1. Data processing policy
Swimwear Company Korlátolt Felelősségű Társaság (seat: H-4032 Debrecen, Füredi út 98.; company registry number: 09-09-019448; hereinafter: „Operator” or „Data Controller”) is committed to protecting the privacy of its customers, therefore pays close attention to ensure that the collection, management, use, processing and possible transfer of personal data are conducted in accordance with the provisions of Act CXII of 2011on information self-determination and freedom of information, Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity, Act CVIII of 2001 on certain issues of electronic commerce activities and information society services, Act CXIX of 1995 on the Handling of Names and Addresses for Purposes of Research and Solicitation and Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, referred as „GDPR”, effective as of 25 May, 2018 and other relevant laws, national and international recommendations.
|Data subject||Any natural person who is identified or identifiable – directly or indirectly – on the basis of any specified personal data;|
|Personal Data||Data that can be related to the data subject, in particular the data subject’s name, personal identification mark, as well as knowledge of one or more physical, physiological, mental, economic, cultural or social identities, and a conclusion that can be drawn from the data concerning the data subject;|
|Consent||Voluntary and determined expression of the will of the data subject which is based on appropriate information, and by which the data subject gives his/her unambiguous consent to the complete or specific processing of personal data concerning him or her;|
|Protest||Statement by the data subject complaining about the processing of his / her personal data and requesting the termination of the data processing or the deletion of the data processed;|
|Data Manager||Any natural or legal person, or any organization without legal personality, who alone or jointly with others determines the purpose of the data process, makes and implements decisions regarding data management (including the device used), or executes them with the data processor;|
|Data Processing||Regardless of the procedure used, any operation or combination of operations on the data, in particular collection, recording, fixing, systematization, storage, alteration, use, query, transmission, disclosure, matching or linking, locking, deleting and destruction of data, or preventing further use of the data, to take a photograph, or to record sound or images, and to record personally identifiable physical features (e.g. fingerprints, palm prints, DNA samples, iris images);|
|Data Transmission||Making the data available to a specific third party;|
|Disclosure||Making the data available to anyone;|
|Data Deletion||Making data unrecognizable in such a way that it is no longer possible to recover it;|
|Data Destruction||Total physical destruction of the data carrier containing the data;|
|Data Processing||Performing technical tasks related to data processing operations, irrespective of the method and device used to perform the operations and its location, provided that the technical task is performed on the data;|
|Data Processor||Any natural or legal person, or any organization without legal personality, who carries out the processing of data under a contract, including a contract under a legal provision;|
|Data Marking||Providing the data with identification mark in order to distinguish it;|
|Data Locking||Providing the data with identification mark in order to limit its further processing for a definitive or specified period of time;|
|Third Party||Any natural or legal person, or any organization without legal personality, who is not the data subject, the data controller or the data processor;|
|EEA State||Member state of the European Union and other state that is member of the Agreement on the European Economic Area, furthermore, state citizen of which shall enjoy the same legal status as a citizen of a member state of the European Economic Area, based on the international agreement concluded between the European Union and its member states and states that are not members of the Agreement on the European Economic Area;|
|Third Country||Any State that is not an EEA State;|
|Data Privacy Incident||Unlawful handling or processing of personal data, including in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction or damage.|
3. Your data manager and its contact details
Data Manager: Swimwear Company Korlátolt Felelősségű Társaság (seat: H-4032 Debrecen, Füredi út 98.; company registration number: 09-09-019448)
Contact person: Szarvas Levente
Contact details: +36 70 6104702 , firstname.lastname@example.org
The scope and the legal basis of the data processing
The Operator manages the data of the users of the Website. These terms and conditions also apply to visitors to the Web Store, our contractual partners and our performance assistants and contributors.
We shall only process personal data of individuals who have consented to the processing or transfer of their personal data to third parties, or if it is ordered by law or decree of the local government – under the authority of the law, within the scope specified therein – for public interest purpose.
It is also a consent to select the box when viewing the Website, to send personal data to our postal, e-mail or other contact, to make technical settings when using information society services, and to make any other statement or an act which clearly indicates, in the given context, that the data subject’s consent to the intended processing of his or her personal data.
Beyond that, in accordance with the Article 6 of the GDPR and Section 6 of the Info Law, we shall only process personal data when obtaining the consent of the data subject would be impossible or its cost would be disproportionate, and the processing is necessary for the performance of our obligation or for our own interest or the legitimate interest of a third party, and enforcement of this interest is proportionate to the restriction of the right to the protection of personal data. We shall process personal data from you and our other partners if the data subject has consented to the transfer of your personal data to a third party. We are not entitled to transfer the managed data for advertising or other purposes without your express consent.
In order to fulfil legal obligations such as accounting and taxation (required by Sections 169 and 202 of Act CXXVII of 2007on Value Added Tax, Act CXVII of 1995 on Personal Income Tax, Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, Act C of 2000 on Accounting), in order to fulfill legal obligations (accounting, taxation), the Operator shall manage the data of the natural persons who are in business relationship with it as a buyer or as a supplier.
The Operator shall handle/treat the documents that are deemed to be of permanent value by Act LXVI of 1995 on public records, public archives, and the protection of private archives and not received by customers under its legal obligations until these documents are handed over to the archive.
By submitting your personal data to the Operator, your consent to data processing is deemed to be granted.
By submitting your personal information to us, you warrant that you are entitled to such processing, including in particular the transfer of data.
The Operator disclaims all liability for any claim made in connection with the breach of the above warranty, and at the same time, you shall be liable for any loss or damage suffered by the Operator as a result of the falsity or mistake of the above warranty.
4. The purpose of the data processing
The purpose of the data processing in relation to the personal data held by the Operator is as follows:
- provision of services by the Operator, purchase of products offered for purchase;
- creating and managing a user account in the Web Store;
- providing information on data and it’s changes regarding the services and products;
- maintaining the relationship between the Operator and the Customer;
- providing newsletters;
- providing information on news and interesting information related to the Operator;
- service development – for this end, we need, among other things, to collect and use certain information about your shopping habits; therefore, we conduct market research directly or with external partners and ask you to complete a satisfaction survey after a specific order;
- conducting marketing activities;
- generating and maintaining a marketing database;
- conducting direct marketing activities;
- providing support services, including answering any questions you may have about the products and services advertised by the Operator, or questions you may have about a particular order.
5. Duration of the data processing
The data processing is carried out solely to the extent necessary for the purpose, for the period of time and only with the personal data that is essential for the purpose of data processing and otherwise suitable for the purpose, especially as long as your rights and obligations with respect to your information, provision of services and related administration exist.
As a general rule, we store your personal information for the duration of existence of your user account.
If you do not have a user account in the Web Store, as a general rule, we are obliged to store all order information for a period of 3 (three) years from the completion of the order. Similar to the above, we may be required to provide data storage beyond the three year period in accordance with applicable legal storage requirements concerning particular data.
6. Scope of the processed data
6.1. General definition
The personal data processed by the Operator shall be the data that the Operator takes or could take possession of during the use of the Operator’s services, the selling of its products offered for sale and performing the contract for this purpose, by way of provision of personal data by customers of the Operator’s products or services, potential customers, prospective contractors, users of the Operator’s online interface; and additionally by way of provision of any personal data provided by you to the Operator.
There may be several cases of data processing in connection with contacting, ordering and fulfilling the order and visiting the site. We would like to inform you that regarding complaint handling, warranty administration stipulated in Section 14 the data processing shall only be effective if you exercise any of these rights.
If you do not make a purchase through the Web Store and you are only a visitor to it, then, if you give us a marketing consent, you may be subject to the data processing terms set out in Section 12 for marketing purposes.
6.2. Data processing based on contacting
Pre-contact is optional, and you can order from the Web Store without it at any time. However, if you contact the Operator by email, or telephone regarding a product, the information you provide during the contact (including, but not limited to your name, address, telephone number, email address, buyer number (customer number), online ID) shall be processed by the Operator. The data shall be processed at least until the contact is completed, and at most until it is necessary. The legal basis for data processing is your voluntary consent given to the Operator by way of contacting.
6.3. Data processing for the purpose of concluding and performing the agreement
The personal data processed in this regard may include, but is not limited to:
a) Personal data in case of a natural person customer:
For these purposes, the Operator processes the name, address, telephone number, email address, buyer number (customer number) and online ID of the natural person who created the user account in the Web Store. Data processing begins lawfully and automatically when a user account is created.
b) Personal data in case of natural person representing a legal person customer:
Personal data processed: name, address, telephone number, email address, online ID of the natural person.
6.3.1. Registration in the Web Store
By storing the information provided during registration, the Operator can provide a more convenient service. Registration is a prerequisite for contracting. Visitors of the Website will only be asked for their personal information if they wish to register, place an order the online interface provided for this purpose.
In the course of data processing, the Operator processes your name, address, telephone number, e-mail address, product specifications and date of purchase. Data processing shall last until your consent is withdrawn or your purpose is terminated, whichever happens earlier.
6.3.2. Processing of order
In the course of data processing, the Operator processes your name, billing and shipping address, telephone number, e-mail address, product specifications, order number and date of purchase. If you place an order in the Web Store, data procession and data provision are essential for the performance of the contract. The Operator shall process the data under this clause for 5 years. The legal basis for data processing is the performance of the contract.
6.3.3. Issue of invoice
In this regard, the Operator shall process your name, address, e-mail address, and telephone number in order to issue an invoice in accordance with the law and to fulfil the obligation to retain the accounting document. Invoices issued shall be retained under applicable law for a period of 8 years from the date of issue of the invoice, so the Operator shall process personal data for at least this period. The purpose of data processing is to comply with the applicable laws.
6.3.4. Transportation of products
In this regard, the Operator shall process your name, address, e-mail address, and telephone number in order to perform the contract. The Operator shall manage the data under this clause for 5 years. The legal basis for data management is the performance of the contract.
7. Data processing
The Operator shall rely on the assistance and services of data processor (s) (in particular, but not exclusively accountants, IT service providers) for its data processing activities. Data processing is carried out on the basis of a data processing contract concluded between the Operator and the data controller, which ensures the data processor’s confidentiality obligation and thus the security of data processing.
8. Persons who are entitled to access the data
The personal data you provide to us may be known and handled by the Operator’s employees, executives, consultants, data processing or other employees and partners to whom you consent to the transfer of data.
In accordance with the legislative requirement, courts and certain authorities have the right to know personal data processed by the Operator. The court, prosecutor’s office and other authorities (e.g. police, tax authorities, Hungarian National Authority for Data Protection and Freedom of Information) may contact the Operator for provision of information or documents or data transfer. In these cases, we have to fulfil our reporting obligation to the extent necessary to achieve the purpose of the request.
9. Handover and transfer of data
We understand that your information is valuable and we shall do our best to protect it in the course of our data processing.
We may share personal data provided to us in specific cases with third parties who cooperate with us or act on our behalf if this is necessary to achieve the purpose for which the data has been provided by the data subject or by you. The personal data may also be transferred by the Operator to other third parties if this is intended to serve you more efficiently or if such third parties process such data on behalf of the Operator.
However, we made sure that these third parties shall properly protect the information and data.
The Operator may transfer personal data to third party data processors providing an appropriate level of technical and organizational guarantees. The Operator may use external service providers for routine server maintenance, data storage, or other IT tasks in accordance with generally accepted privacy practices.
In some cases, we may share your personal data with, or grant access to your certain personal data to the following parties:
- to our clients providing marketing / telemarketing services
- our financial / banking partners;
- our courier and express delivery partners;
- companies belonging to the same group of companies as the Operator.
We only share information with other third parties if
- we have obtained your consent;
- we are required to do so by law; or
- it is necessary for the purposes of legal procedures, pertaining thereto, or for the exercise of rights granted by law.
By providing your personal data, you expressly consent to such transfer of data and you warrant that you are entitled to transfer such data to the Operator for such purpose.
As soon as the conditions for the lawful control or transfer of data are not met, the Operator shall promptly take action to erase personal data from the database and notify you of the fact of erasure.
10. Transfer of personal data to countries outside the European Union
In the process of delivering a product or preforming a service requested by you, your personal data may be forwarded to third countries, because in certain cases the employees, contractors, sub-contractors of the Operator are located outside of EEA states and perform services from these states. In this case the transfer of data is done in compliance with Chapter V of the GDPR, by the criteria set out therein (e.g. compliance decision of the EU Commission, general data protection criteria, company policy).
11. Data Security
The data that came into the possession of the Operator during the processing of data, stored in the electronic information systems or the ordinary paper data carriers shall be processed with the utmost discretion as strictly confidential, and the Operator shall seek to protect them by all legal means, particularly by technical and organisational measures against unauthorised access, alteration, transfer, publishing, other abuse, erasure and eradication or accidental loss.
Within the scope of organisational measures, we ensure surveillance of physical access to our buildings, train our employees constantly and store our paper documents confidential with adequate protection.
The closed IT system of the Operator offers adequate protection for the processing of data in electronic information systems. Similarly to the Operator, our data controls and partners ensure the protection of data and they only strictly use of data with purpose limitation. Only authorised persons have access to data, the authenticity and validity of data is ensured, the data is unaltered, and the data is protected against unauthorised access.
The Operator ensures the security of data through such technical, management and organisational measures, which offer a level of protection appropriate for the risks arising in connection with data processing. We have adopted widely accepted technological and operation safety solutions in order to counter the loss, alteration, eradication or abuse of identifiable personal data. We make every effort to ensure the protection of personal data processed by the Operator through appropriate confidentiality and technical and security measures. Personal data may only be accessed by duly authorized staff that have undertaken confidentiality and authorized controllers.
However, we bring to your attention the fact that the confidentiality, integrity and availability of data transfer through our website extend beyond the scope of our website, thus we cannot undertake liability for it. We adhere to strict rules regarding the data received for the security of our data and the prevention of unauthorised access.
12. Data processing for marketing purposes
By using our Web Store and the registration of your email address you give your consent for the Operator to send professional materials, and other information, notifications in connection with the Operator in the form of a newsletter. The subscription is voluntary and can be withdrawn at any time through the link in the newsletter or by an email reply.
The Operator shall create a database consisting of the data of the persons providing their contact details (company name, name, position, company email address), the persons and organisations contained in the database (company email addresses in case of contact persons) and send a newsletter to them with topics that are relevant to them according to their request or according to the opinion of the Operator. The Operator shall store the data provided during subscription in its own customer contact management system – in servers located in Hungary, and in the European Union – and process them confidentially, and shall not hand over or make them available to unauthorised persons.
The newsletters are not addressed to the contact persons as individuals, but to their affiliated organizations, and the Operator stores and processes the information provided, stored and processed in connection with the above data processing, not as the contact person’s personal data, but for the purpose of contacting you, so personal data shall not be processed in this case.
The Operator reserves the right to exclude anyone at any time from the sending of newsletters. The Operator processes personal data up until the erasure of data is not requested by the data subject.
During the newsletter service, the sending of newsletters is done by a third person MailChimp – The Rocket Science Group, LLC (seat: 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA, company registry number: 01543536) being in contractual relation with the Operator, thus the contact data is handed over to it. The company performing newsletter services processes data in confidence, and shall not hand over, make available the data to third persons, in addition its own policy is applicable to data processing.
Data processing as a remarketing activity is done by using cookies.
The cookies of Google Analytics, Google AdWords and Facebook gather statistical data relating to the visits to the Website (e.g. number of visitors, approximate geographical location etc.) The Operator uses the statistical data received regarding the traffic and use of its websites through these services for the development of these websites.
13. Data processing activity
13.1. Data processing in connection with the delivery of goods
Name of the data processor: TNT Express Hungary Kft.
Seat of the data processor: International Airport Terminal 1, TNT Building (283) , H-1185 Budapest, Hungary
Phone number of the data processor: +36 80 31 31 31
E-mail address of the data processor: email@example.com
Name of the data processor: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
Seat of the data processor: 2351 Alsónémedi GLS Európa u. 2.
Phone number of the data processor: +36 29 88 66 70
E-mail address of the data processor: firstname.lastname@example.org
The data processor participates in the delivery of the ordered goods on the basis of a contract concluded with the Operator. In doing so, the Operator may process the name, address and telephone number of the customer until the end of the calendar year following the date of dispatch of the postal item and shall immediately delete it thereafter.
13.2. Data processing in connection with newsletters
Name of the data processor: MailChimp – The Rocket Science Group, LLC
Seat of the data processor: 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA
Phone number of the data processor: (678) 999-0141
E-mail address of the data processor: email@example.com
The Data Processor participates in the sending of newsletters on the basis of a contract concluded with the Operator. In doing so, the Operator shall process the data subject’s name and e-mail address to the extent necessary for sending the newsletter and shall delete it immediately upon the request of the data subject.
13.3. Data processing in connection with online payments
Name of the data processor: Paylike
Seat of the data processor: DK-8200, Aarhus, Pedersenvej 14.
Phone number of the data processor: +36 1 500 9480
E-mail address of the data processor: firstname.lastname@example.org
The Data Processor participates in the execution of the online payment on the basis of a contract concluded with the Operator. In doing so, the Operator shall process the billing name and address of the data subject, the order number and date of the order within the civil statute of limitations.
14. Consumer protection
The data management process serves to control warranty and other consumer protection complaints. If you have requested warranty service, data processing and data entry is essential. In this regard, the Operator processes the name, telephone number, email address of the customer and the content of the complaint. Warranty claims are stored for 5 years based on Act CLV of 1997 on Consumer Protection („Ftv.”). The legal basis for data processing is your warranty claim, which is your voluntary decision. If you contact us, we are obliged to keep the complaint for 5 years according to 17/A § (7) of Ftv.
15. The rights of data subjects in connection with data processing
15.1. Request for information
The data subjects may request information about the personal data they have provided and which are processed by the Operator, furthermore about their source, purpose, legal basis, duration, data processor’s name, address and activities related to data processing, as well as the legal basis and recipient of the data transfer.
Requests for information shall only be fulfil personally by the Operator in order to ensure the security of the data of the data subjects. To this end, requests for information may be sent to the Operator in writing in the form of a document with full probative force, by e-mail or fax, provided that they are sent in writing. The Operator shall provide the information to the address given by the data subject in writing, as soon as possible and in any event within 30 days.
Please note that information on a particular data set is provided free of charge once per annum, and the Operator may charge a reasonable reimbursement for further information.
If a data subject informs the Operator, simultaneously providing the specified personal data, that the personal data being processed is incorrect, or otherwise the Operator becomes aware of the personal data error and the correct data, the personal data shall be corrected by the Operator. The Operator shall notify the data subject of the correction or of the rejection of his / her request for rectification.
15.3. Erasure or blocking
Data subjects have the right to request the deletion or blocking of their personal data. Personal data shall be blocked if, on the basis of the information in our possession, it is presumable that the deletion would harm the legitimate interests of the data subject. The blocked personal data shall only be controlled for as long as there is a purpose for the data processing, which prevented the erasure of personal data. We shall notify you of the erasure or blocking, or of any refusal of your request for erasure or blocking.
The Operator shall mark the personal data it processes if the data subject disputes its correctness or accuracy, but the inaccuracy of the disputed personal data cannot be clearly established.
The data subjects, except in the case of mandatory data processing, have the right to object to the processing of their personal data:
- if the processing or transfer of their personal data is necessary only for the fulfilment of the legal obligation of the Operator or for the enforcement of a legitimate interest of the Operator or a third person; or
- if their personal data is used or transferred for the purposes of direct marketing, opinion polling or scientific research, provided that they have not been consented to it; or
- in cases determined by law.
The Operator shall examine the objection as soon as possible, but not more than 15 days from the submission of the request, and shall make a decision on the merits of the objection and inform the requestor in writing of its decision.
If the objection is well founded, the Operator shall terminate the processing of the data, including further data collection and transfer, shall block the data, and shall inform all persons to whom the personal data subject to the objection have previously been transmitted, and who are required to take action to enforce the right of protest.
15.6. Data portability
Data subjects have the right to receive personal data concerning them which they have made available to us in a structured, widely used, machine-readable format, and to transfer such data to another data processor without being prevented from doing so by us, if it is based on the consent of the data subjects, and the processing of your personal data is automatically carried out by us.
15.7. Non-cooperation in direct marketing
Data subjects have the right to refuse cooperation in relation to so-called direct marketing letters at any time without giving any reason. Within this framework, they have the right to refuse or prohibit the inclusion of their name on the contact or acquisition list, the use for direct marketing purposes or for specified purposes, or the transfer to a third party.
16. Notification of change of data
You are entitled and obliged to report any changes in the data processed by the Operator within 15 days. You are solely responsible for the consequences of your failure to do so.
17. Withdrawal of consent
If the legal basis for data processing is your consent, you may withdraw your consent to the data processing at any time, without prejudice to the legal basis of the data processing prior to the withdrawal of the consent. If the sole legal basis for data processing is your consent, we shall not process your personal data after your consent has been withdrawn and it shall be erased from our records of any kind.
18. Right to legal remedy
Data subjects may seek the advice of the National Authority for Data Protection and Freedom of Information (H-1125 Budapest, Szilágyi Erzsébet fasor 22 / c., Postal address: 1530 Budapest, Pf. 5.) in relation to complaints regarding the protection of personal data and data processing issues, and may seek legal remedy before a court of law.
19. Restriction of rights
In exceptional cases, the above rights may be restricted by statutory provision, in particular to protect the rights of the data subject or others.
The Operator shall only provide data contrary to your data processing statement to any authorized entity, in the cases specified by law.
20. Managing privacy incidents
In order to prevent, manage, data protection incidents and comply with applicable legal requirements, the Operator shall log and continuously analyse and monitor access and access attempts on its information systems.
If the employees of the Operator authorised for inspection in the course of performing their duties detect a data protection incident, they shall immediately inform the Operator’s manager.
Employees of the Operator are required to report to the leader of the Operator, or to the person exercising the employer’s rights, if they become aware of a privacy incident or incident.
A privacy incident can be reported to the Operator’s email address and telephone number specified in Section 2 above, where employees, contractors, and affected persons can report underlying events, security vulnerabilities. If a privacy incident is reported, the Operator shall promptly investigate the incident, identifying the incident and deciding whether it is a genuine incident or a false alarm.
In the event of a data protection incident, the Operator shall demarcate, isolate the systems, persons and data concerned and ensure that the evidence supporting the occurrence of the incident are collected and retained, moreover it shall notify the competent authority immediately, but no later than 72 hours after becoming aware of the privacy incident. Thereafter, the Operator shall begin to repair the damage and restore legally compliant operation.
The Operator shall keep a record of privacy incidents, which shall include:
a) the scope of personal data concerned;
b) the scope and number of persons affected by the data protection incident;
c) time of the data protection incident;
d) circumstances and effects of the data protection incident;
e) the measures taken to remedy the privacy incident;
f) other data as defined by the law governing the data processing.
Records of incidents of data protection incidents shall be retained for 5 years.
21. Other provisions
If you have any questions or comments, please, do not hesitate to contact us at any of the contacts provided in this policy.