DATA PROCESSING POLICY
A www.vass-shoes.com internet webpage (“Website”) is committed to protect the personal data of its customer (“Customer”) considering it as most important to treat the personal data of its Customers with confidentiality providing the maximum guarantee of data protection by means of security, technical and organization measures.
The name and availabilities of the Data Controller and the representative of the controller
of the Website:
Name of the Controller: VASS LÁSZLÓ KÉZIMUNKA CIPŐKÉSZÍTŐ KFT.
Registered seat: 6 Haris köz , 1052-Budapest
Address: 2 Haris köz, 1052-Budapest
Representative: Éva Dr. Keczéryné Vass
Telephone: +36 1 780 7418
Fax: +36 1 318 2375
Controller treats the personal data obtained through the use of the Web site in accordance with the requirements set out in the present data management policy and the existing legislation.
Present statement provides information relating the data stored by the Controller and how the Controller uses them through the web site.
In case you should have any questions relating the interpretation of the content or the use of content of the Statement, please feel free to contact us via e-mail or telephone:
Contact person: Éva Dr. Keczéryné Vass as manager
If required, in each case according to the content of the customer request we supply detailed information on the treated personal data, the aim, legal ground, length of the time of data management and all activities related to it.
I. Data to be treated:
The Supplier is entitled to treat the data of the Customer for identification purposes in connection with the Order of Products marketed for online shopping, respectively the modifications thereof, deliveries and the tracking of the deliveries, invoicing, satisfying claims relating to them and keeping contact with the Customers under the link “Online Shopping” on web page in favor of purchase (“Purchase”). The necessary data are the followings: natural person’s (customer’s) full name as identification data, delivery and billing address, e-mail address and data relating to the payment such as bank account and the name of the account holding bank, data relating to purchase, specifically relating the date and completion of purchase, communication language, the geographical place of purchase as well as all the data required for the completion of purchase technically such as shoe size, the complete specification of the ordered product (name of the product, shoe trees, color, size, sole respectively the features of them, in case of a belt the size, color, in case of a bag the type, color, information on the use of products and services such as the time of order, deadline of performance, data technically required for billing e.g., the currency of payment, payment terms, data necessary for complaint, e.g. the exact description of repair (“Data”).
II. The aim of data management:
The aim of the data management is to specifically complete the orders placed in the web shop, the delivery of the ordered products, treating warranty and other legal claims, keeping contact with the customers. In order to do so, the Data Controller treats the data.
According to the Data Controller the registration is the condition for the purchase/order (“Order”) by which the personal data of the Customer are obtained by the Data Controller, however, the supplying of data is volunteer in each case. To use the services provided on the Web site (registration, placing order, repair, etc.) personal data are required. If someone fails to supply these data he/she is not entitled to use the services of the Web site. Personal data are necessary for placing and completing an Order respectively for the settlement of repair/complaint. By the registration the Customer approves that the Data are obtained by the data base of the Data Controller. Data are stored by the Data Controller in a “note-book”, Excel table and Naturasoft accounting software.
Data supplied by the Customer shall not be completed by the Data Controller and shall not be assigned to any data or information deriving from other resources. Data Controller can disclose the Data supplied by the Customers for any Third Party on the basis of such authorization or legislative obligation.
Data Controller is entitled to disclose the Data of the Customer to partners and contractual partners such as Fedex that provides services for the completion of Order on the territory of the European Economic Area or within the place of delivery. To perform the delivery Data Controller uses the own system of Fedex (with an entry code) that contains all the necessary data for the delivery (Fedex is entitled to access to these data for delivery performance).
Data Controller pays attention to that the Data are forwarded exclusively to service providers that effectively complete or take part in the Order treating the data with utmost confidentiality. Data Controller shall inform the Customer that to comply with legistlative obligations data are forwarded to its accountant [Poroline KFt. 4 Szőlőkert street, 1033 - Budapest; Mrs. György Porodán : email@example.com). The information technological data process of the Data is carried out by Cheppers Zrt (22 Szent István krt.,
1137- Budapest, 3rd floor/door 3., tel.: +36/30-941-2730)
In case the relevant authorities ask the Data Controller to supply the personal data according to the legislation, it shall supply the required and available information fulfilling its legal obligation.
Data Controller shall guarantee the protection of Data taking all the necessary technical and organizational measures against unauthorized access, altering, forwarding, disclosure, cancellation or termination as well as against accidental termination or harm.
Business materials and newsletters can be sent by the Data Controller only with the prior consent of the Customers and the opportunity to terminate these communication services shall always be ensured.
Data Controller shall cancel the Data upon the termination of the purpose of data processing or the expiration of the deadline of data storage stipulated by the relevant law respectively upon the Customer’s request.
Upon cancelling the registration of the Customer the recorded data are also cancelled.
III. Legal basis for data management
Registration: Registration is the condition for the purchase on the web page. Registration is volunteer. On the basis of registration when the Customer registers, the legal ground for the data management is his/her approval of Item A of Paragraph 1 of Article 6 of GDPR.
Completion of Order: By placing Orders upon registration and by their confirmations the Customer and the Data Controller enter into a contract. The completion of Order and contacting the Customer as well as the delivery and managing the necessary personal data for the assertion of possible legal claims related to the Order is based on the completion of contract concluded with the subject in line with Item B of Paragraph 1 of Article 6 of GDPR, respectively the fact that the data management is necessary to take measures at the request of the subject prior to the conclusion of the contract.
Direct marketing, market research: For the purpose of direct marketing and market research data management can be performed solely with the prior consent of the subject. The legal ground for the data management is the volunteer consent of the subject in accordance with Item A of Paragraph 1 of Article 6 of GDPR.
Sending information and addressed content to customers: in certain cases Customers can be sent information material, when the legal ground of data management is the performance of the contract concluded by the Customer pursuant to Item B of Paragraph 1 of Article 6 of GDPR. In certain cases information is sent upon the fulfillment of legal duties (such as conformation of Order); in this case the further legal grounds of data management is Item C of Paragraph 1 of Article 6 of GDPR. (data management is necessary for the performance of legal obligations relating the Data Controller).
Statistics, the technical development of IT system, the protection of Customers’ rights:
Data Controller treats the personal data given by the Customers for statistical purposes and for the protection of the Customers’ rights as well as for technical developments to provide services at the highest level possible. The legal ground for this kind of data management is the legal interest of the Data Controller of a Third Party pursuant to Item F of Paragraph 1 ofArticle 6 of GDPR. In this case the assertion of legal interest prevails the right of disposal of the personal data of Customers using the web page. Restriction of rights is commensurate with and necessary for the safe operation of the web page as well as the fulfillment of data security requirements thereof. Data management based on legislation respectively for the fulfillment of public interest: Different laws contain the regulations on the basis of which the Data Controller is obliged to treat certain personal data. E.g. according to tax and accountancy laws prescribe a sales- note/receipt keeping obligation for a determined time. In this case the legal ground for data management is the legal duty borne by the Data Manager pursuant to Item C of Paragraph 1 of Article 6 of GDPR.
IV. The term of data management
The Data Manager shall cancel the Data upon the termination of the purpose of data processing or the expiration of the deadline of data storage stipulated by the relevant law respectively upon the Customer’s request. Certain laws stipulate obligations relating the storage of certain data and documents that may contain some personal data. Data management is started by the registration of the Customer or by placing an order. Upon cancelling the registration of the Customer the recorded data are also cancelled. Also, the Customer’s data are cancelled immediately upon the cancellation of statement on data management except the further management of data is performed for other purposes and according to different legislation (e.g. the performance of legal duties, assertion of legal demands, data management for statistical and research purposes).
Cookies do not involve any personal data and information, respectively they are not appropriate for the identification of any individual users. The legal ground and background of cookies:
The legal background of data management is the respective provisions of Act CXII of 2011 on informational self-determination and freedom of information (Info Law) respectively Act CVIII of 2001 on certain issues of electronic commerce activities and information society services. The legal basis for data management is the personal and volunteer consent of the Customer.
VI. The rights of the subject and the assertion thereof
In accordance with the provisions of GDPR the Data Controller ensures the followings to its Customers:
Right to information
The subject has the right to ask for information relating the legal ground of all data processing. All information shall be given in writing including electronic way as well. Information and arrangements shall be supplied free of charge but if the request of the subject is clearly unfounded or repetitive or- exaggerated the Data Controller-considering the administration fee relating the supply of the required information or the required arrangements -can charge a reasonable fee or it can refuse to do the required arrangements. Oral information may be supplied at the request of the subject provided that the personal identification of the relevant person has been proved in another way. Without any undue delay but within maximum 30 days as of the receipt of the request the Data Controller shall inform the subject on the arrangements made based on the subject’s request relating other rights of the subject. If necessary, considering the complexity of the request and the numbers thereof the deadline of 30 days can be extended with 60 days. If the request is submitted in an electronical way by the subject the information shall be supplied preferably in electrical way except the subject requests otherwise. The Data Controller complies with the compulsory information duty by posting it as “Data management policy” so that everybody can access to it.
Right of access
The Customer has the right of access relating the legal ground of all data processing. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, access to the personal data and the following information:
Right to rectification
The Data Subject has the right to ratification relating the legal ground of all data processing. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him/ her. The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right of erasure (right to be forgotten)
Subject has no automatic right of erasure (right to be forgotten) relating the legal ground of all data processing. The controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based (in case of data management based on consent) and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing (data processing based on public authority or legitimate interest)
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
The Controller shall draw up minutes of the erasure to certify the process of it. The Controller shall inform all subjects on the duty of erasure to whom the personal data have been forwarded.
Right to restrict processing:
The subject may restrict data processing on any legal ground. The Controller informs all subjects on the duty to whom the personal data have been forwarded.
Right to object
The data subject shall have the right to object in case of data management legal grounds based on public authority or legitimate interest. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to data portability
The subject has the right to portability if the data management is based on consent or contract assuming the data management is carried out by an automated means. The controller ensures that the subject receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
VI. Complaint, remedy
Subject Customers have the right to lodge a complaint directly to the Controller at any of the above written availabilities that will do its utmost to terminate or remedy the possible default. In accordance with par. (3) of Article 7 of GDPR the Customer as subject has the right to withdraw his/her consent to the management of his/her data at any time. The withdrawal shall not concern the data management based on consent before the withdrawal. Customer has the right to withdraw his/her consent in the simple way as it was given. The right to remedy of the Customer before the court according to par. 22 of Info Law: in case of illegal use of data court action should be taken against the Controller. The legal action falls under the competence of the court. The legal action-according to the choice of the subject- can be initiated at the local court (see the list of courts and their availabilities on http://birosag.hu/torvenyszekek). Without the harm of other public administrative or court remedy all subjects are entitled to lodge a complaint to a Surveillance Authority - specifically at his/her usual residence, workplace or in the member state where the alleged infringement has taken place- in case the
subject considers that the management of personal data concerning him/her violates the GDPR.
The relevant Surveillance Authority in Hungary:
National Agency for Data Protection (NAIH)
22/c Szilágyi Erzsébet fasor, 1125 Budapest
1530 Budapest, Pf.: 5
+36 (1) 391-1400
+36 (1) 391-1410