DATA PROCESSING INFORMATION
The DOT FOR YOU Design Korlátolt Felelősségű Társaság business association (hereinafter referred to as “DOT FOR YOU or “data controller”) processes personal data provided it as specified in this Data Processing Information:
THE DATA CONTROLLER’S DATA:
Name: DOT FOR YOU Design Korlátolt Felelősségű Társaság
Company registration number: 01-09-326961
Seat: 1068 Budapest, Király utca 80. fszt. 11.
Postal address: 1072 Budapest, Klauzál tér 7. 3. em. 6a.
Telephone: +36 30 911 2726
Contact information of the data protection officer:
Name: Erika Baglyas
Postal address: 1072 Budapest, Klauzál tér 7. 3. em. 6a.
Former data processing registration number of the webpage https://dotforyoushop.com: NAIH-140096/2018.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
THE PURPOSE OF PROCESSING:
Purchases from DOT FOR YOU online shop, issue of invoices on the purchases, registration of Customers, performance of orders, documentation of purchases and payments, fulfilment of accounting obligation, customer relations, analysis of purchasing habits, more dedicated sales, contacting others with remarketing and direct marketing purposes, information on current offers and processing of employees’ data.
SCOPE OF DATA BEING PROCESSED:
The data controller learns the following personal data in the course of customer’s signing up, ordering/purchasing products and thereby processes in particular the following data: the client’s user name and e-mail address, and after the client is signed up, the client’s family and given names, shipping and/or billing address, telephone number, data pertaining to the product that is purchased, ordered or pre-ordered by the client (the name, quantity and price of the product) and the IP address.
The customer is required to provide his or her personal data for purchasing the product he or she has selected. Without the personal data, DOT FOR YOU cannot process the data subject’s order and no contract is concluded with the Data subject.
THE BASIS FOR THE PROCESSING:
for using cookies on dotforyoushop.com, signing up to the website and participating in promotional games: the data subject’s voluntary consent (Article 6(1) a) of the GDPR), the legitimate interest of the data controller
for purchasing from the online shop and for entering into employment contracts with: preparing and executing the contract entered into between the parties (Article 6(1) b) of the GDPR and Section 13/A (1) to (3) of Ektv) the legitimate interest of the data controller;
for direct marketing activities and profiling: the voluntary consent of the data subject (Article 6(1) b) of the GDPR, Section 6 (5) of the Act on Reklámtv.);
for invoicing, storing invoices and for employee data: obligations as per laws (including Számv.tv., Art., Áfatv.,Tbj., etc.).
RETENTION PERIOD FOR PERSONAL DATE SUBJECT TO PROCESSING:
The personal data of the data subject are retained as follows:
– for data processed on the basis of consent, until the deletion of registration/the consent is revoked;
– specified personal data, during the existence of the contractual relationship (under the legal title of performing the contract), and for 6 years after the contract is dissolved (for the legal interests of the data controller, taking into account the limitation period as per Art. and Ptk.); the invoices issued in connection with the contract, for eight years by the data controller (Section 169 (2) of the Számtv.);
– for the invoices issued, for 8 years, during the retention period as per the Act on Accounting (Section 169 (2) of the Számv. tv.);
– for data subjects participating in the promotional game, for six years after the prize is delivered;
– during the existence of employment relationship, for the purpose of fulfilling obligations under the law, and after the termination of the legal relationship for 6 years (for the legal interests of the data controller, taking into account the limitation period as per Mt. and Ptk.);
and upon the expiry of such periods, the data controller provides for the destruction or anonymization of such personal data.
If an authority or court proceedings has been launched for the enforcement of the rights or obligations arising from the contract within the retention period, the retention period is exceeded until the final completion of the proceedings.
Cookies to be used:
a) session cookie: is automatically deleted following the data subject’s visit. These cookies help the Data controller’s website to work more effectively and safer and thus are necessary for the proper operation of certain functions or applications of the website.
b) persistent cookie: persistent cookies are used for the purpose of providing a better customer experience. These cookies are stored for a longer period in the cookie file of the browser. This period depends on the settings of the data subject’s internet browser.
c) “Cookies used in password protected session”, “cookies required for carts” and “security cookies” may be used even without the data subject’s prior consent.
d) Cookies for statistical/market purposes:
The data controller uses Google Analytics, Google Remarketing, AdWords Conversion Tracking and Facebook Remarketing programmes for the purpose of measuring visits, monitoring the behaviour of visitors, making statistics and for checking the efficiency of advertisements. These programmes place so-called cookies on the user’s computer which later on collect data.
External servers assist in tracking the number of visitors and making other web analytical measures; the cookies for statistical purposes of Google Analytics serve this purpose. These cookies help to monitor as to how the visitors use the website and which websites the visitor visit. These cookies do not collect identification data; the data collected are anonymous; its sole purpose is to enable Google to analyse as to how the visitor used the website as well as to prepare reports on the activity of the website and to provide further services related to the use of the website and internet use.
Detailed information on the processing of the measurement data may be requested from and provided by the data controller to data subjects. Further information: https://policies.google.com/privacy?hl=en.
If the data subject does not want that the data be measures in such manner by Google Analytics, he or she should install an Ad blocker in the browser.
The Data controller also uses Google AdWords, using the service of Google conversion tracking. This means that a cookie is placed on the computer of the data subject when the data subject finds a certain website through a Google advertisement. These cookies are valid for a limited period and contain no identification data which means that the data subject cannot be identified through them; however, when the data subject is searching on certain pages of the website while the cookie is still valid, Google and the data controller see if the data subject clicks on the advertisement. Each AdWords client gets a unique cookie, therefore, other cookies cannot be traced on the websites of other AdWords clients. Such information is used by AdWords to prepare statistics for its clients that have chosen the service of tracking. DOT FOR YOU may gain information as to the number of visitors that click on the advertisement and are then forwarded to the website subject to conversion tracking. However, it may not obtain any information that could be used to identify users.
The aforementioned tracking may be rejected by blocking cookies in the browser. By choosing this option, you won’t be included in the conversion tracking statistics. Further information and the Google Data Protection Policy are available on: https://policies.google.com/privacy
The data controller uses the programme of Google Remarketing for its online advertisements, which means that the data controller’s advertisements are shown on the websites of external service providers, such as Google. The data controller and the external service providers, such as Google, place own cookies of their own (such as Google Analytics cookies) and cookies from third parties (such as DoubleClick cookies) to gain information on previous visits on the website by users and to optimise and display advertisements.
The data controller used the pixel of Facebook Remarketing to increase the efficiency of Facebook advertisement, for the purpose of building a so-called marketing list. The external service provider, such as Facebook, displays advertisement on websites after visits on the website. Remarketing lists cannot be used for identification. These lists do not contain the personal data of visitors, only the browsing software is identified.
The “Help” function available in the menu bar of most browsers provides information as to how to block cookies, how to accept new cookies or how to direct the browser to install new cookies or turn off other cookies. By blocking the application of cookies, the data subject acknowledges that the website won’t operate properly and certain functions of the website won’t not available or cannot be used properly.
Help to set cookies:
Chrome: https://support.google.com/accounts/answer/61416?hl=hu ,
Edge: Setting -> Advanced settings -> Cookies („Allow cookies” / „Block all cookies” / “Block only third-party cookies” or: F12 – Error view – Cookies
IE11: https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies ; https://support.microsoft.com/hu-hu/help/260971/description-of-cookies
SOCIAL MEDIA PAGES:
For the purpose of using certain social media functions, the links to Facebook, Pinterest and LinkedIn, with which the products can be shared on the profile of the data subject, are displayed on the data sheet of all products on the website, the controller is entitled to learn the public profiles of data subjects who has liked the website on their Facebook, Pinterest or LinkedIn social media pages or follow the data controller. In this case, the purpose of data collection is sharing and promoting the products and promotions of the data controller or the website itself. Data subjects may find information on the processing of data, the method and legal basis of data transfer on the respective social media pages. The data are processed on the social media pages, therefore, processing is subject to the regulations of the respective social media page.
The data controller, from time to time, organises and carries out promotional games on the page available at https://www.facebook.com/DOTforYOU/ in the interest of promoting and raising awareness to its products. The purpose of processing is participation in the promotional game, conducting lotteries, notifying the winners and complying with accounting obligations. In the course thereof, the data controller processed the name of the Facebook profiles of the Data subjects, the identification number, and other personal data provided voluntarily in the course of current games, including the contact information and address of the winner. The winner is chosen by the Data controller with the help of facebooknyertes.com, to which the data controller transfers only identification numbers attached to those participating in the game, and the service provider may not have access to data to specified persons. A separate information letter is available on the page of the respective promotions.
NEWSLETTERS, DIRECT MARKETING (DM):
By virtue of Act XLVIII of 2008 on essential conditions of and certain limitations to business advertising activity, subject to the prior express consent of the data subject, the data controller may contact the data subject with its advertisements and other mails at the contact information provided by the data subject when signing up. If the data subject has subscribed to the newsletter, the personal data provided in the course of subscribing for the newsletter may be processed exclusively for the purpose of sending newsletters to the e-mail address of the data subject, if the data subject has provided his or her voluntary consent to the processing. The newsletter contains direct marketing elements and advertisement. The purpose of sending newsletters is to provide information on current information and promotions of DOT FOR YOU products, to send direct marketing requests and to keep in touch with.
The personal data of data subjects provided in connection with newsletters may be stored by the data controller until the data subject unsubscribes from the newsletter from clicking on the button on “Unsubscribe” or request to be deleted from the list of subscribes to newsletters in any other way (e-mail, mail). After the data subject has unsubscribed, the data controller may no longer send newsletters and offers to the data subject. The data subject is entitled to unsubscribe from the newsletter and revoke his or her consent at any time.
Collecting data for remarketing purposes qualifies as profiling under the GDPR. The visitors of the website are profiled on the basis of their interactions, the products they view or added to their carts or purchased.
The profiles are added to remarketing lists, which are used to target and customise advertisements. As a result of profiling, during their searches, data subjects are provided with personal marketing messages that are based on their activities.
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The aforementioned entitled may not be applied of the proceeding
is necessary for entering into, or performance of, a contract between the data subject and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
is based on the data subject’s explicit consent.
The data subject shall have the right to revoke his or her consent at any time. The revocation of consent shall not affect the lawfulness of processing based on consent before its revocation.
The processor must act upon the instruction of the data controller, and the method of using the data and the purpose of processing are specified by the data controller. Data processors must not process personal data received from the data controller for their own purposes or for purposes other than those specified in the contact.
The data controller uses the services of the following data processors for the following activities as of the time this information letter becoming effective.
Data processor: DHL Express Magyarország Kft., (seat: BUD International Airport, Terminal 1, DHL Building 302, 1185 Budapest, rules of data processing: https://www.dhl.hu/hu/jogi_informaciok.html#privacy; seat of parent company: Deutsche Post AG, Headquarters, Platz der Deutschen Post, 53113 Bonn)
Activities performed by the data processor: Delivering purchased products to the clients at the address provided by the client (data subject). Drivers are provided only with the personal data that are strictly necessary for the delivery (name, address, telephone number).
Personal taking over at pickup points
Data processor: Lumen Zöldség és Közösségi Szolgáltató (address: 1077, Budapest,
Csányi utca 2.)
Activities performed by the data processor: Storing the purchased products, handing such products over to the client or the client’s representative. The data processor is provided only with the data that are strictly necessary to identify the products and the order (order identification).
Payment on the online shop
Data processor: PayPal (seat: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg; data processing regulations: https://www.paypal.com/hu/webapps/mpp/ua/privacy-full#7)
Data processor: OTP Mobil Kft. (seat: 1093 Budapest, Közraktár u. 30-32. Tel.: +36(1)366-6611 +36(20)366-6611 +36(30)366-6611 +36(70)366-6611 ; e-mail: firstname.lastname@example.org ; https://simplepay.hu)
Data transfer statement:
I acknowledge the following personal data stored in the user account of DOT FOR YOU Design Korlátolt Felelősségű Társaság (1068 Budapest, Király utca 80. fszt. 11.) in the user database of https://dotforyoushop.com will be handed over to OTP Mobil Ltd. (1093 Budapest, Közraktár u. -32.) and is trusted as data processor. The data transferred by the data controller are the following: name, email address, phone number, billing address, delivery address.
Activities performed by the data processor: Online payments made in connection with purchases from the online shop.
Data processor: KBOSS.hu Kft. (seat: 1031 Budapest, Záhony utca 7/C., Phone: +36-30-35-44-789, https://www.szamlazz.hu, e-mail: email@example.com, data processing information: https://www.szamlazz.hu/adatvedelem/)
Activities performed by the data processor: issuing invoices on purchases from the online shop in compliance with legal provisions. The data processor is provided with billing name, address and the purchase price.
Data processor: MailChimp (https://mailchimp.com/contact/; seat: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA; data processing information: https://mailchimp.com/legal/privacy/)
Activities performed by the data processor: sending to the subscribers to newsletters marketing materials and information with content specified by the data controller. For this purpose, the data processor is provided with the list of the e-mail addresses of subscribers to the newsletters.
MailChimp is the framework to regulate trans-Atlantic exchange of personal data for commercial purposes; a USA company registered in the so-called Privacy Shield, the MailChimp undertook to provide adequate protection to personal data, and therefore, personal data from the territory of the European Union are allowed to be transferred to it.
Data processor: ProfiTárhely Kft. (seat: 6000, Kecskemét, Szolnoki út 23.)
Providing for the technical conditions of the online shop
Data processor: Horváth Sándor e.v. (seat: 6077 Orgovány, Szabadság u 30.)
Activities performed by the data processor: Making dotforyoushop.com available and operating it. The data processor is provided with the personal data of data subject in the course of operating the website and fulfilling its tasks; and the personal data must be used in compliance with their purpose and only in the extent necessary for the fulfilment of the data processor’s duties.
Data processor: “haMARhelp” KFT. (seat: 1121 Budapest, Kútvölgyi út 66/a. I/4.)
Activities performed by the data processor: Performing auditing, accounting and pay rolling tasks related to the data controller’s operation. The data processor is provided with the contents of the data controller’s invoices and the data of the data controller’s employees which may be processed only in the context of complying with legal regulations.
RIGHTS OF THE DATA SUBJECT:
The data subject may at any time request information on the processing of his/her personal rights from the data controller, and may request the rectification and, except for the processing of mandatory data, the erasure and withdrawal of his/her personal data, the restriction of processing, and may use the right of data portability, as well may object as specified at the time of data recording or through customer service.
Right to information (right to access):
All data subjects are entitled to proper and transparent information, which is the obligation of data controllers. The information must be provided to the data subjects in plain language and free of charge.
The data controller is obliged to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; the envisaged period for which the personal data will be stored; the right to rectification, erasure, the restriction of processing and the right to objection; the right to lodge a complaint with a supervisory authority; any available information as to the source of data; the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
Right to rectification:
The data subject may request his or her inaccurate personal data processed by the data controller be rectified by the data controller and to supplement incomplete personal data, which the data controller is obliged to fulfil without undue delay.
Right to erasure (‘right to be forgotten’):
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay if
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based there is no other legal ground for the processing;
the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services.
The erasure of data may not be fulfilled if data processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical; or for the establishment, exercise or defence of legal claims.
Right to restriction of processing:
The data subject shall have the right to obtain from the controller restriction of processing if
the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Right to data portability:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
Right to object:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The data subject shall have the right to revoke his or her consent at any time. The revocation of consent shall not affect the lawfulness of processing based on consent before its revocation.
The controller shall provide information on action taken on a request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
The data subject can initiate measure related to the aforementioned rights in the following ways:
– by post: 1072 Budapest, Klauzál tér 7. 3. em. 6a,
– via e-mail: firstname.lastname@example.org
PERSONAL DATA BREACH:
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to the data subject shall not be required if any of the following conditions are met:
• the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
• the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
• it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.
As the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification is not made within 72 hours, the reasons for the delay should accompany the notification.
If the data subject has already contacted with data controller regarding the exercise of the aforementioned rights, but according to the data subject, his/her rights have been injured or there is an imminent risk thereof, or according to the data subject, the data controller restricts the data subject’s in exercising his or her rights related to his/her personal data or rejects his or her request, the data subject, with his/her report, may initiate an investigation at the competent authority, provided that he or she finds that the processing of his or her personal data does not comply with the legal regulations.
Such report may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information:
Hungarian National Authority for Data Protection and Freedom of Information 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, P.O. Box: 5.
Telephone: +36 -1-391-1400
The data subject is entitled to initiate court proceedings against the data controller due to the infringement of his or her rights under this information letter. The court proceeds as a matter of priority.
The data controller reserves the right to amend this information at any time. All data subjects must be notified of material amendments of the Policy appropriately (in newsletter, a pop-up window after logging in, etc.). By continuing to use the services, the data subjects acknowledge the amended rules and their consents deemed to be given.
Acts taken into account in the course of preparing this information letter:
– Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR);
– Act CXII of 2011 on informational self-determination and freedom of information (Infotv.);
– Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Ektv.)
– Act XLVIII of 2008 on essential conditions of and certain limitations to business advertising activity (Grt. vagy Reklámtv.)
– Act C of 2000 on Accounting (Számv.tv.)