Data Processing Information Notice

PRIVACY AND DATA PROCESSING INFORMATION NOTICE

Webshippy Magyarország Korlátolt Felelősségű Társaság
(H-2151 Fót, 0221/12.)

Budapest, 01.01.2020

I. INTRODUCTION OF THE DATA CONTROLLER

Webshippy Magyarország Korlátolt Felelősségű Társaság (hereinafter referred to as “Company”, “Controller”, “We”) has created the following privacy notice to ensure the lawfulness of its internal data processing and to safeguard the rights of data subjects.

Name of the Controller: Webshippy Magyarország Korlátolt Felelősségű Társaság
VAT number of the Controller: 25569421-2-13
Registered office of the Controller: H-2151 Fót, 0221/12. (East Gate Business Park C/2.)
Electronic address of the Controller: [email protected]
Representative of the Controller: PERÉNYI András, CEO

Our Company processes personal data in accordance with all applicable laws, but in particular with the following:

Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as the “Privacy Act”),

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “Regulation” or “GDPR”).

Our Company handles personal data confidentially, and takes all IT-related and other technical and organisational measures in the field of data storage and data management to ensure data security and to facilitate safe data processing.

Our Company has created this notice in order to describe the purposes of the processing of personal data related to visiting the website https://webshippy.com and using the services provided by the site and the characteristics of the processing, as well as to inform the data subjects.

*****

II. THE CHARACTERISTICS OF EACH PROCESSING PURPOSE

  1. Management of cookies on the website

We use so-called “cookies” to maintain and improve the services of the https://webshippy.com website and to enhance the user experience.

What Are Cookies

As is common practice with almost all professional websites, this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience. This page describes what information they gather, how we use it and why we sometimes need to store these cookies. We will also share how you can prevent these cookies from being stored; however, this may downgrade or ‘break’ certain elements of the site’s functionality.

How We Use Cookies

We use cookies for a variety of reasons detailed below. Unfortunately, in most cases there are no industry standard options for disabling cookies without completely disabling the functionality and features they add to this site. It is recommended that you leave on all cookies if you are not sure whether you need them or not, in case they are used to provide a service that you use.

Disabling Cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually also disable certain functionality and features of this site. Therefore, it is recommended that you do not disable cookies.

The Cookies We Set

  • Account related cookies
    If you create an account with us, then we will use cookies for the management of the signup process and general administration. These cookies will usually be deleted when you log out; however, in some cases they may remain afterwards to remember your site preferences when logged out.
  • Login related cookies
    We use cookies when you are logged in so that we can remember this fact. This prevents you from having to log in every single time you visit a new page. These cookies are typically removed or cleared when you log out to ensure that you can only access restricted features and areas when logged in.
  • Email newsletters related cookies
    This site offers newsletter or email subscription services and cookies may be used to remember if you are already registered and whether to show certain notifications which might only be valid to subscribed/unsubscribed users.
  • Forms related cookies
    When you submit data through a form, such as those found on contact pages or comment forms, cookies may be set to remember your user details for future correspondence.

Third Party Cookies

In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site.

  • This site uses Google Analytics, which is one of the most widespread and trusted analytics solutions on the web, for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.
    For more information on Google Analytics cookies, see the official Google Analytics page.
  • As we sell products it’s important for us to understand statistics about how many of the visitors to our site actually make a purchase and as such this is the kind of data that these cookies will track. This is important to you as it means that we can accurately make business predictions that allow us to monitor our advertising and product costs to ensure the best possible price.
  • We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work the following social media sites including the social networks whose features you have integrated with your site, will set cookies through our site which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.

More Information

Hopefully that has clarified things for you and, as was previously mentioned, if there is something that you aren’t sure whether you need or not, it’s usually safer to leave cookies enabled in case it does interact with one of the features you use on our site.

However, if you are still looking for more information, then you can contact us through one of our preferred contact methods:

  2. Assessment of job applications

The purpose of data processing

To carry out the selection process for the vacant post and, during the selection process, to get to know the professional and human qualities, educational qualifications and previous work experience of the candidates in order to find the most suitable person to fill the vacant position.

Personal data processed

If you apply for the advertised job through our website, you will need to provide us with the following information:

name,

email,

telephone,

language skills,

former work experience,

statements about the personal qualities and skills of the person concerned,

statement about having a driving licence, a declaration that you have your own car and laptop,

curriculum vitae.

Once you have applied, we will send you a simple online test to assess your creativity and knowledge.

The legal basis of data processing

The processing of personal data is necessary to take steps at the request of the data subject prior to the conclusion of the contract (Article 6(1)(b) of the Regulation).

By sending us the application for the advertised job, the data subject expresses his or her clear intention to fill the vacancy and to participate in the selection process. It is a necessary part of the selection process that the employer assesses the professional and personal qualities of the candidate beforehand in order to judge whether the candidate is suitable for the job.

The source of personal data

The data subject. Since the data subject is the source of the personal data, the Controller will inform him or her directly of any changes to the scope of the data processed when the data are collected.

Recipients of personal data made available

Personal data are only processed by our employees who have the right to make suggestions or decisions in relation to the advertised vacancy.

Candidates’ personal data are stored in the MINICRM system, whose developer acts as a data processor for the data stored in the program.

MiniCRM Zrt. (H-1075 Budapest, Madách Imre út 13-14.; company registration number: 01-10-047449; VAT number: 23982273242) – developer of the MiniCRM software

If the data subject sends his or her data to us by email, Google Ireland Limited (Gordon House, Barrow Street, Dublin, Ireland), as our Company’s email service provider and the developer of Google G Suite, acts as data processor.

The data processor may process the personal data of the data subject only for the purposes specified by the Controller and contractually agreed upon, in accordance with the instructions of the Controller, and has no autonomous decision-making power with regard to the processing. The data processor has undertaken confidentiality obligations and contractual guarantees with regard to the retention of personal data obtained in the course of its duties.

Transfer of personal data to a third country or international organisation

We shall not transfer personal data to third countries or international organisations.

Duration of processing personal data

Only until the position is filled permanently (at the end of the selected probationary period), but for a maximum of 1 year.

Automated decision-making and profiling

Neither of them takes place during the data processing.

Provision of personal data

The provision of personal data is not mandatory, but it is an essential condition for the assessment of the application and participation in the selection process.

*****

  3. Electronic communication

In today’s fast-paced world, our Company keeps in touch with our partners and customers primarily through electronic means. Anyone can contact us at any time by sending us an electronic message.

We will process your personal data in electronic communications with you in relation to any matter as described in this notice.

The purpose of data processing

Communicate directly by sending an email or via the messaging service at https://webshippy.com/kapcsolat/. The data provided by the data subject when contacting us will be used solely for the purpose of communicating with him or her and for the administration of the content of the message. Our Company will only contact any data subject in connection with the performance of a contract already in force, in compliance with the rules on data protection.

You can also contact us via the chat application (Chatra) at https://webshippy.com/.

Our Company will only contact any data subject where there is a legitimate legal basis for doing so, in compliance with the rules on data protection.

Personal data processed

Name, email address and any other information that the data subject may provide to our Company in the course of the communication. As the source of the personal data is the data subject, the final scope of the personal data processed will be communicated to you during the communication.

If the data subject contacts us via https://webshippy.com/kapcsolat/, he or she will be required to provide the following information:

family name,

first name,

mobile telephone,

email address,

webshop engine,

the number of parcels sent monthly.

Data processed when you contact us via the chat on the website (Chatra):

name,

email.

Messages sent via the chat application (Chatra) are replied to via the application or by email.

The legal basis of data processing

The legal basis for the processing of personal data is Article 6(1)(b) of the Regulation, i.e. processing is necessary for the performance of a contract (obligation) to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into a contract. The Controller considers the communication with the data subjects as preliminary processing in relation to a contract (agreement) to be concluded at a later stage or processing in relation to a contract already concluded.

In addition, Article 6(1)(f) of the Regulation (legitimate interest) also provides our Company with a legal basis for processing. Our Company has a legitimate interest in ensuring that, if we are contacted by electronic mail about a matter, we process the personal data necessary to respond and resolve the matter.

The source of personal data

The data subject. Since the data subject is the source of the personal data, the Controller will inform him or her directly of any changes to the scope of the data processed when the data are collected.

Recipients of personal data made available

The personal data provided by the data subject may only be accessed by employees of our Company who have the right to make suggestions or decisions in relation to the message sent by the data subject or the necessary action to be taken on the basis of the message.

We use the following data processor(s) for data processing:

MiniCRM Zrt. (H-1075 Budapest, Madách Imre út 13-14.; company registration number: 01-10-047449; VAT number: 23982273242) – The developer of our Company’s administration software (MiniCRM).

Roger Wilco LLC. (2200 Clarendon Blvd., Suite 1400A Arlington, VA 22201, USA; [email protected].) – As the developer of the Chatra chat application, acts as a data processor when providing the service.

Google Ireland Limited (Gordon House, Barrow Street, Dublin, Ireland): Our Company’s email service provider is Google G Suite.

The data processor may process the personal data of the data subject only for the purposes specified by the Controller and contractually agreed upon, in accordance with the instructions of the Controller, and has no autonomous decision-making power with regard to the processing. The data processor has undertaken confidentiality obligations and contractual guarantees with regard to the retention of personal data obtained in the course of its duties.

Transfer of personal data to a third country or international organisation

We shall not transfer personal data to any international organisation.

Although Roger Wilco LLC. is a company registered in the United States, it is a signatory to the Privacy Shield Convention, which ensures that the company’s processing of personal data is subject to similar protections as European companies, and therefore transfers to it for processing purposes are not considered transfers to third countries.

Duration of processing personal data

Where a contract or agreement of any kind is concluded between our Company and the data subject, the personal data processed in the course of the related communication will be processed in relation to that contract until the expiry of the limitation period, which is generally 5 years from the performance of the contract.

If the communication does not lead to a contract or other agreement between our Company and the data subject, we will delete your message(s) after the communication has been finally closed.

Automated decision-making and profiling

Neither of them takes place during the data processing.

Provision of personal data

The processing of personal data is a condition for replying to the message and thus for the communication between the data subject and our Company.

*****

  4. Recording telephone calls

The purpose of data processing

Our company also records outgoing and incoming phone calls. The audio recording is assigned a unique identification number and stored. The purpose of this data processing is to clarify any partner needs arising from telephone calls and to improve the quality of the service by analysing the recordings.

In many cases, our staff provide help and information to existing and potential Partners over the phone. In such a case, it is in the best interests of both parties that it can be clearly proven later on exactly what information was provided to the data subject, as the liability of the parties will depend on this as well.

Personal data processed

Voice recording, unique identifier.

The legal basis of data processing

Article 6(1)(f) of the Regulation, i.e. the legitimate interest of our Company. Our Company has a legitimate interest in achieving the purposes for which the data are processed.

The source of personal data

Only personal data provided by the data subject will be processed.

Recipients of personal data made available

Personal data are only known to our employees whose job it is to process the data.

WhiteCore Services Kft. (H-1037 Budapest, Erdőalja út 74., company registration number: 01-09-969523; VAT number: 23521603241) – As the developer of the 3CX software that handles and records phone calls, it may be exposed to personal data.

The data processor may process personal data only for the purposes specified by our Company and contractually agreed, in accordance with our instructions, and has no autonomous right to decide on the processing. The data processor has undertaken confidentiality obligations and contractual guarantees with regard to the retention of personal data obtained in the course of its duties.

Transfer of personal data to a third country or international organisation

Our Company shall not transfer personal data to third countries or international organisations.

Duration of processing personal data

Recordings will be deleted after 90 days.

Automated decision-making and profiling

Neither of them takes place during the data processing.

*****

  5. Newsletter dissemination

The purpose of data processing

The purpose of data processing is to inform our current and prospective partners about our products, services, promotions, as well as current news, information and promotions related to the Company’s operations.

Personal data processed

Email address and name. When you subscribe to a newsletter, we process data relating to the time of subscription and the consent given.

Newsletters are sent via the MailChimp system, which also allows us to see the following details of the sent mail:

the fact and time of opening the email,

whether a click was made in the email.

The legal basis of data processing

In case of subscription, the legal basis for data processing is the consent of the data subject.

For those who register on our Company’s website in the Webshippy system, we automatically send newsletters on the basis of our legitimate interest (Article 6(1)(f) of the Regulation). The Webshippy system is used exclusively by entities engaged in sales (webshops) in the exercise of their economic activities and its services are in no way related to the private sphere, which is why, in accordance with Recital (47) of the Regulation, we send our newsletters to the email address used for registration without further explanation. The services offered by Webshippy cannot even be interpreted outside the economic activity, since they are closely linked to the selling activity and not to the private life of natural persons.

Newsletters sent to registrants of Webshippy system are deemed not to be addressed to the representative of the registrant as a natural person, but to the registering legal entity (or sole entrepreneur), in relation to the economic activity, the representative of which must necessarily be a natural person.

Recipients of personal data made available

The personal data provided by the data subject may only be accessed by our colleagues whose job it is to process personal data.

We use the following data processor for data processing:

The Rocket Science Group, LLC

Registered office: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA

Contact: https://mailchimp.com/contact/

Activity: Our company uses the MailChimp mailing system for its newsletter service. The Rocket Science Group LLC, as the operator of the MailChimp software, is involved in the management of the newsletters we send out. MailChimp’s servers are located in the United States of America, but MailChimp has signed the “Privacy Shield” agreement between the European Union and the United States of America, which demonstrates that personal data is afforded similar and adequate protection.

The data processor may process the personal data of the data subject only for the purposes specified by the Controller and contractually agreed upon, in accordance with the instructions of the Controller, and has no autonomous decision-making power with regard to the processing. The data processor has undertaken confidentiality obligations and contractual guarantees with regard to the retention of personal data obtained in the course of its duties.

Duration of processing personal data

In the case of consent, until its withdrawal; the data subject may unsubscribe at any time. You can unsubscribe from the newsletter automatically by clicking on the unsubscribe link in the newsletters, or you can send your unsubscribe request to the [email protected] email address.

In case of data processing based on legitimate interest, until the registration is deleted.

Automated decision-making and profiling

Neither of them takes place during the data processing.

*****

  6. Registration at the www.webshippy.com site

The purpose of data processing

Create a user account on the website.

Personal data processed

Information mandatorily required for registration:

name,

username,

email address,

password.

We do not have access to the password of the data subject; it is stored confidentially. The data subject shall also keep the provided password confidential. If the data subject’s data have come into the possession of an unauthorised third party through his or her own fault, our Company shall not be liable for any damage or disadvantage resulting therefrom.

Providing further data is voluntary. After registration, the data subject is free to provide the following additional personal data in the user account:

contact person’s name, phone number, email address,

name and position of the contractual representative,

bank account number in the case of a sole entrepreneur or natural person.

The legal basis of data processing

The legal basis for the processing is Article 6(1)(b) of the Regulation, i.e. the fulfilment of the obligation between our Company and the data subject during the registration process, on the basis of which the data subject is entitled to use his/her account.

The source of personal data

The data subject or his/her employer.

Recipients of personal data made available

Personal data may be accessed only by those employees of our Company whose specific job function includes this.

We use the following data processor(s) for data processing:

OVH Hosting Limited

Registered office: Unit 12 The Courtyard Building, Carmanhall Road, Sandyford, Dublin 18, Ireland

Activity: OVH Hosting Limited as server and hosting provider contributes to the operation of our Company’s website.

Digital Ocean LLC

Registered office: 01 Avenue of the Americas, 10th Floor, New York, NY 10013, United States

Email: [email protected]

Activity: Digital Ocean LLC as server and hosting provider contributes to the operation of our Company’s website.

The data processor may process the personal data of the data subject only for the purposes specified by the Controller and contractually agreed upon, in accordance with the instructions of the Controller, and has no autonomous decision-making power with regard to the processing. The data processor has undertaken confidentiality obligations and contractual guarantees with regard to the retention of personal data obtained in the course of its duties.

Transfer of personal data to a third country or international organisation

We shall not transfer personal data to any international organisation.

Although Digital Ocean LLC. is a company registered in the United States, it is a signatory to the Privacy Shield Convention, which certifies that the company’s processing of personal data is subject to similar protections as European companies, and therefore transfers to it for processing purposes are not considered transfers to third countries.

Duration of processing personal data

Once the user account is terminated, we delete the personal data processed solely for the purpose of registration.

Automated decision-making and profiling

Neither of them takes place during the data processing.

Provision of personal data

The processing of personal data is an essential condition for the use of the Company’s services.

*****

  7. Issuing and retaining invoices

The purpose of data processing by the Controller is to issue and retain invoices

in accordance with the provisions in Sections 159(1) and 169 of the Act CXXVII of 2007 on Value Added Tax (VAT Act) and

Section 169(2) of the Act C of 2000 on Accounting.

Personal data processed

The data specified in Section 169 of the VAT Act, but at least:

name,

invoicing address,

VAT number.

The legal basis of data processing

The legal basis for the processing of data during the issuing of invoices is Article 6(1)(c) of the Regulation, i.e. the fulfilment of a legal obligation, which in this case is Section 169(1) of the VAT Act.

The source of personal data

The data subject.

Recipients of personal data made available

Personal data may be processed only by those employees of our Company whose specific job function includes this.

We use the following data processor for the processing of personal data:

MiniCRM Zrt. (H-1075 Budapest, Madách Imre út 13-14.; company registration number: 01-10-047449; VAT number: 23982273242) – developer of the MiniCRM software

Everest Accounting Kft. (H-1051 Budapest, Arany János utca 9. 2. em. 1.; company registry number: 01-09-274656; VAT number: 25429428241) – performing bookkeeping for our Company.

KBOSS.hu Kft. (H-1031 Budapest, Záhony utca 7.; company registry number: 01-09-303201; VAT number: 13421739-2-41) – our Company’s invoices are processed in the szamlazz.hu system.

The data processor may process the personal data of the data subject only for the purposes specified by the Controller and contractually agreed upon, in accordance with the instructions of the Controller, and has no autonomous decision-making power with regard to the processing. The data processor has undertaken confidentiality obligations and contractual guarantees with regard to the retention of personal data obtained in the course of its duties.

Transfer of personal data to a third country or international organisation

The Company shall not transfer personal data to third countries or international organisations.

Duration of processing personal data

Invoices are retained for at least 8 years after issue, in accordance with Section 169(2) of the Act C of 2000 on Accounting.

Automated decision-making and profiling

Neither of them takes place during the data processing.

*****

  8. Data processing related to the performance of contracts

In order to provide its services, our Company enters into contracts with its Cooperating Partners, who may be individuals or legal entities.

When entering into a contract with a natural person, we process the personal data necessary to identify and contact that person and other personal data relating to the performance of the contract.

If we enter into a contract with a legal entity, we need to process the data of the contact person of the partner in order to keep in touch during the cooperation and in order to maintain and deepen the cooperation.

Personal data processed

Given that in the case of a contract with a natural person, the source of the personal data is the data subject, we will provide final information on the exact scope of the personal data processed at the time of concluding the contract. In general, in the case of a natural person contracting party, we primarily process the following data:

name (identification),

mother’s name (identification),

place and date of birth (identification),

address (contact),

telephone (contact),

email (contact),

in the case of payment by bank transfer: bank account number, account-holding bank,

in case of contract for pecuniary interest, tax identification number, or VAT number in the case of a sole entrepreneur,

registry number in the case of a sole entrepreneur,

other data absolutely necessary for the performance of the contract.

In the case of a legal entity, we will process the name, telephone number, email address and position of the contact person.

The legal basis of data processing

Natural person: Article 6(1)(b) of the Regulation: performance of the contract

Legal entity: Legitimate interest under Article 6(1)(f) of the Regulation. It is in the legitimate interest of the Company to deepen and maintain the cooperation with the organisation represented by the data subject as a contact person, for which continuous contact is essential, and therefore we need to have the necessary personal data.

The source of personal data

Where we conclude a contract with a natural person, the source of the personal data is the data subject. In the case of contracting with a legal entity, the source of the contact details is the employer of the person concerned.

Recipients of personal data made available

Personal data may be processed only by those employees of our Company who participate in performing the relevant legal relationship.

We use the following data processor for the processing of personal data:

MiniCRM Zrt. (H-1075 Budapest, Madách Imre út 13-14.; company registration number: 01-10-047449; VAT number: 23982273242) – developer of the MiniCRM software

The data processor may process the personal data of the data subject only for the purposes specified by the Controller and contractually agreed upon, in accordance with the instructions of the Controller, and has no autonomous decision-making power with regard to the processing. The data processor has undertaken confidentiality obligations and contractual guarantees with regard to the retention of personal data obtained in the course of its duties.

Transfer of personal data to a third country or international organisation

The Company shall not transfer personal data to third countries or international organisations.

Duration of processing personal data

Our Company will process the data until the expiry of the limitation period, which is generally 5 years from the termination of the contract or, in the case of monetary claims, until recovery.

Contact details will be deleted if the contact person’s employment with the Partner is terminated.

Automated decision-making and profiling

Neither of them takes place during the data processing.

Provision of personal data

All data are provided on a voluntary basis.

*****

III. THE RIGHTS OF THE DATA SUBJECT IN RELATION TO THE PROCESSING

Right to information

The data subject has the right to be informed about the processing of his or her personal data, which the Company fulfils by providing this notice.

Data processing based on consent

Where the legal basis for a processing operation is the data subject’s consent, he or she has the right to withdraw his or her consent at any time. However, it is important to note that the withdrawal of consent can only apply to data for which there is no other legal basis for processing. If there is no other legal basis for the processing of the personal data concerned, the Company will permanently and irretrievably delete the personal data following the withdrawal of consent. Withdrawal of consent under the Regulation shall not affect the lawfulness of processing carried out on the basis of the consent prior to its withdrawal.

Right of access

At the request of the data subject, the Company shall at any time inform the data subject whether or not his or her personal data are being processed and, in case of processing, provide access to the personal data and the following information:

the purposes of data processing;

categories of the personal data affected;

the recipients or categories of recipients to whom or with whom the Company has disclosed or will disclose the personal data, including in particular recipients in third countries or international organisations;

the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period;

the data subject will also be informed of his or her right to request the Company to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;

the right to lodge a complaint with a supervisory authority or to launch a procedure at court;

if the data were not collected directly from the data subject by the Company, any available information on the source of the data;

where automated decision-making is carried out, the fact of such processing, including profiling, and, at least in these cases, the logic used, i.e. the significance of such processing and the expected consequences for the data subject.

Right to the rectification of personal data

The data subject is entitled at any time to have inaccurate personal data relating to him or her rectified by the Company without undue delay upon his or her request. Taking into account the purpose of the processing, the data subject also has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

The data subject must notify the Company as soon as possible of any change in his or her personal data, thus facilitating lawful processing and the enforcement of the data subject’s rights.

Right to deletion

At the request of the data subject, the Company shall delete personal data relating to the data subject without undue delay if one of the following grounds applies:

the Company no longer needs the personal data for the purposes for which it was collected or otherwise processed;

where processing is based on consent, the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or objects to processing for direct marketing purposes;

the personal data are unlawfully processed by the Company;

personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Company;

personal data are collected in connection with the provision of information society services.

Right to restricting data processing

The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Company if one of the following conditions is met:

the accuracy of the personal data is contested; in this case, the restriction applies for the period of time that allows the Company to verify the accuracy of the personal data;

the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;

the Company no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or

the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the Company’s legitimate grounds prevail over the data subject’s legitimate grounds.

Right to objection

Where the processing of personal data is based on the legitimate interests of the controller (Article 6(1)(f) of the Regulation) or is necessary for the performance of a task carried out in the exercise of official authority vested in the controller (Article 6(1)(e) of the Regulation), the data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data, including profiling based on those provisions.

If the data subject’s personal data are processed by the Company for the purposes of direct marketing (e.g. sending information letters), the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of his or her personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to the Company in a structured, commonly used, machine-readable format and the right to have such data transmitted by the Company to another controller if:

processing is based on the data subject’s consent or on a contract within the meaning of Article 6(1)(b) of the Regulation; and

the processing is carried out by automated means.

*****

THE RULES OF PROCEDURE FOR ENFORCING THE RIGHTS OF THE DATA SUBJECT

The data subject may exercise the above rights by sending an email to [email protected], by post to the registered office of the Company (H-2151 Fót, East Gate Business Park C/2.) or by visiting the registered office of the Company in person. The Company shall start the examination and execution of the data subject’s request without undue delay upon receipt. The Company will inform the data subject of the measures taken on the request within 30 days of receipt. If the Company is unable to comply with the request, it shall inform the data subject within 30 days of the reasons for the refusal and of his or her rights to legal remedy.

Within five years of the death of the data subject, the rights enjoyed during his or her lifetime, as set out in this notice, may be exercised by a person authorised by the data subject by means of an administrative arrangement or a declaration in a public or private document of full probative value made to the Controller or, if the data subject made several declarations to a controller, by a declaration made at a later date. If the data subject has not made a corresponding declaration of rights, his or her close relative within the meaning of the Civil Code shall still have the right to exercise the rights under Articles 16 (right to rectification) and 21 (right to objection) of the Regulation and, if the processing was unlawful during the data subject’s lifetime or the purpose of the processing ceased to exist upon the death of the data subject, under Articles 17 (right to deletion) and 18 (right to restriction of processing) of the Regulation within five years of the death of the data subject. The right to exercise the rights of the data subject under this paragraph shall be exercised by the close relative who first exercises that right.

*****

  1. RIGHT TO LEGAL REMEDY IN RELATION TO THE PROCESSING

In order to exercise his or her right to judicial remedy, the data subject may take legal action against our Company if he or she considers that our Company or a processor or joint controller acting on our behalf or at our instructions is processing his or her personal data in breach of the provisions of the law on the processing of personal data or of a binding legal act of the European Union. The court shall act out of turn in the case. The regional court has jurisdiction to hear the case. The action may also be brought – at the option of the data subject – at the place of residence or domicile of the data subject or at the regional court of the place where our Company has its registered office (Pécs Regional Court).

By filing a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), any person may initiate an investigation against the Company on the grounds that a violation of rights has occurred or is imminent in relation to the processing of personal data, or that the Company is restricting the enforcement of his or her rights in relation to the processing of personal data or is refusing to enforce such rights. The notification can be made using one of the following contact details:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

Postal address: H-1530 Budapest, Pf.: 5.

Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c

Telephone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Email: [email protected]

URL: http://naih.hu

Budapest, […]

______________________

Webshippy Magyarország Kft.

Representative: PERÉNYI András, CEO