Ars Una Studio Kft. (Headquarters: 1113 Budapest, Csetneki u. 13., complaints handled at: 1113 Budapest, Csetneki u. 13., tax number: 10772335-2-43, company register number: 01-09-167877, data protection registration number: 03463-0001, email address: email@example.com, phone: +361-279-2320) (hereinafter: Service Provider, data controller) submits to the following prospectus.
On the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation), REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 provides the following information.
This privacy statement is based on the above content specification and covers the following pages: arsuna.hu, mese.arsuna.hu
Amendments to the prospectus will take effect upon publication at the above address.
DATA CONTROLLER CONTACTS:
Name: Ars Una Studio Kft.
Headquarters: 1113 Budapest, Csetneki u. 13.
1. "personal data" means any information relating to an identified or identifiable natural person ("data subject"); a natural person is identifiable, if he/she can be identified, directly or indirectly, particularly based on by an identifier such as name, number, location, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
2. “data handling”: any operation or set of operations on personal data or files, whether automated or non-automated, such as collecting, recording, organizing, sorting, storing, transforming or altering, querying, viewing, using, communicating, transmitting or otherwise making available, coordinating or interconnecting, restricting, deleting or destructing;
3. “data controller”: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
4. “data processor”: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
5. “recipient”: the natural or legal person, public authority, agency or any other body to whom or with which the personal data is disclosed, whether a third party or not. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
6. “the consent of the data subject”: a voluntary, specific, well-informed and unambiguous statement of the data subject's intention, by means of a statement or an act which unequivocally expresses the confirmation, that he or she consents to the processing of personal data concerning him or her;
7. “privacy incident”: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored or otherwise handled.
PRINCIPLES FOR THE HANDLING OF PERSONAL DATA
a) handling must be carried out lawfully and fairly and in a way that is transparent to the data subject ("lawfulness, fairness and transparency").
b) must be collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; processing for archiving in the public interest, for scientific and historical research purposes or for statistical purposes ("purpose limitation") shall not be considered incompatible with the original purpose in accordance with Article 89 (1);
c) must be adequate, relevant and not excessive in relation to the purposes for which they are processed ("data minimization").
d) must be accurate and, when necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without delay ("accuracy").
e) must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period only if the personal data are processed in accordance with Article 89 (1) for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organizational measures provided for in this Regulation to protect the rights and freedoms of data subjects ("purpose limitation");
f) shall be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to personal data ("integrity and confidentiality"), using appropriate technical or organizational measures. The controller is responsible for compliance with the above and must be able to demonstrate such compliance ("accountability").
DATA HANDLING RELATED TO THE WEBSHOP OPERATION
1. The data collection, scope of data processed and purpose of data handling:
- E-mail address: Identification, enabling registration, contact.
- Password: Provides secure access to the user account.
- Surname and first name: Required for contact, purchase and legal invoicing.
- Telephone number: Contact, and more effective coordination of billing or shipping issues.
- Billing name and address: Issuance of a legal invoice, as well as creation of the contract, determination of its content, modification, monitoring of its fulfillment, invoicing of the fees arising from it, and enforcement of the related claims.
- Shipping name and address: To enable home delivery.
- Date of purchase / registration: Performance of technical operation.
- The IP address used at the time of purchase: Performance of technical operation. Neither the username nor the email address requires personal information.
2. Data subjects: All customers registered in the web shop are regarded as data subjects.
3. Duration of data handling, deadline for deleting data: Immediately when canceling the registration.
Except in the case of accounting documents, as these data must be kept for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting. The accounting document (including general ledger accounts, analytical and detailed records) directly and indirectly corroborating the accounting records must be kept in a legible form for at least 8 years, retrievable by reference to the accounting records.
4. Persons of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller's sales and marketing staff in accordance with the above principles.
5. Description of data subjects' rights in relation to data handling:
The data subject may request from the controller access to, rectification, erasure or restriction of the processing of personal data concerning him or her and may object to the processing of such personal data, and the data subject has the right for data portability and withdrawal of consent at any time.
6. Access to, deletion, modification or restriction of the processing of personal data, portability of data, and protest against data processing can be initiated by the data subject in the following ways:
by mail, at the 1113 Budapest, Csetneki u. 13. address, - by e-mail, at the firstname.lastname@example.org e-mail address, - by phone, on the +361-279-2320 number.
7. Legal basis for data handling:
7.1. Consent of the data subject, Article 6 (1) (a) and (b), Infotv. Section 5 (1),
7.2. Section 13 / A (3) of Act CVIII (hereinafter: Elker Act) of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services: The service provider may process the personal data that are technically necessary for the provision of the service in order to provide the service. If the other conditions are the same, the service provider must choose and in all cases operate the means used in the provision of the information society service in such a way, that personal data be processed only if it is absolutely necessary for the provision of the service and the fulfillment of other purposes specified in this Act, however, even in this case only to the extent and for the time necessary.
7.3. In the case of an invoice in accordance with accounting legislation, Article 6 (1) (c).
8. Please note that data handling is based on your consent. You are required to provide personal information in order for us to fulfill your order. Failure to provide this will result in the inability to process your order.
1. Activity of data processing: Delivery of goods, transportation.
2. Name and contact details of the data processor: GLS General Logistics Systems Hungary Kft. mail address: 2351 Alsónémedi, GLS Európa utca 2. Telephone number: +36 20 890-0660 E-mail: email@example.com, privacy notice: https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat
3. The data handling, the scope of the managed data: Delivery name, delivery address, telephone number, e-mail address.
4. Data subjects: All data subjects requesting home delivery.
5. Purpose of data handling: Home delivery of the ordered product.
6. Duration of data handling, deadline for deleting data: Until the home delivery is completed.
7. Legal basis for data processing: The User's consent, Article 6 (1) a), Infotv. Section 5 (1).
IFSz Kft. Headquarters: 4026 Debrecen, Péterfia utca 4. III/313,314, Email: firstname.lastname@example.org, Telephone: +36 (52) 503 020,
Google Ads advertisements
Pozitivo Digital Kft. Headquarters: 1135 Budapest, Szent László út 28-30. 7/89., Tax number: 13356466-2-41, Company registration number: 01-09-731103, E-mail: email@example.com, Telephone: +3630/486-1069
1. Web store-specific cookies are so-called “cookies used for password-protected sessions,” “shopping cart cookies,” and “security cookies,” the use of which does not require prior consent from those involved.
2. The data handling, the scope of data managed: Unique identification number, dates, times
3. Data subjects: All data subjects who visit the website.
4. The purpose of data handling: To identify users, record “shopping carts” and track visitors.
5. Duration of data handling, deadline for deleting data: Cookie type Legal basis of data handling Duration of data handling Data group managed Session cookies Act CVIII of 2001 (Elkertv.) 13 / A. § (3) on certain aspects of electronic commerce services and information society services The period until the end of the relevant visitor session connect.
6. Identity of potential data controllers entitled to access the data: The data controller does not process personal data using cookies.
7. Description of data subjects' rights in relation to data processing: The data subject has the option to delete cookies in the Tools / Settings menu of browsers, usually under the settings of the Privacy menu item.
USING GOOGLE ADS CONVERSION TRACKING
1. An online advertising program called "Google Ads" is used by the data controller and uses Google's conversion tracking service.
Google Conversion Tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; „Google “).
2. When a User accesses a website through a Google ad, a conversion tracking cookie is placed on their computer. These cookies have a limited validity and do not contain any personal data, so the User cannot be identified by them.
3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller may see that the User has clicked on the advertisement.
4. Each Google Ads customer receives a different cookie, so they cannot be tracked through Ads customers' websites.
5. The information obtained through conversion tracking cookies is used to generate conversion statistics for AdWords conversion tracking customers. This is how customers find out the number of users who clicked on their ad and were sent to a page with a conversion tracking tag. However, they do not have access to information that could identify any user.
6. If you do not wish to participate in conversion tracking, you can opt out by disabling cookies in your browser. You will then not be included in conversion tracking statistics.
7. More information and Google's privacy statement can be found at: www.google.de/policies/privacy/
APPLYING GOOGLE ANALYTICS
1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called "cookies", which are text files placed on your computer, to help the website analyze how Users use the site.
2. The information created by the cookie about the website used by the User is usually stored on a Google server in the USA. By activating IP anonymization on the Website, Google will shorten the User's IP address within the Member States of the European Union or in other States party to the Agreement on the European Economic Area.
3. The full IP address will be transmitted to and truncated at Google's server in the U.S. only in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the User has used the website, to provide the website operator with reports on the activity of the website and to provide additional services related to the use of the website and the Internet.
4. Within the framework of Google Analytics, the IP address transmitted by the User's browser is not reconciled with other data of Google. The User may prevent the storage of cookies by setting their browser accordingly, however, please note that in this case, not all functions of this website may be fully available. You may also prevent Google from collecting and processing your information about your use of the Website (including your IP address) by cookies by downloading and installing the browser plugin available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu
A Facebook pixel is a code that is used to report conversions on a website, compile target audiences, and give the page owner detailed analytics data about visitors’ use of the website.
With the help of the Facebook remarketing pixel tracking code, you can display personalized offers and advertisements on the Facebook interface to the visitors of the website.
The Facebook remarketing list is not capable of personal identification. You can find more information about Facebook Pixel here: https://www.facebook.com/business/help/651294705016616
NEWSLETTER, DM ACTIVITY
1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising, the User may give prior and express consent to the Service Provider, that it may contact him/her with advertising offers and other items at the contact details provided during registration.
2. Furthermore, keeping in mind the provisions of this prospectus, the Customer may consent to the Service Provider to process the personal data necessary for sending advertising offers.
3. The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving offers free of charge without restriction or justification. In this case, the Service Provider deletes all personal data - necessary for sending advertising messages - from its register and does not contact the User with its further advertising offers. The User can unsubscribe from the advertisements by clicking on the link in the message.
4. The data collection, scope of data processed and purpose of data handling:
- Name, e-mail address: Identification, subscription to the newsletter.
- Date of subscription: Performance of technical operation.
- IP address used for subscription: Performance of technical operation.
5. Data subjects: All data subjects who subscribe to the newsletter.
6. The purpose of data handling: to send electronic messages containing advertisements to the data subject, to inform the data subject about relevant information, products, promotions and new functions.
7. Duration of data handling, deadline for deleting data: data handling lasts until the withdrawal of the consent statement, i.e. until un-subscription.
8. Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller's sales and marketing staff, respecting the above principles.
9. Description of data subjects' rights in relation to data processing:
The data subject may request from the controller access to, rectification, erasure or restriction of the processing of personal data concerning him, and may object to the processing of such personal data, and the data subject also has the right for data portability and to withdraw consent at any time.
10. Access to, deletion, modification or restriction of the processing of personal data, portability of data and protest against data processing can be initiated by the data subject in the following ways:
- by mail, at the 1113 Budapest, Csetneki u. 13. address,
- by e-mail, at the firstname.lastname@example.org e-mail address,
- by phone, on the +361-279-2320 number.
11. The data subject may unsubscribe from the newsletter at any time, free of charge.
12. Legal basis for data processing: consent of the data subject, Article 6 (1) (a), that is Section 5 (1) of the Infotv., and Section 6 (5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising: The advertiser, the advertising service provider and the publisher of the advertisement shall keep records of the personal data of the persons who have made a statement of consent to them, within the scope specified in the consent. The data contained in this register relating to the recipient of the advertisement may be processed only in accordance with the statement of consent, until it is withdrawn, and may be disclosed to third parties only with the prior consent of the person concerned.
13. Please note that data handling is based on your consent. You are required to provide personal information if you wish to receive a newsletter from us. Failure to provide this will result in the inability to send you a newsletter.
1. The data collection, scope of data processed and purpose of data handling:
- Surname and first name: Identification, contact.
- E-mail address: Contact.
- Telephone number: Contact.
- Billing Name and Address: Identification, handling of quality objections, questions and issues related to the products ordered.
2. Data subjects: All data subjects shopping on the web shop website who have a quality complaint.
3. Duration of data handling, deadline for deleting data: Copies of the minutes, transcripts and responses to the statement shall be kept for 5 years pursuant to Section 17 / A (7) of Act CLV of 1997 on Consumer Protection.
4. Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller's sales and marketing staff, respecting the above principles.
5. Description of data subjects' rights in relation to data processing:
The data subject may request from the controller access to, rectification, erasure or restriction of the processing of personal data concerning him or her and may object to the processing of such personal data, and the data subject also has the right for data portability and withdrawal of consent at any time.
6. Access to, deletion, modification or restriction of the processing of personal data, portability of data, and protest against data processing can be initiated by the data subject in the following ways:
by mail, at the 1113 Budapest, Csetneki u. 13. address,
by e-mail, at the email@example.com e-mail address,
by telephone, on the +361-279-2320 number.
7. Legal basis for data processing: consent of the data subject, Article 6 (1) (c), Section 5 (1) of the Infotv., and Section 17 / A (7) of Act CLV of 1997 on Consumer Protection.
8. We would like to inform you that the provision of personal data is based on a contractual obligation. The processing of personal data is a precondition for concluding the contract. You are required to provide personal information so that we can handle your complaint. Failure to provide information has the consequence that we are unable to handle the complaint we receive.
COMMUNITY/SOCIAL MEDIA SITES
1. The data collection, the scope of handled data:
Name registered on Facebook / YouTube social media and video sharing sites, and the user's public profile picture.
2. Data subjects: All data subjects who have registered on the Facebook / YouTube social media sites and “liked” the site.
3. Purpose of data collection:
Sharing or "liking" certain content elements, products, promotions or the website itself on social media sites.
4. Duration of data processing, deadline for deletion of data, identity of potential data controllers entitled to access the data and description of the rights of data subjects in relation to data processing: The source of the data, their handling, the method and the legal basis of the transfer can be found on the relevant community page. Data handling is carried out on the social networking sites, so the duration and method of data handling, as well as the possibilities of deleting and modifying data are regulated by the given social networking site.
5. Legal basis for data processing: the voluntary consent of the data subject to the processing of his or her personal data on social networking sites.
CUSTOMER RELATIONS AND OTHER DATA HANDLING
1. If the data subject has a question or problem while using our data handling services, he or she may contact the data controller in the ways provided on the website (telephone, email, social networking sites, etc.).
2. The data controller deletes the received e-mails, messages, data provided by telephone, on Facebook, etc. together with the name and e-mail address of the customer and other personal data provided voluntarily, no later than 2 years after the data was provided.
3. Information on data processing not listed in this prospectus will be provided at the time of the data collection.
4. Upon an exceptional official request, or on the basis of the authorization of other bodies if authorized by law, the Service Provider is obliged to provide information, disclose data, hand over documents or make documents available.
5. In these cases, the Service Provider will provide the requester with personal data only to the extent that is absolutely necessary for the realization of the purpose of the request, provided that it has indicated the exact purpose and scope of the data.
RIGHTS OF DATA SUBJECTS
1. Right of access: You have the right to receive feedback from the controller as to whether your personal data is being processed and, if such processing is in progress, you have the right to access the personal data and information listed in the Regulation.
2. Right of rectification: You have the right, at your request, to have inaccurate personal data concerning you rectified by the controller without undue delay. Considering the purpose of the data processing, you have the right to request the completion of incomplete personal data, by means of a supplementary statement.
3. Right of deletion: You have the right to have your personal data deleted without undue delay at your request, and the controller is obliged to delete your personal data without undue delay under certain conditions.
4. Right to forget: If the controller has disclosed personal data and is obliged to delete it, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that you have requested the deletion of copies, duplicates and links to the personal data in question.
5. Right to restrict data processing: You have the right to have the data controller restrict the data processing at your request if one of the following conditions is met:
- You dispute the accuracy of personal data; in which case the restriction applies to the period of time that allows the data controller to verify the accuracy of the personal data.
- the processing is unlawful, and you oppose the deletion of the data and instead ask for a restriction on its use.
- the data controller no longer needs the personal data for data processing purposes, but you request the data in order to make, enforce or protect legal claims.
- You objected to the data processing; in this case, the restriction applies for as long as it is established whether the legitimate reasons of the controller take precedence over your legitimate reasons.
6. Right to data portability: You have the right to receive personal data about yourself provided to you by the data controller in a structured, widely used, machine-readable format, and you have the right to transfer this data to another data controller without being hindered by the controller to whom you have made the personal data available.
7. Right to protest: You have the right to object at any time to the processing of your personal data, including profiling based on the above provisions, for reasons related to your own situation.
8. Protest in the case of direct business acquisition: If personal data is processed for the purpose of direct business acquisition, you have the right to object at any time to the processing of personal data concerning you for this purpose, including profiling, insofar as it relates to direct business acquisition. If you object to the processing of personal data for the purpose of direct business acquisition, the personal data may no longer be processed for this purpose.
9. Automated decision-making in individual cases, including profiling: You have the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effect or would have a significant effect on yourself.
The preceding paragraph shall not apply if the decision:
- is necessary for the conclusion or performance of a contract between you and the data controller.
- is governed by EU or Member State law applicable to the controller, which also lays down appropriate measures to protect your rights and freedoms and legitimate interests; or
- is based on your express consent.
DEADLINE FOR ACTION
The controller shall inform you without undue delay, but in any case, within 1 month of receipt of the request, of the action taken on the above requests. If necessary, it can be extended by 2 months.
The data controller shall inform you of the extension of the deadline, indicating the reasons for the delay, within 1 month from the receipt of the request.
If the controller does not take action on your request, it will inform you without delay, but no later than one month after receipt of the request, of the reasons for the non-action and of the fact that you can lodge a complaint with a supervisory authority and have a judicial remedy.
SECURITY OF DATA PROCESSING
The controller and the processor shall take appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of the processing and the varying likelihood and severity of the risk to individuals' rights and freedoms, to guarantee a level of data security in commensuration with the degree of risk, including, inter alia, where appropriate:
a) pseudonymization and encryption of personal data;
b) ensuring the continued confidentiality, integrity, availability and resilience of systems and services used to process personal data.
c) in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner.
d) a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures taken to ensure the security of data processing.
INFORMING THE DATA SUBJECT ABOUT THE DATA PRIVACY INCIDENT
If the data privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data privacy incident without undue delay.
The information provided to the data subject shall clearly and intelligibly describe the nature of the data privacy incident and the name and contact details of the data security official or other contact person providing further information; the likely consequences of the data privacy incident must be described; the data subject shall be informed of the measures taken or planned by the controller to remedy the data privacy incident, including, where appropriate, the measures taken to mitigate any adverse consequences arising from the data privacy incident.
The data subject need not be informed if any of the following conditions are met:
• the controller has implemented appropriate technical and organizational security measures and these measures have been applied to the data affected by the data privacy incident, in particular, measures, such as the use of encryption, which make the data incomprehensible to persons not authorized to access the personal data;
• the controller has taken further measures following the data privacy incident to ensure that the high risk to the data subject's rights and freedoms is no longer likely to materialize.
• information would require a disproportionate effort. In such cases, the data subject shall be informed through publicly available information or a similar measure shall be taken to ensure that the data subject is informed in an equally effective manner. If the data controller has not yet notified the data subject of the data privacy incident, the supervisory authority may, after considering whether the data protection incident is likely to involve a high risk, order that the data subject be informed.
REPORTING A DATA PRIVACY INCIDENT TO THE AUTHORITY
The data privacy incident shall be reported by the controller to the supervisory authority competent under Article 55 without undue delay and, if possible, no later than 72 hours after becoming aware of the data privacy incident, unless the data protection incident is not likely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must be provided.
Complaints against possible breaches by the data controller can be lodged with the National Data Protection and Freedom of Information Authority: National Data Protection and Freedom of Information Authority 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Mailing address: 1530 Budapest, Mailbox: 5. Telephone: +36 -1-391-1400 Fax: +36-1-391-1410 E-mail: firstname.lastname@example.org
During the preparation of the prospectus, the following legislations were considered:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Act CXII of 2011 – on the right to informational self-determination and freedom of information (hereinafter: Infotv.)
- Act CVIII of 2001 – on certain aspects of electronic commerce services and information society services (notably Article 13 / A)
- Act XLVII of 2008 – on the prohibition of unfair commercial practices against consumers.
- Act XLVIII of 2008 – on the basic conditions and certain restrictions of commercial advertising (in particular § 6)
- Act XC of 2005 on Electronic Freedom of Information
- Act C of 2003 on Electronic Communications (specifically § 155)
- Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioral Advertising
- Recommendation of the National Authority for Data Protection and Freedom of Information on data protection requirements for prior information
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).