Privacy Policy

Introduction:

Andrea SZOKOLI sole trader – Csülök Csárda (Headquarters: 2500 Esztergom, Batthyány L. u. 9.; Tax reg. no.: 56268298-2-31; registration number: 54903649; website: www.csulokcsarda.hu) (hereinafter: Provider, Controller) processes the personal data provided in accordance with this Privacy Notice.

Amendments to the Privacy Statements will take effect upon publication at the above address.

The name and the availability of the Processor:

Name: Andrea SZOKOLI sole trader
Headquarters: 2500 Esztergom, Batthyány L. u. 9.
E-mail: csulokcsarda@invitel.hu
Phone number: +36-30-256-0238

The availability of the person responsible for data protection:

Name: Andrea SZOKOLI
Headquarters: 2500 Esztergom, Batthyány L. u. 9.
E-mail: csulokcsarda@invitel.hu
Phone number: +36-30-256-0238

Definitions:

“Personal data”: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

“Recipient”: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Consent of the data subject”: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“Personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Principles relating to processing of personal data

  • Lawfulness, fairness, and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
  • Data minimisation: the personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accuracy: the personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Storage limitation: personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the Data Subject;
  • Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
  • Accountability: The Controller shall be responsible for the compliance with the above points, and shall be able to demonstrate the compliance.

Data management

  1. The fact of collection, the scope of the data processed and the purpose of the processing:
    The data are used for the management of requests for quotes received via the website or by phone, for the preparation and fulfilment of orders, for the invoicing of services, for the registration of Data Subjects, for documenting the use of the service, for meeting accounting obligations, for the maintenance of customer contact, for analysing customer behaviour, for targeting sales, for direct marketing enquiries and for providing information on current offers.

| Personal data | The purpose of the data processing |
|---|---|
| Surname and first name | Required for contacting, reconciliation, order fulfilment and proper invoicing. |
| E-mail address | For liaising. |
| Phone number | For liaising, for billing, or for the efficient reconciliation of order-related issues |
| Billing name and address, tax number | Issuance of a regular invoice, as well as the creation of the contract, the definition and modification of its content, the monitoring of its performance, the invoicing of the resulting fees and the enforcement of related claims. |
| Shipping name and address | To allow home delivery. |
| Photos | For using the photos uploaded by the customer in order to prepare the ordered product. |

The Processor will not use the personal data provided for purposes other than those set out in this data management information. The Processor does not check the personal data provided to it; the person providing the data is solely responsible for their adequacy.

Complaint handling

The fact of collection, the scope of the data processed and the purpose of the processing:

| Personal data | Purpose of the data processing |
|---|---|
| Surname and first name | Identification, liaising. |
| E-mail address | Communication |
| Telephone number | Communication |
| Billing name and address, tax number | Identification, managing quality complaints, questions and problems related to the services ordered. |

Scope of Data Subjects: All data subjects who request a quote on the website and those who have quality complaints or complaints.

Duration of data processing, deadline for deletion of data: Copies of the minutes, transcripts of the statement of objections and the response thereto shall be kept for 5 years in accordance with Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

Please note that the provision of personal data is a prerequisite for the conclusion of a contract between us. In the event of a complaint, you are obliged to provide the personal data in order to identify the contract or sale concluded with you and to enable us to deal with your complaint. Failure to provide this information will result in our inability to handle your complaint.

Social networking sites

The scope of the managed data: the Data Subject’s personal information available on a public profile on a social networking site (Facebook, Instagram, etc.).

Scope of Data Subjects: All those data subjects who have registered on Facebook / Instagram, etc. social networking sites and “liked” the website.

Purpose of data collection: To share or “to like” certain content elements, products, promotions, or the website itself, as well as to promote the products marketed by the Processor on different social media sites.

The data subject can get information about the source and the management of the data, as well as about the method and legal basis of the transfer on the given community page. Data management is realized on social networking sites, therefore the duration and method of data management, as well as the possibilities of deleting and modifying data are regulated by the given social networking site.

2. Management of cookies

Cookies collect information, remember the individual settings of the visitor, monitor the specific session of the Data Subject, prevent data loss, are used e.g., when using online shopping carts and generally make the website easier for visitors to use. At the first visit to the website, the Data Subject may decide whether to consent to the use of cookies. Our website uses the following cookies:

(I.) Session cookie: automatically deleted after the Data Subject’s visit. These cookies are intended to enable the Data Controller’s website to operate more efficiently and securely, therefore they are essential for certain functions of the website or certain applications to function properly.

(II.) Persistent cookie: The website may use a persistent cookie for a better user experience (e.g., to provide optimized navigation). These cookies are stored in the browser’s cookie file for a longer period. Their duration depends on what setting the data subject uses in their web browser.

(III.) No prior consent is required from the Data Subject for the use of a “password-protected session cookie”, “shopping cart cookies”, and “security cookie” used while the website is running.

The scope of data processed in such way: Unique identification number, location data, online ID, dates, times
Scope of Data Subjects: All visitors and customers of the website.
Purpose of the processing: The identification of users and to track visitors.
Legal basis for processing: Article 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (session cookie) and the consent of the Data Subject (persistent cookie).

The data subject’s consent is not required in case the cookies are exclusively used for communication over an electronic communications network or where the use of cookies is specially required for the provision of an information society service expressly requested by the subscriber or user.

The “Help” function in the menu bar of your browser provides information on how to disable cookies in your browser, how to accept new cookies, or how to give instructions to your browser to set a new cookie or turn off other cookies. By disabling the use of cookies, the Data Subject acknowledges that without a cookie, the site may not be fully functional, and certain features of the site may not be properly accessible or usable.

(IV.) The Use of Google AdWords conversion tracking

The Data Controller uses the online “Google AdWords” advertising program and uses the conversion tracking service of Google within the framework of this program. Google Conversion Tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

When a user reaches a website through a Google ad, a cookie is placed on the user’s computer for conversion tracking. These cookies have a limited validity and do not contain any personal data; thus, the User cannot be identified by them.

When the User browses certain pages of the website and the cookie has not expired, Google and the Data Controller can see that the User has clicked on the ad.

Each Google AdWords client receives a different cookie; therefore the cookies cannot be tracked across the websites of AdWords clients.

The information obtained with the help of conversion tracking cookies is used to generate conversion statistics for AdWords customers who opt for conversion tracking. Clients are thus informed of the number of users who clicked on their ad, and the number of those users who were directed to a page supplied with a conversion tracking tag. However, they do not have access to information that would allow them to identify any of these users.

In case you do not wish to participate in conversion tracking, you can refuse it by disabling the option to set cookies in your browser. In this case you will not be included in the conversion tracking statistics.

For more information and to read Google’s privacy statement, please visit www.google.de/policies/privacy/

(V.) The application of Google Analytics

The www.csulokcsarda.hu website uses Google Analytics, which is a web analytics service provided by Google Inc. (“Google”). Google Analytics uses text files, so-called “cookies”, which are saved on your computer and help to analyse the use of the website visited by the User.

The information generated by the cookie about the website you use will usually be transmitted to and stored by Google on servers in the United States. By activating the IP anonymisation on the website, Google will shorten the User’s IP address beforehand within the Member States of the European Union or in other states party to the Agreement on the European Economic Area.

Only in exceptional cases will the full IP address be transmitted to a Google server and then be shortened there. On behalf of the operator of the present website, Google will use this information to evaluate your use of the website, furthermore, to compile reports on website activity for the website operator, and to provide additional services relating to website activity and internet usage.

Within Google Analytics, the IP address that had been transmitted by the User’s browser will not be associated with other Google data. The Users can prevent the storage of cookies by selecting the appropriate settings on their browser; however, it is to be noted that if they do so, they may not be able to use all the functions of this website to their full extent. Furthermore, you may also prevent Google from collecting and processing information about your use of the website (including your IP address) by means of cookies by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

The scope of data subjects:

Visitors to the www.csulokcsarda.hu website; those who send an RFQ via the website; and the employees of the Processor.

Legal basis for processing:

  • the use of cookies on the website www.csulokcsarda.hu, in terms of requests for offers on the website: voluntary consent of the Data Subject (Article 6(1)(a) GDPR) is the legitimate interest of the Controller.
  • in the case of acceptance of an offer via the website www.csulokcsarda.hu: the preparation and performance of the contract between the parties (Article 6(1)(b) GDPR and Article 13/A(1) to (3) of the GDPR) is in the legitimate interest of the Controller;
  • regarding invoicing, invoice storage: to comply with legal obligations (including Accounting Act, the Taxation Act, VAT Act, etc.), is the legitimate interest of the Data Controller.

The retention period for personal data:

  • Personal data of the Data Subject in the case of data processed based on consent (e.g., direct marketing), until the registration is cancelled, or consent is withdrawn.
  • For personal data provided in the context of a request for proposal, for the duration of the existing contractual relationship (by virtue of the performance of the contract) and for 6 years after the termination of the contract (considering the limitation period under the Taxation Act and the Civil Code, in the legitimate interest of the Controller);
  • In connection with contracts/purchases, the Processor shall keep the issued invoices for the period of retention specified by the Accounting Act, up to 8 years (pursuant to Section 169 (2) of the Act on Accounting), after which the Data Controller shall ensure the destruction or anonymisation of the personal data.
  • In case official or legal proceedings are initiated against the affected person within the storage period in connection with the rights and obligations arising from the contracts, the storage period shall be extended, in the legitimate interest of the Data Controller, until the final conclusion of such proceedings.

The transfer of personal data.

Personal data may be disclosed in full to the Controller’s responsible staff and to its partners designated below as data processors, to the scope and extent necessary for the performance of their tasks, in compliance with the principles set out above.

The authorized Data Processors:

  • Hosting provider

Provider: Zedality Számítástechnikai Szolgáltató és Kereskedelmi Kft.
Headquarters: 6000 Kecskemét, Batthyány utca 20.
Contacts: info@zedality.com
The scope of data processed: All personal data provided by the data subject on the website.
Scope of Data Subjects: The scope of data subjects are:
Purpose of the processing: To make the website www.csulokcsarda.hu available and to ensure its proper functioning.
Activity performed by a data processor: Hosting service

  • Accounting, billing

Processor: Mészárosné Misznéder Edit
Place of business: 2500 Esztergom, Batthyány L. u. 3.
Contacts: ahegy@invitel.hu

Activity performed by a data processor: Accounting, financial, tax tasks, invoicing, management of receivables from service contracts.
The scope of data processed: Billing name, billing address, e-mail address.
Scope of Data Subjects: All data subjects involved in online purchases.
Purpose of the processing: Performance of accounting tasks, compliance with legal obligations under tax legislation.

Data subjects’ rights in relation to data processing:

The Data Subject may at any time request information from the Controller about the processing of his/her personal data and may request the rectification, erasure, withdrawal or restriction of the processing of his/her personal data, and may exercise his/her rights of data portability and objection by the means indicated when the data were collected or by contacting the Customer Service.

  • Right to information (access):

Every Data Subject has the fundamental right to transparent information, and providing it is the obligation of the Data Controller. The information must be provided in an intelligible manner, free of charge. The Data Controller is obliged to provide each piece of information in a concise, transparent, intelligible, and easily accessible form, clearly and plainly expressed.

The Data Subject has the right to receive feedback from the Data Controller as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; the envisaged period of storage of the personal data; the right to rectification, erasure or restriction of processing and the right to object; the right to lodge a complaint with a supervisory authority; information about the data sources; the fact of automated decision-making, including profiling, and the clear information about the logic used and the significance of such processing and their probable consequences for the Data Subject. In the event of a transfer of personal data to a third country or an international organisation, the Data Subject is entitled to get information about the appropriate guarantees that are related to the transfer.

  • The right of rectification:

The Data Subject may request the correction of inaccurate personal data relating to him or her processed by the Controller and the completion of incomplete data, which the Controller must comply with without undue delay.

  • Right to erasure (“right to be forgotten”):

The Data Subject shall have the right to obtain from the Data Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay in case

(I.) the personal data are no longer necessary for the purposes for which they were collected.
(II.) the Data Subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
(III.) the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
(IV.) the personal data have been unlawfully processed;
(V.) the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Controller;
(VI.) the personal data have been collected to provide services in relation with the information society.

The erasure of data cannot be initiated if the processing is necessary: for the exercise of the right to freedom of expression and information; to comply with an obligation under Union or Member State law that requires the controller to process personal data; or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; in the field of public health, or for archival, scientific, or historical research purposes, or for statistical purposes in the public interest; or for the establishment, exercise or defence of legal claims.

  • Right to restriction of processing:

The Data Subject has the right to obtain, at his or her request, the restriction of processing by the Controller in case

(I.) the Data Subject contests the accuracy of the personal data, in which case the restriction applies for the period required to verify the accuracy of the personal data;

(II.) the processing is unlawful, and the Data Subject opposes the erasure of the data and instead requests the restriction of their use;

(III.) the Controller no longer needs the personal data for processing purposes, but the Data Subject requires those for the establishment, exercise, or defence of legal claims; or

(IV.) the Data Subject has objected to the processing; in this case, the restriction shall refer to a period until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the Data Subject.

In case the processing is subject to restriction, personal data may, with the exception of storage, be processed only with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

  • Right to data portability:

The Data Subject has the right to receive the personal data concerning him or her that he or she has provided to the Controller in a structured, commonly used, machine-readable format and to transmit such data to another Controller.

  • Right to object:

The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, including the drawing up of a profile based on those provisions.
In the event of an objection, the Controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights, and freedoms of the Data Subject or those are related to the establishment, exercise, or defence of legal claims.
In case the processing of personal data is carried out for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including the creation of a profile, where it is directly connected with direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for such purposes.

The Data Subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.

The Data Controller shall inform the Data Subject of the action taken on the request pursuant to Articles 15 to 22 of the GDPR without undue delay, but no later than 1 month from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further 2 months. The Data Controller shall inform the Data Subject of the extension of the time limit within 1 month of receipt of the request, stating the reasons for the delay. If the Data Subject has submitted the request by electronic means, the information shall be provided by electronic means where possible, unless the Data Subject requests otherwise.

The Data Subject may exercise these rights by the methods listed herewith:
by post: 2500 Esztergom, Batthyány L. u. 9.
by e-mail: csulokcsarda@invitel.hu
by phone: +36-30-256-0238

Other provisions

Upon request of public authorities, or upon request of other bodies on the basis of the law, the Data Controller is obliged to provide information, to disclose data, to transfer data or to hand over documents.

In such cases, the Data Controller shall disclose to the requesting party, provided that the latter has indicated the precise purpose, extent and scope of the data, only such personal data as are indispensable for the purpose of the request and to the extent necessary for the purpose of the request.

Security of data management

The Controller and the Processor shall implement appropriate technical and organisational measures, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, in order to guarantee a level of data security appropriate to the level of risk, including, where appropriate:

1. pseudonymisation and encryption of personal data;
2. ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to manage personal data;
3. the ability to restore access to and availability of personal data in the event of a physical or technical incident in a timely manner;
4. a procedure for the regular testing, evaluation and analysis of the effectiveness of the technical and organisational measures taken to guarantee the security of data processing.

Informing the data subject about the data protection incident

Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay.

The information provided to the data subject shall clearly and comprehensibly describe the nature of the personal data breach and provide the name and contact details of the data protection officer or other contact person who can provide further information; describe the likely consequences of the personal data breach; describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.

The data subject need not be informed if any of the following conditions are met:

  • the controller has implemented appropriate technical and organisational protection measures and those measures have been applied to the data affected by the personal data breach, in particular measures such as the use of encryption which render the data unintelligible to persons not authorised to access the personal data;
  • the Controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  • the provision of information would require a disproportionate effort. In such cases, the Data Subject shall be informed by means of publicly disclosed information, or a similar measure shall be taken which ensures that the data subject is informed in a similarly effective manner.

Where the Controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed.

Reporting a data protection incident to the authority

The data protection incident shall be reported by the Controller to the competent supervisory authority in accordance with Article 55 without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is not likely to endanger the rights and freedoms of individuals. If the notification is not made within 72 hours, the reasons justifying the delay shall be enclosed.

Possibility to lodge a complaint

A complaint against a possible infringement by the Controller may be lodged with the National Authority for Data Protection and Freedom of Information: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Postal address: 1530 Budapest, P.O. Box 5

Phone number: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Conclusion

The following legislation has been taken into account in the preparation of this information:

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Information Law)
  • Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (in particular § 13/A)
  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices for Consumers
  • Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising (in particular § 6)
  • Act C of 2003 on Electronic Communications (specifically § 155)
  • Opinion No. 16/2011 on the EASA / IAB Recommendation on Best Practices for Behavioural Online Advertising
  • Recommendation of the National Authority for Data Protection and Freedom of Information on data protection requirements for prior information