Data privacy policy 

Introduction

Balázs Korom e.v., sole proprietor (hereinafter referred to as the Service Provider, Data Controller) adheres to the following privacy policy.

In accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (General Data Protection Regulation or GDPR) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, we provide the following information.

This privacy policy governs data processing on the following website: www.speltavita.hu

The privacy policy is available at: https://speltavita.hu/adatvedelmi-nyilatkozat

Modifications to the privacy policy shall take effect upon publication at the above address.

Data Controller and Contact Information

Name: Korom Balázs e.v.
Registered office: 1136 Budapest, Pannónia street 10, fsz 7/a
E-mail: speltavitaeu@gmail.com
Phone: +36 30 139 36 69

Definitions

"Personal data": Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

"Processing": Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Controller": The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

"Processor": A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

"Recipient": A natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

"Data subject's consent": Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

"Data breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Principles Relating to the Processing of Personal Data

Personal data shall be:

1. Processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);
2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes (“purpose limitation”);
3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject (“storage limitation”);
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The Data Controller shall be responsible for, and be able to demonstrate compliance with, the above principles (“accountability”).

Data Processing

Data Processing Related to the Operation of the Online Store

The Nature of the Data Collected, Scope of the Personal Data Processed, and the Purpose of Processing:

Personal Data	Purpose of Data Processing
Username	Identification, enabling registration.
Password	Ensures secure access to the user account.
First and last name	Necessary for contact, purchases, and issuing valid invoices.
E-mail	Contact purposes.
Phone	Contact, and more effective coordination of billing or delivery-related issues.
Billing name and address	Issuing invoices, establishing and managing the contract, tracking performance, invoicing.
Shipping name and address	Enabling home delivery.
Date of registration/purchase	Technical operation.
IP address at registration/purchase	Technical operation.

Neither the username nor the email address is required to contain personal data.

2. Data Subjects: All users who register or make a purchase on the website www.speltavita.hu.
3. Duration of Data Processing / Data Retention: Personal data is deleted immediately upon deletion of the registration. The controller informs the data subject electronically about the deletion of any personal data in accordance with Article 19 of the GDPR. If the deletion request includes the email address, this is also deleted after notification.

Exception: Accounting documents are retained for 8 years in accordance with Section 169(2) of Act C of 2000 on Accounting, which mandates that all documents supporting bookkeeping must be preserved in a retrievable and legible format.

4. Az adatok megismerésére jogosult lehetséges adatkezelők személye, a személyes adatok címzettjei: A személyes adatokat az adatkezelő sales és marketing munkatársai kezelhetik, a fenti alapelvek tiszteletben tartásával.
5. Rights of the Data Subject Regarding Data Processing:

• The data subject may request from the data controller: access to personal data, rectification or deletion, restriction of processing
• objection to data processing
• data portability withdrawal of consent at any time

6. Requests regarding personal data can be submitted via:

• Postal address: 1136 Budapest, Pannónia utca 10, fsz 7/a
• Email: speltavitaeu@gmail.com
• Phone: +36 30 139 3669

7. Legal Basis for Processing:
8. GDPR Article 6(1)(b): Processing is necessary for the performance of a contract.
9. Act CVIII of 2001 on Electronic Commerce (Elker tv.) Section 13/A(3): Personal data may be processed if it is technically essential for providing the service.

The service provider must ensure that personal data is only processed when essential for providing the service and for the fulfillment of legal obligations, and only to the minimum extent and for the necessary duration.

7. GDPR Article 6(1)(c): Processing necessary for compliance with a legal obligation (e.g. issuing accounting documents).
8. Civil Code (Act V of 2013), Section 6:21 & 6:22: For the enforcement of contractual claims, the limitation period is 5 years unless otherwise specified by law.

Section 6:22 [Statute of Limitations]

(1) Unless otherwise provided by this Act, claims shall lapse after five years.

(2) The limitation period begins when the claim becomes due.

(3) Any agreement to alter the limitation period shall be made in writing.

(4) Any agreement excluding the statute of limitations shall be null and void.

8. Important Notice

• the processing of personal data is necessary for fulfilling the contract..
• providing personal data is mandatory in order for us to process your order.
• Failure to provide data will result in us being unable to process your purchase.

Data Processors Used

Shipping

1. Activity by Processor: Product delivery, transportation
2. Data Processors:

GLS General Logistics System Hungary Csomag-Logisztikai Kft • 2351 Alsónémedi, GLS Európa utca 2. • +36 29 886 660 • info@gls-hungary.com
FoxPost Zrt. • 3200 Gyöngyös, Batsányi utca 9. • +36 1 999 0369 • info@foxpost.hu
Magyar Posta Zrt. • 1138 Budapest, Dunavirág utca 2-6 • +36 1 767 8282 • ugyfelszolgalat@posta.hu
Packeta Hungary Kft. • 1097 Budapest, Könyves Kálmán körút 12-14 • +36 1 400 8806 • privacy@packeta.hu
Noblehunt Kft. • 3264 Kisnána, Béke utca 43. • +36 30 738 3761 • support@kvikk.hu

3. Processed Data: Shipping name, shipping address, phone number, email address
4. Scope of Data Subjects: All individuals who request home delivery
5. Purpose: To deliver the ordered product
6. Duration: Until the delivery is completed

Legal Basis: GDPR Article 6 (1) point b)

Web Hosting Provider

1. Processor Activity: Hosting services
2. Processor:
   Hostinger International Ltd. • 6023 Larnaca, Ciprus, 61 Lordou Vironos str.• gdpr@hostinger.com
3. Processed Data: All personal data provided by the data subject
4. Scope: All users of the website
5. Purpose: Ensuring availability and proper operation of the website
6. Duration: Until termination of the agreement with the hosting provider or deletion request by the data subject
7. Legal Basis: GDPR Article 6 (1) point c) – Legal obligation, GDPR Article 6 (1) point f) – Legitimate interest, Section 13/A (3) of Act CVIII of 2001 on e-commerce and information society services.

Recipients (Data Transfers)

Online Payment

Recipient's Activity: Processing online payments

Recipient:

Barion Payment Zrt. • 1117 Budapest, Irinyi József street 4-20. Building B 2nd floor • +36 1 464 7099  • www.barion.com

Processed Data: Name, billing information, email address

Scope of Data Subjects: All individuals choosing online payment

Purpose: Execution of the payment, transaction confirmation, and fraud monitoring

Duration: Until the completion of the online transaction

Legal Basis: GDPR Article 6 (1) point b) – Processing necessary for performing a contract at the request of the data subject

Rights of the Data Subject:

You have the right to be informed about the circumstances of the data processing.

You are entitled to receive feedback from the data controller on whether the processing of your personal data is ongoing, and you have access to all information related to the data processing.

You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

You have the right to request the data controller to rectify any inaccurate personal data concerning you without undue delay.

Cookie Management

Typical cookies used by webshops include so-called "password-protected session cookies," "shopping cart cookies," and "security cookies," the use of which does not require prior consent from the affected individuals.

Nature of the Data Processing, Scope of Data Managed: Unique identifier, dates, timestamps

Scope of Data Subjects: All individuals visiting the website.

Purpose of Data Processing: User identification, tracking the shopping cart, and monitoring visitors.

Duration of Data Processing, Deadline for Deletion of Data:

Type of Cookie	Legal Basis for Processing	Duration of Data Processing	Data Managed
Session Cookies	Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce	Until the end of the relevant visitor session	connect.sid

Authorized Data Processors: The controller does not manage personal data through the use of cookies.

Rights of Data Subjects Regarding Data Processing: The subject may delete cookies in their browser settings, typically found under the Privacy section.

Legal Basis: Consent is not required if the sole purpose of cookie use is to transmit messages via an electronic communication network or if it is essential to provide an information society service explicitly requested by the subscriber or user.

Use of Google AdWords Conversion Tracking

The controller uses the online advertising service "Google AdWords" and its conversion tracking service. This is an analytics service by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

When a user reaches the website via a Google ad, a cookie necessary for conversion tracking is placed on their device. These cookies are limited in duration and do not contain personal data; thus, users cannot be identified.

When the user visits certain pages of the website and the cookie is still active, both Google and the controller can see that the user clicked on the ad.

Each Google AdWords customer receives a different cookie, which means cookies cannot be tracked across different customers' websites.

The information collected using conversion cookies is used to create conversion statistics for AdWords customers. These customers can see the number of users who clicked on their ad and were redirected to a page with a conversion tag. They do not receive any information that personally identifies users.

If you do not wish to participate in conversion tracking, you can disable the storage of cookies in your browser settings. In that case, you will not appear in conversion tracking statistics.

Further information and Google's privacy policy can be found at:  www.google.de/policies/privacy/

Use of Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses "cookies," which are text files stored on your computer, to help analyze how users interact with the website.

Information generated by cookies regarding your use of the website is typically transferred to and stored on Google servers in the USA. If IP anonymization is activated, Google truncates the IP address within EU member states or other countries in the European Economic Area.

Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. Google uses this information on behalf of the website operator to evaluate the use of the website, compile reports, and provide other services related to website activity and internet usage.

The IP address transmitted by your browser as part of Google Analytics is not merged with other Google data. You can prevent cookie storage by configuring your browser settings; however, this may limit the full functionality of the site. Additionally, you can prevent Google from collecting and processing cookie-based data (including your IP address) by downloading and installing the browser plugin from: https://tools.google.com/dlpage/gaoptout?hl=hu

Newsletter and Direct Marketing Activities

According to Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, the user may give prior and explicit consent to be contacted by the provider via the contact details provided during registration with promotional offers and other materials.

Users may also consent to the processing of their personal data necessary for sending advertising offers.

The service provider does not send unsolicited advertisements, and users may unsubscribe freely, without justification or limitation. In that case, all related personal data will be deleted, and no further offers will be sent. Users can unsubscribe by clicking the link in the message.

The Nature of the Data Collected, Scope of the Personal Data Processed, and the Purpose of Processing:

Personal Data	Purpose of Data Processing
Name, email address	Identification, enabling newsletter subscription
Date of subscription	Technical operation.
IP address at time of subscription	Technical operation.

Scope of Data Subjects: All individuals subscribed to the newsletter.

Purpose of Data Processing: To send electronic messages (emails, SMS, push notifications) containing advertisements, provide updates on current information, products, promotions, and new features.

Duration of Data Processing: Until the user withdraws their consent (i.e., unsubscribes).

Az adatok megismerésére jogosult lehetséges adatkezelők személye, a személyes adatok címzettjei: A személyes adatokat az adatkezelő sales és marketing munkatársai kezelhetik, a fenti alapelvek tiszteletben tartásával.

Rights of the Data Subject Regarding Data Processing:

• The data subject may request from the data controller: access to personal data, rectification or deletion, restriction of processing
• objection to data processing
• data portability withdrawal of consent at any time

Requests regarding personal data can be submitted via:

• By mail: 1136 Budapest, Pannónia utca 10, fsz 7/a
• Email: speltavitaeu@gmail.com
• Phone: +36 30 139 36 69

User can at any time unsubscribe from newsletters, completely free of charge.

Legal Basis: User consent, Article 6(1)(a) and (f) of the GDPR, and Section 6(5) of Act XLVIII of 2008:

Advertisers may keep records of those who have given consent. These records may only be processed in accordance with the given consent and may only be shared with third parties with prior consent.

Important Notice

• Data processing is based on your consent.
• Providing personal data is necessary to receive newsletters.
• Without providing data, newsletters cannot be sent.

Complaint Management

The Nature of the Data Collected, Scope of the Personal Data Processed, and the Purpose of Processing:

Personal Data	Purpose of Data Processing
First and last name	Identification, communication
E-mail	Contact purposes.
Phone	Contact purposes.
Billing name and address	Identification and complaint resolution related to ordered products

Scope of Data Subjects: All individuals purchasing from www.speltavita.hu and submitting quality-related complaints.

Duration: Copies of the complaint and response documents are retained for 5 years per Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

Az adatok megismerésére jogosult lehetséges adatkezelők személye, a személyes adatok címzettjei: A személyes adatokat az adatkezelő sales és marketing munkatársai kezelhetik, a fenti alapelvek tiszteletben tartásával.

Rights of the Data Subject Regarding Data Processing:

• The data subject may request from the data controller: access to personal data, rectification or deletion, restriction of processing
• objection to data processing
• data portability withdrawal of consent at any time

Requests regarding personal data can be submitted via:

• By mail: 1136 Budapest, Pannónia utca 10, fsz 7/a
• Email: speltavitaeu@gmail.com
• Phone: +36 30 139 36 69

Legal Basis for Processing: Article 6(1)(c) of the GDPR and Section 17/A (7) of Act CLV of 1997.

Important Notice

• Providing personal data is a  contractual obligation. 
• Data processing is a prerequisite for fulfilling the contract.
• Providing personal data is mandatory for complaint management.
• Without providing data, your complaint cannot be handled.

Social Media

Nature of Data Collection: User's public profile name and picture on platforms like Facebook/Google+/Twitter/Pinterest/Youtube/Instagram.

Scope of Data Subjects: All users who are registered on these platforms and have liked or followed the website.

Purpose of Data Collection: Sharing, liking, or promoting content or the website on social media.

Duration, Access Rights, and Legal Basis: Information about data sources, processing, and transfer is governed by the terms of the respective social media platforms.

Legal Basis: Voluntary consent by the user for data processing on social media.

Customer Service and Other Data Processing

If users have questions or issues while using the services, they may contact the data controller through the provided channels (phone, email, social media).

Emails and messages, including name and contact info, are stored for up to 2 years from receipt, along with any voluntarily provided personal data.

For data processing not listed in this notice, users will be informed at the time of data collection.

In the case of legal authority requests or legal obligations, the Service Provider is required to provide personal data or documents as specified.

In such cases, only the minimum necessary data will be provided for fulfilling the official request.

Data Subjects’ Rights

Right of Access

You have the right to obtain confirmation from the data controller as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information listed in the regulation.

Right to Rectification

You have the right to request the data controller to rectify inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure

You have the right to request the erasure of personal data concerning you without undue delay, and the data controller is obliged to erase such data without undue delay under certain conditions.

Right to Be Forgotten

If the data controller has made the personal data public and is obliged to erase the data, it shall take reasonable steps — including technical measures — considering the available technology and the cost of implementation, to inform other controllers processing the personal data that you have requested the deletion of any links to, or copies or replications of, those personal data.

Right to Restriction of Processing 

You have the right to request the restriction of processing if any of the following applies:

• You contest the accuracy of the personal data — for a period enabling the controller to verify the accuracy of the personal data;
• The processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead;
• The controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defense of legal claims;
• You have objected to processing — pending verification whether the legitimate grounds of the controller override yours.

Right to Data Portability 

You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided (…).

Right to Object 

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you (…), including profiling based on those provisions.

Objection to Direct Marketing

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing. If you object to such processing, the personal data may no longer be processed for that purpose.

Automated Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you.

This does not apply if the decision:

• is necessary for entering into or performing a contract between you and the controller;
• is authorized by Union or Member State law that also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests;
• is based on your explicit consent.

Deadline for Action

The data controller shall inform you without undue delay, but in any case within 1 month of receipt of the request, of the action taken in response to your request.

If necessary, this period may be extended by 2 months. The controller shall inform you of any such extension within 1 month of receiving the request, together with the reasons for the delay.

If the controller does not act on your request, they shall inform you without delay, and at the latest within 1 month of receipt, of the reasons for not taking action and on your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

Data Security

Taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:

1. the pseudonymization and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

Informing the Data Subject About a Data Breach

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

This communication shall describe in clear and plain language the nature of the data breach and shall include: the name and contact details of the data protection officer or other contact point; the likely consequences of the breach; the measures taken or proposed by the controller to address the breach, including any measures to mitigate its possible adverse effects.

Notification is not required if any of the following conditions are met:

• the controller has implemented appropriate technical and organizational protection measures (e.g. encryption) and these measures were applied to the data affected by the breach;
• the controller has taken subsequent measures to ensure the high risk to rights and freedoms is no longer likely to materialize;
• it would involve disproportionate effort. In such cases, data subjects may be informed via public communication or similar means.

If the controller has not yet notified the data subject, the supervisory authority may require them to do so after assessing the level of risk.

Reporting a Data Breach to the Supervisory Authority

The controller shall report a personal data breach to the competent supervisory authority under Article 55 without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by reasons for the delay.

Review in Case of Mandatory Data Processing

If the law, municipal decree, or a binding EU legal act does not specify the duration of mandatory data processing or the period for its regular review, the controller shall review at least every three years from the start of processing whether the personal data it (or its processor) manages are still necessary for achieving the purpose.

The circumstances and result of this review must be documented, retained for ten years following the review, and made available to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) upon request.

Complaint Option

You may lodge a complaint against any unlawful processing of your data with the Hungarian National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box 5.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Final Note

This privacy notice was prepared in accordance with the following legal regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR)
• Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Info Act)
• Act CVIII of 2001 on Electronic Commerce Services (esp. Section 13/A)
• Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices
• Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising (esp. Section 6)
• Act XC of 2005 on Electronic Freedom of Information
• Act C of 2003 on Electronic Communications (esp. Section 155)
• Opinion No. 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
• Recommendations of the Hungarian National Authority for Data Protection and Freedom of Information on the requirements for prior information