the event of an official request by an investigating authority or other authority in the framework of an official procedure, the Service Provider shall provide the requested data in accordance with the provisions of the applicable legislation.
10.3. The Data Controller shall, in accordance with the law, enter into a data processing agreement with a data processor, in which the relationship between the data processor and the data controller is regulated and the security of personal data held and processed by the data processor is guaranteed. In particular:
- the processor processes the personal data on the basis of the controller’s instructions;
- the processor, and its employees who process personal data, are bound by confidentiality obligations;
- the processor implements appropriate organisational and technical measures to guarantee data security;
- the processor facilitates and enables audits and on-site inspections;
- where the processor engages the assistance of another processor, the same obligations apply as those initially established by the contract between the processor and the controller;
- at the end of the data processing agreement, the processor shall, at the controller’s discretion, return all personal data to the controller or delete them, delete existing copies, except where storage is required by Member State or EU law.
11. Data transmission
11.1 Transfer of data: making data available to a specified third party.
11.2. The transferor of the data must always check the conditions of the transfer (legal basis, purpose limitation, data security) with the Service Provider. Personal data may only be transferred if the Data Subject has given his or her consent in writing or if permitted by law and if the conditions for processing are met for each individual personal data. Any transfer of data must be properly informed, purpose-specific and based on an appropriate legal basis.
11.3. Non-repetitive transfers and transfers concerning only a limited number of data subjects may be permitted for compelling legitimate interests pursued by the controller, provided that those interests are not overridden by the interests or rights and freedoms of the data subject and the controller has assessed all the circumstances of the transfer.
11.4. Prior to the transfer, the controller or the processor acting on his behalf or under his instructions shall verify the accuracy, completeness and timeliness of the personal data to be transferred.
11.5. In the event of a transfer, the data subjects must be informed immediately, except where the transfer is required by law or for reasons of official action, in particular police action or criminal proceedings.
11.6. The Service Provider shall notify the data subjects of the transfer of data to the external service providers named in this Notice by means of this Notice.
12. Data security
12.1. In any case, the Service Provider shall ensure the secure storage of data in accordance with the legal provisions, by complying with the rules and by implementing appropriate technical and organisational measures. The Service Provider shall make the source of the data available to the Data Subject.
12.2 The Data Controller shall, in accordance with its obligations under the Info Act and the GDPR, do its utmost to ensure the security of the Data Subject’s data, and shall take the necessary technical and organisational measures and establish the procedural rules necessary to enforce the Info Act, the GDPR and other data protection and confidentiality rules. The data of the data subject stored in the database of the Data Controller may only be accessed by the employees of the Data Controller who are expressly authorised to do so.
12.3. So-called cloud applications are also part of the data management services provided in connection with the website. Cloud applications are typically international or cross-border in nature and are used, for example, for data storage purposes, where the data storage is not on the Data Controller’s computer/organisational computer centre, but on a server centre located anywhere in the world. The main advantage of cloud applications is that they provide a highly secure, flexible and scalable IT storage and processing capacity that is essentially independent of geographic location.
12.4. The Data Controller selects its cloud service partners with the utmost care and does its utmost to conclude contracts with them that take into account the data security interests of the Data Subjects, that make their data management principles transparent, and under which data security is regularly monitored.
12.5. There may be references or links on the Controller’s website to sites maintained by other service providers (including login and share buttons and logos), where the Controller has no control over the practices relating to the processing of personal data. The Data Controller draws the attention of the data subjects to the fact that if they click on such links, they may be redirected to the sites of other service providers. In such cases, we strongly recommend that you read the privacy notice applicable to the use of these sites. This Privacy Notice applies only to the processing carried out by the Data Controller. If the data subject modifies or deletes any of his or her data on an external website, this will not affect the processing by the Data Controller; such modifications must also be made on the Website.
13. Rights of Data Subjects
Right to prior information:
the data subject has the right to be informed prior to the processing (GDPR Section 2, Articles 13 and 14; Info Act Section 14(a));
Right of access:
to have access to personal data and information relating to the processing of personal data at the request of the data subject (Article 15 GDPR; Article 14b of the Info Law);
Right to rectification:
at the request of the data subject, the controller may correct, rectify or supplement personal data (Article 16 GDPR; Article 14.c of the Info Law);
Right to restriction of processing:
at the request of the data subject, the controller restricts the processing of his or her personal data (Article 18 GDPR; Article 14 Info Law);
Right to erasure:
the right to erasure of personal data by the controller at the request of the data subject (Article 17 GDPR; Article 14 Info Law); right to be forgotten (GDPR (66));
Right to object:
the data subject may object to the processing of his/her data (Article 21 GDPR; GDPR (69));
Right to data portability:
to receive the data subject’s data in a structured and transparent format for the purpose of transferring them to another controller (Article 20 GDPR).
The Data Subject has the right to be informed of the facts related to the processing of his or her personal data processed by the Service Provider prior to the start of the processing. In view of the fact that the Data Subject provides the Service Provider with his/her personal data, the Service Provider fulfils its obligation to provide information pursuant to Article 13 GDPR by means of this Notice.
13.2. Right of access (Article 15 GDPR)
13.2.1. At any time, the Data Subject has the right to request information on whether his or her personal data are being processed and, in relation to such personal data processing, on:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) in the case of transfers, the recipients/categories of recipients, including third country recipients and international organisations, and, in that case, the guarantees applied;
(d) the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
(e) the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such data;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the data have not been collected from the data subject, any available information about their source;
(h) the fact of automated decision-making, including profiling (this point is not relevant for the Service Provider).
(i) Information on the data processor (under the Info Act).
13.2.2 The Data Subject shall have the right to request the Service Provider to rectify, erase or restrict the processing of personal data concerning him or her at any time and may object to the processing of such personal data. Denial of access or restriction of access may be justified and lawful in certain specifically named cases, but these are usually within the competence of public authorities and are likely to be irrelevant to the Service Provider.
13.2.3 The first copy shall be free of charge, and the controller may charge a reasonable administrative fee for any additional copies requested. The right to request a copy must not adversely affect the rights and freedoms of others.
13.3. Right to rectify, supplement or amend (Article 16 GDPR)
13.3.1. The Data Subject shall have the right to obtain from the Data Controller, upon his or her request, the rectification of inaccurate Personal Data relating to him or her without undue delay. Taking into account the purpose of the processing, the Data Subject has the right to request the completion of incomplete Personal Data, including by means of a supplementary declaration.
13.4.1 In the event of the exercise of the right to restriction of processing, the Service Provider will not delete the personal data, but will not perform any processing operation other than storage.
13.4.2. Personal data subject to a restriction on processing may only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
(a) the Data Subject contests the accuracy of the personal data, in which case the limitation shall apply for the period of time that allows the Service Provider to verify the accuracy of the personal data;
(b) the processing is unlawful and the Data Subject opposes the erasure of the data and requests instead the restriction of their use;
(c) the Service Provider no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims;
(d) the Data Subject has objected to the processing pursuant to Article 21(1) GDPR and time is needed to assess whether there are overriding legitimate grounds for the processing. In such a case, the restriction shall apply for the period until it is established whether there is a legitimate ground for data processing which takes precedence, i.e. whether the legitimate grounds of the Service Provider for retaining and processing the data take precedence over the legitimate grounds of the Data Subject for the erasure of the data.
13.4.3 In the event of restriction of processing, the Service Provider shall inform the Data Subject in advance of the lifting of the restriction in the form and manner in which the Data Subject requested the restriction of processing.
13.4.4 The Service Provider shall inform any recipient to whom or with whom the personal data have been disclosed of the rectification, erasure or restriction of processing requested by the Data Subject and carried out by the Service Provider, unless this proves impossible or involves a disproportionate effort. At the request of the Data Subject, the Service Provider shall inform the Data Subject of the identity of the recipients to whom it has provided the information referred to above.
13.5. Right to erasure of personal data (“right to be forgotten”) (Article 17 GDPR)
13.5.1. The Data Subject may at any time request the Service Provider to delete his/her personal data, which the Service Provider is obliged to comply with if one of the following grounds applies:
(a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed by the Service Provider;
(b) the Data Subject has withdrawn his or her consent on the basis of which the processing is based and there is no other legal basis for the processing;
(c) the Data Subject objects, pursuant to Article 21(1) GDPR, to processing based on the public interest or the legitimate interest of the Service Provider, and there are no overriding legitimate grounds for the processing, or the Data Subject objects to processing for direct marketing purposes pursuant to Article 21(2) GDPR;
(d) the personal data were unlawfully processed by the Service Provider;
(e) personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Service Provider;
(f) the personal data were collected in connection with the provision of information society services referred to in Article 8(1) GDPR.
13.5.2 The Service Provider is not required to delete the data if the processing is necessary:
(a) for the exercise of the right to freedom of expression and information;
(b) for the purposes of complying with an obligation imposed on the Service Provider by applicable law that requires the processing of personal data (e.g. tax and accounting obligations) or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Service Provider;
(c) on grounds of public interest in the field of public health, in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR;
(d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or
(e) for the establishment, exercise or defence of legal claims.
13.6.1 The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data where that processing is based on the public interest or is necessary for the purposes of the legitimate interests pursued by the Service Provider or a third party (Article 6(1)(e) and (f) GDPR).
13.6.2 In such a case, the Service Provider may no longer process the personal data, unless it proves that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject or are related to the establishment, exercise or defence of legal claims.
13.7.1 Given that the Service Provider also stores the Data Subject’s data in an electronic database, the Data Subject has the right to receive the personal data concerning him/her that he/she has provided to the Service Provider in a structured, commonly used, machine-readable format, and to transmit such data to another controller without hindrance from the Service Provider. The right to data portability applies to the Data Subject in relation to data whose processing is based on the Data Subject’s consent (Article 6(1)(a) or Article 9(2)(a) GDPR) or on the performance of a contract (Article 6(1)(b) GDPR). If the Data Subject requests the direct transfer of personal data between controllers, the Service Provider will indicate whether this is technically feasible.
14. Enforcement of the Data Subject’s rights, submitting a request, contacting the Service Provider, complaints, data protection incident
14.1 Measures taken by the service provider
14.1.1 In order to facilitate the exercise of the rights of data subjects, the Service Provider shall take the following measures in accordance with the law:
(a) make appropriate technical and organisational arrangements;
(b) provide the information in a form which is easily accessible and legible to the data subjects, in a concise, clear and plain language;
(c) may request credible evidence of the identity of the person making the request if there are reasonable grounds to believe that the person making the request is not the data subject;
(d) ensure the exercise of the data subject’s rights free of charge, unless the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature. The burden of proof shall be on the Service Provider. In this case, the Service Provider:
- may charge a reasonable fee, or
- may refuse to act on the request.
14.1.2 The Service Provider shall process the request submitted by the Data Subject as soon as possible, but not later than 25 days, and shall notify the Data Subject of the decision in writing (or, if submitted electronically, electronically). This time limit may be extended by 2 months in justified and complex cases, provided that the person concerned is notified within 25 days, stating the reason.
14.2 Right to legal remedies, information on legal remedies
14.2.1 Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
(a) Without prejudice to any other administrative or judicial remedy, the Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of personal data relating to him or her infringes the provisions of the GDPR.
(b) The data subject may apply to the following authority as supervisory authority:
NAIH – National Authority for Data Protection and Freedom of Information
1530 Budapest, Pf.: 5.
1125 Budapest, Szilágyi Erzsébet fasor 22/c
tel: +36 (1) 391-1400; e-mail: firstname.lastname@example.org
(c) The supervisory authority with which the Data Subject has lodged the complaint must inform the Data Subject as a customer of the procedural developments and the outcome of the complaint, including whether the Data Subject has the right to a judicial remedy under Article 78 GDPR.
14.2.2 Right to an effective judicial remedy against the supervisory authority (Article 78 GDPR)
(a) Without prejudice to any other administrative or non-judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him.
(b) Proceedings against the supervisory authority must be brought before the courts of the Member State where the supervisory authority is established (in Hungary, the Administrative and Labour Court of Budapest has jurisdiction and competence to hear proceedings against the National Authority for Data Protection and Freedom of Information).
14.2.3 Right to an effective judicial remedy against the Service Provider or the Data Processor (Article 79 GDPR)
(a) In addition to and without prejudice to the administrative or non-judicial remedies available, the Data Subject may exercise his or her rights to the protection of his or her personal data before a civil court, the competent court of law of the place where the Controller is established or (at his or her choice) the competent court of law of the place of residence or, failing that, of the place of stay, if he or she considers that the Service Provider has not processed his or her personal data in accordance with the GDPR and has therefore infringed his or her rights under the GDPR.
(b) The proceedings must be brought before the courts of the Member State where the Service Provider is established, i.e. Hungary. Proceedings may also be brought in the courts of the Member State of the Data Subject’s habitual residence (if different from Hungary).
14.3 Informing the data subject of the personal data breach (Article 34 GDPR)
14.3.1 If the personal data breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the Service Provider shall inform the Data Subject of the personal data breach without undue delay. This information must clearly and plainly describe the nature of the data breach and include at least the following information and measures:
(a) provide the name and contact details of the Data Protection Officer or other contact person who can provide further information;
(b) describe the likely consequences of the data breach;
(c) describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
14.3.2 The Data Subject need not be informed of a personal data breach if any of the following conditions are met:
(a) the Service Provider has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
(b) the Service Provider has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
(c) the information would require a disproportionate effort.
14.3.3 In the above cases, the Data Subject shall be informed by means of publicly disclosed information or by means of a similar measure which ensures that the Data Subject is informed in a similarly effective manner.
14.3.4 In the event that the Data Subject asserts his or her rights, his or her request shall, as far as possible, be submitted i) in writing, by post; ii) by delivering it personally to the registered office of the Service Provider; or iii) by sending it by e-mail to the Service Provider’s e-mail address (as set out in point 6 above).
- Annex No.
Data Processors used for the processing of personal data
WineHub Holding Ltd. (1036 Budapest, Fényes Adolf utca 24-26.)
(9023 Győr, Szigethy Attila út 61. 3. floor 7.)
DPD Hungary Kft.
(1134 Budapest, Váci út 33. 2nd floor)
Raiffeisen Bank Zrt.
Laurus Hungary Ltd.
(1054 Budapest, Kálmán Imre utca 1.)