- Whose data is being controlled?
- What sort of Personal Data is being controlled?
- Name (first name, surname, company name, department name)
- Address (referring to a definite location, including but not limited to house number, postal code (zip code), city, county)
- Telephone number
- Email address
3. What sort of other Data is being controlled?
Data detailed under point 2.; data concerning purchasing, delivering and refunding products, which may be transferred to third parties elaborated under point 8.
- What is the legal basis of collecting and controlling Personal Data?
The consent of Users.
- What is the duration of Data Controlling?
Controlling of Personal Data ends instantly upon a personal withdrawal of consent or a request for deletion or destruction.
Data concerning purchases made by Users are stored for 5 years.
- What is the purpose of Data Collecting and Controlling?
Making it possible for the Users to purchase goods.
Making it possible for the Users to ask for information or offers.
Processing the orders made by the Users by the Data Controller.
Resolving issues and complaints by the Data Controller.
The easy and efficient use of the Webshop for the Users.
Visitors and Users may receive newsletters about new products and offers if an explicit consent is given by them for that purpose.
- Who can access the data?
No Visitor, User or unappointed third party can access any other data.
The staff of the Webshop can access all data, however, they are not allowed to use them for any other purpose than described above, nor transfer or sell them to any unappointed third parties.
Appointed third parties that are able to access the data are described in the following section.
- Whom is data transferred to?
In case of purchasing, data describing financial information are transferred to and handled by PayPal. The Data Controller is informed by PayPal of the corresponding data in the form of a success report.
PayPal Corporate Headquarters: 2211 North First Street, San Jose, California 95131, USA – www.paypal.com
As Shopify is used as the webshop system, data are transferred to and handled by Shopify.
Shopify International Ltd. – Attn: Data Protection Officer – c/o Intertrust Ireland 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland
Data describing information essential for the delivery of the products are transferred to the delivery company:
Name: Portó Kft.
Address: 40. alagsor, Pozsonyi út, 1137 Budapest, Pozsonyi út 40. alagsor, Hungary
Data have to be transferred to third parties if they are required for investigating and/or examining criminal cases or cases of national security. If this happens, the third party who requires the data must define what data they need and also name the exact purpose of data controlling.
Apart from the cases described above, no data can be transferred to any other third parties without the consent of the User.
- What happens if Personal Data are not shared or if a person ceases to share it?
No User is obligated to share any Personal Data; visiting the webpage is possible without doing so (or after withdrawing a consent to Data Controlling). In this case, however, Users may have limited access to our services.
The Data Controller makes every effort (that can be expected rationally) so that the principles of the safety of data can prevail. This can be summarized in the following way.
Those who have the right to access the necessary data are able to do so at any time.
Every piece of data is available only for those who are authorized to control and process it.
- Authenticity and Integrity
During the process of data storing and controlling, the data itself remains unchanged.
While the data is being stored, the Data Controller takes every measure of protection and precaution (that can be expected rationally) so that the data is protected against theft, unauthorized access, damage, corruption, deletion, destruction and publication (regardless of whether it results from an intentional or unintentional act), and against electronic or any other forms of failure (including natural disasters).
Data Breach and its Handling
In case of a high-risk data breach, the Data Controller informs the persons who are involved (due to their rights and freedom) without delay.
In doing so, the Data Controller explains clearly and in a legible form:
- the nature of the breach
- the probable consequences of the breach
- the actions planned or performed to handle the breach, including the actions which are to lessen the possible negative consequences
- provides the contact of the data protection officer, or if he/she is not available at that time, of a person who is able to give an ample amount of information about the situation.
The Data Controller need not inform the persons who are involved if
- the Data Collector performed actions which made the data affected by the breach incomprehensible (e.g. by using encryption on the data)
- informing the persons who are involved would require a disproportionate effort (in this case information shall be provided in another form, e.g. publishing)
- due to the actions performed by the Data Collector the high risk does not exist anymore.
- they enable the webpage to recognize and store the preferences of the Visitors and Users
- they are to authenticate the Visitors and Users so as to protect their personal data and prevent the abuse of these data
- they make the navigation between sub-pages easier
- they store the most frequently visited pages so that they can load faster
- they help the Data Controller collect information about the use of the webpage and its parts so the Data Collector can optimize and develop the page, taking account of the activities of the Visitors and Users.
These Cookies work automatically.
A Visitor, however, can disable them either all together or one by one. The exact way of doing so depends on the browser the Visitor uses: in most cases the corresponding option can be found in the browser’s settings menu.
If the cookies are disabled, certain parts of the webpage might not work or might work improperly.
According to the law, a webpage can use certain types of cookies without having consent for doing so. On the Webshop the following cookies belong to this group:
- authentication cookies – they identify a User who is logged in until he/she logs out (and the cookies are deleted)
- user-input cookies – these store and trace data given by the User, e.g. on a form or a questionnaire; they are deleted a couple of hours after the corresponding data has been given
- user-interface customization cookies – these cookies record the preferences of a Visitor (e.g. the language used by the webpage) and are deleted when the page has been left or a short time afterwards.
None of these cookies is stored for a long time and their main purpose is to make the visit efficient for the Visitors and the Users.
The cookies used are elaborated on the following page: https://www.shopify.com/legal/cookies
The Visitors’ and Users’ Rights
Every Visitor and User has the right to the following actions, which can be enforced by sending an e-mail to the address shown on the Webshop.
These rights are the following:
- The right to be informed beforehand
Every person has the right to be informed about all the facts related to data controlling and processing, in a clear and legible form. This right exists even if the data controlling has not begun.
- The right to access
Every person has the right to receive feedback about how his/her data is being controlled, including the nature of the data, the purpose and duration of controlling and whether his/her data is being transferred to a third person. Every person has the right to be informed about their rights related to data controlling and processing.
Certain services of the Webshop might not be available if the User does not allow certain data to be transferred to the third parties elaborated in the corresponding section of Data Controlling.
- The right to rectification
Every User has the right to ask the Data Controller to correct his/her personal data. (The Users may be asked to provide some additional data if it is missing.) Every User can modify his/her personal data: this can be done, after logging in, on the Profile sub-page.
Every natural or legal person to whom the corrected data (of any nature) has been transferred shall be informed about the correction unless it is impossible or a disproportionate effort is required.
- The right to erasure and to be forgotten
Without any further notice or request, the data of a User is to be deleted in the following cases:
- the data collected and processed before is not used in the future
- the only legal basis of data controlling was the User’s consent, which has been withdrawn
- it has been proved that the data controlling has been illicit.
Should the Data Controller have used (or shared) Personal Data for any other purpose than described in the corresponding section of Data Controlling (e.g. surveys) before the arrival of the request, it was performed with the use of an anonymized form of data, which did not and does not enable the identification of a User. In this case the right to be forgotten cannot be comprehended. (A brief explanation: in this situation it would be impossible to decide whose data should be deleted.)
Should any data of a User have been published (following a formerly expressed consent) and it must be deleted (due to the User’s right to erasure), an attempt is made to inform every other data collector involved in the situation that the User requested the deletion of his/her data. The particular amount of effort taken depends on the available time, technology and the estimated costs of the action. Approved third parties are informed about the User’s request in all cases.
- The right to restrict
Should a User consider our methods of data controlling inappropriate, he/she can request us to restrict the processing of their data.
If it becomes proven that the User’s or Visitor’s data has been illicit, restricting data instead of deleting it can be requested, too. In this case the Data Collector stores the data in question but does not process it.
Due to data restriction, certain services of the Webpage might become restricted.
- Right to object
Any affected person has the right to object to the controlling of his/her Personal Data for any reason related to his/her situation at any time, regardless of whether the Data Controlling is carried out in the public interest, in the exercise of an official authority vested in the controller, or due to the need of exercising the legal claims of a third party.
In the cases above the Data Controller shall not control the related Personal Data any more unless it is proven by the Data Controller that doing so is a necessity based on legal reasons which override the interests, rights and freedom of the affected person or are in direct connection with proposing, exercising or protecting legal claims.
If the controlling of Personal Data happens for direct solicitation, the affected person has the right to object to the controlling of his/her Personal Data for this particular purpose. If an objection happens due to this reason, the related Personal Data shall not be controlled for this purpose in the future.
No Personal Data are being collected for research or statistic purposes in a form which enables the identification of any User; all data collected for these purposes are anonymized. Therefore, the affected person may object to the controlling of anonymized data only before the collection of the described data takes place. Special attention has to be called to the right to object when or before the first contact between the Data Controller and the Visitor is established; the related information has to be announced in a clear and unambiguous form, separated from any other pieces of information.
- The right to data portability
If the claim of Data Controlling is the consent of a Visitor or based on a contract, the User has the right to obtain all data related to him/her in a legible form that is viewable with a computer or any other similar digital device. The format of the data shall be a widespread one. Assuming it is attainable, the User may request that his/her data shall be transferred to another Data Controller.
Exercising the right to data portability may not adversely affect the rights and freedom of other persons.
- Automated decision systems
The Webshop uses no automated decision systems.
- The right to legal remedy
If a Visitor or User presumes that the data controlling happens improperly or in an illicit way, they have the right to contact us by using the contact email address found on the Webpage.
Any complaints related to controlling Personal Data can be addressed to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH; Nemzeti Adatvédelmi és Információszabadsági Hatóság), whose address is the following: 22/C Szilágyi Erzsébet Fasor, 1125 Budapest, Hungary, Europe; postal address: Post Office Box 5, 1530, Budapest, Hungary, Europe.
The Visitor or User has the right to exercise their rights in the form of a lawsuit at a civil court. Assessing the legal action is within the sphere of action of the court of justice. The plaint has to be submitted to the court corresponding to the Visitor’s place of residence. Further information about the Hungarian courts can be found at the following webpage: http://birosag.hu/torvenyszekek.
Terms and Definitions
Administrator – The person or persons who are responsible for maintaining the Webshop.
Customer – A type of User who is able to purchase Products.
Consent – An expression of will by a Visitor which has been performed voluntarily, clearly and definitely based on an adequate form of informing, in which he/she agrees that their Personal Data can be controlled by the Data Controller. A Consent can take the form of a declaration, or any form of action that refers to the expression of will.
Data Breach – a.k.a. Breach; an incident which leads to security issues, which means the loss, alteration or destruction of data (accidental or illicit), and/or the illicit publishing or accessing of data.
Data Controller – Urosystem Zrt.
Data Controlling – Any automated or manually performed process applied to data. The term includes collecting, recording, systematization, conversion, query, publishing, applying, noticing, providing, spreading, harmonizing, restricting, deleting and destroying.
Data Deleting – a.k.a. Erasure; making data unrecognizable in a way which guarantees that the particular data cannot be recovered in the future.
Data Processing – Any task executed on data, related to Data Controlling; regardless of its place, manner, used tools and methods.
Data Processor – A natural or legal person, or an organization without a legal personality who is assigned by the Data Controller to the task of processing data.
Data Transferring – Making data available for a certain third party.
Info. Act – The 2011/CXII. Act, which describes the right to self-determination and the freedom of information.
Personal Data – Any information which refers to an identified natural or legal person or enables the identification of them. A person is identifiable if this can be done by either directly or indirectly using one or more types of Personal Data, e.g. name, number (telephone or the number of documents like an ID card), online name, or data referring to physical, physiological, genetic, cultural, social, economic identity.
Personally Identifiable Financial Information – a.k.a. PIFI; any information provided by a consumer that would not otherwise be publicly available. It enables the unique and/or focused searching, identification and validation of a person’s financial information. PIFI includes (but is not limited to) the following sorts of information: name, company name, contact details, bank account number, credit card number, tax number.
Protest – A notice given by a person in which they express an objection to the controlling of their personal data, or request that Data Controlling cease or that their data be deleted.
User – A person who is visiting the Webshop or who asks for a quotation or information or to make a purchase of goods. See Visitor, Customer.
Visitor – A person who is visiting the Webshop without filling in forms or purchasing goods. Visitors need give no personal data for this action.
Webshop – www.urosystem.com