Effective from: 3rd May 2024
1. Introduction
The purpose of this Data Management Notice is to define the legal procedure for the use of records and databases kept by Anna Papai-Vonderviszt I.E. (registered office: 16/b. 2/6. Diofa str., 8200 Veszprem, HUNGARY) data controller - hereinafter: Data Controller - and the principles of data protection, the enforcement of the right to informational self-determination and data security requirements.
The Data Controller acknowledges the content of this legal notice as binding on herself, and undertakes that all data processing related to its activities complies with the requirements set out in these regulations and the applicable legislation, as well as in the legal acts of the European Union.
The Data Controller is committed to protecting the personal data of its customers and partners, treats personal data confidentially, and takes all security, technical and organizational measures that guarantee data security.
This data management information sheet covers the data management activities of Anna Papai-Vonderviszt I.E., and regulates the data management of websites https://flowerwrap.hu and https://flowerwrap.eu.
The Privacy Policy is available from the following website: https://flowerwrap.eu/privacy_policy
2. Data of the Data Controller
Anna Papai-Vonderviszt I.E.
registered office: 16/b. 2/6. Diofa str., 8200 Veszprem, HUNGARY
registration number : 58171172
tax number: 41934135-1-39
phone number: +36 202011343
e-mail: flowerwrap.japan@gmail.com
3. Legislation on which data management is based
• Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC ( general data protection regulation; hereinafter: "GDPR")
• CXII of 2011 Act on the right to information self-determination and freedom of information (hereinafter: "Infotv") • Act V of 2013 on the Civil Code (hereinafter: "Ptk") • CXXX of 2016. Act on Civil Procedure (hereinafter: "Pp.") • CVIII of 2001. Act - on certain issues of electronic commercial services and services related to the information society (hereinafter: "Eker. tv."); • XLVIII of 2008 Act - on the basic conditions and certain limitations of economic advertising activity (hereinafter: "Grt.").
4. Concepts related to personal data and their interpretation
- concerned: any natural person identified or - directly or indirectly - identified on the basis of personal data;
- personal data: any information relating to an identified or identifiable natural person ("data subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;
- data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as the collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, limiting, deleting or destroying;
- data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;
- data processing: the performance of technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data;
- data processor: the natural or legal person, public authority, agency or any other body that manages personal data on behalf of the data controller;
- registration system: a file of personal data in any way - centralized, decentralized or divided according to functional or geographical aspects - which is accessible based on specific criteria;
- recipient: the natural or legal person, public authority, agency or any other body to whom the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the handling of said data by these public bodies must comply with the applicable data protection rules in accordance with the purposes of the data management
- third party: the natural or legal person, public body, agency or any other body that is not the same as the data subject, the data controller, with the data processor or with the persons who have been authorized to handle personal data under the direct control of the data controller or data processor;
- the consent of the data subject: the voluntary, specific and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to the processing of his personal data;
- protest by the data subject: the statement of the data subject objecting to the handling of his personal data and requesting the termination of data management or the deletion of the processed data;
- data transfer: making the data available to a specific third party;
- disclosure: making the data available to anyone ;
- data erasure: rendering the data unrecognizable in such a way that their recovery is no longer possible;- data identification: providing the data with an identification mark in order to distinguish it;
- data blocking: providing the data with an identification mark in order to limit its further processing for a definitive or specified time;
- data destruction : the complete physical destruction of the data carrier containing the data;
- data protection incident: a violation of security that results in the accidental or illegal destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.
- third country: any state that is not an EEA state.
5. Principles of personal data management
5.1.
The processing of personal data must be carried out legally and fairly, as well as in a transparent manner for the data subject ("legality, fair procedure and transparency");
5.2.
Personal data should only be collected for specific, clear and legitimate purposes, and they should not be handled in a way that is incompatible with these purposes; in accordance with Article 89 (1), further data processing for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose ("purpose limitation");
5.3.
Personal data must be adequate and relevant for the purposes of data management and must be limited to what is necessary ("data sparing");
5.4.
Personal data must be accurate and, if necessary, up-to-date; all reasonable measures must be taken to promptly delete or correct personal data that is inaccurate for the purposes of data processing ("accuracy");
5.5.
Personal data must be stored in a form that allows the identification of the data subjects only for the time necessary to achieve the goals of personal data management; personal data may be stored for a longer period only if the personal data will be processed in accordance with Article 89 (1) for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, the rights of the data subjects and subject to the implementation of appropriate technical and organizational measures required to protect your freedoms ("limited storage capacity");
5.6.
The processing of personal data must be carried out in such a way that adequate security of the personal data is ensured by the application of appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage of the data ("integrity and confidentiality"). The data controller is responsible for compliance with the above, and must also be able to prove this compliance ("accountability").
5.7.
Personal data may be forwarded to a data controller engaged in data management in a third country or transferred to a data processor engaged in data processing in a third country if the data subject has expressly consented to it, or if the aforementioned conditions for data management are met, and the management and processing of the transferred data in the third country is ensured adequate level of protection of personal data. Data transfer to the EEA states must be considered as data transfer within the territory of Hungary.
6. Management of personal data
6.1.
The Data Controller carries out its data processing based on the voluntary consent of the data subjects or on the basis of legal authorization. In the case of voluntary consent, the data subject may at any time request information about the scope of the processed data and the manner in which it is used, and may also withdraw his consent, except in specific cases in which the data processing continues based on a legal obligation - in such cases, the Data Controller provides the data subject with information about the further processing of the data. Personal data may be processed even if obtaining the data subject's consent would be impossible or disproportionately expensive, and the processing of personal data is necessary for the purpose of fulfilling a legal obligation to the data controller, or for the purpose of asserting the legitimate interest of the data controller or a third party, and the enforcement of this interest is based on the personal data is proportionate to the limitation of the right to protection.
6.2.
Data informants are obliged to provide all provided data accurately to the best of their knowledge.
6.3.
If the informant does not provide his own personal data, the informant is obliged to obtain the consent of the data subject.
6.4.
If the Data Controller forwards the data to data processors or other third parties, the Data Controller keeps a record of them. The record of data transmission must include the recipient, the method, the date of the data transmission, as well as the scope of the data transmitted.
6.5.
The consent of the legal representative is required for the declaration of an incapacitated person and a minor with limited legal capacity under the age of 16, except for those parts of the service where the declaration is aimed at data management that occurs en masse in everyday life and does not require special considerations. to provide, then the personal data of the data subject may be processed to the extent necessary to protect the vital interests of one's own or another person, as well as to eliminate or prevent a direct threat to the life, physical integrity or property of the person, provided that there are no barriers to consent.
7. Data management
7.1. Contacting by telephone or e-mail
Scope of personal data processed: name, telephone number, e-mail address
Purpose of data management:
Contact for the purpose of identifying the contracting party and the interested party and making the appropriate offer.
Legal basis for data management:
The Data Subject's consent is Infotv. Section 5 (1) point a) and Regulation 2016/679 of the European Parliament and of the Council based on Article 6 (1) point a): "the data subject has given his consent to the processing of his personal data for one or more specific purposes"
Duration of data management:
Until the offer is given, a maximum of six months. In the event that a service is used or a purchase is made after the offer is made in connection with the contact, the data management rules for "Conclusion of a contract - Use of a service" will be applied to the processing of the Data Subject's data.
7. 2 Shopping on the Website
Scope of processed personal data: After clicking
the "Place order" button on the " Checkout " page , the following data will be used to complete the order:
name, email address, phone number, billing address, delivery address.
The purpose of data management is:
a) Identification of the contractual partner and fulfillment of the obligation arising from the sales contract, b) Delivery of the shipment by the courier service to the appropriate addressee, fulfillment of the invoicing obligation, c) Retrievability and verification of the data in case of possible legal disputes or claims, because this without data, the contract cannot be concluded, the order cannot be fulfilled.
Legal basis for data management:
The legal basis for data management in this context is Article 6 (1) point b) of Regulation 2016/679 of the European Parliament and of the Council, according to which "data management is necessary for the performance of a contract in which the data subject is one of the parties, or the before the conclusion of the contract, it is necessary to take steps at the request of the data subject; After the completion of the sales contract, the legal basis for data management is Article 6 (f) of Regulation 2016/679 of the European Parliament and of the Council, according to which: "data management is the Company or a third party it is necessary to enforce the legitimate interests of a party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data take precedence over these interests, especially if the data subject is a child."
Duration of data management:
The Company stores the above-mentioned data for a period of 5 years + 1 year (until the statute of limitations for claims arising from the contract) from the performance of the sales contract or from the failure of performance. based on § 169 of the Act, it is stored for a period of 8 years.
7. 3 Online payment on the website
Scope of personal data handled: name, transaction identifier, transaction date and status, e-mail address
Purpose of data management: Online payment, confirmation of transactions and fraud-monitoring for the protection of users (abuses control), management of commission settlements.
Legal basis for data management:
It is based on the User's voluntary consent. The legal basis for data management in this context is Info TV. Section 5.1) point a) and Regulation 2016/679 of the European Parliament and the Council Article 6 (1) point a) "the data subject has given his consent to the processing of his personal data for one or more specific purposes" and electronic commercial services, and CVIII of 2001 on certain issues of services related to the information society. Act 13/A. (3) of §
Duration of data management:
The Data Controller receives an invoice supplement from the service provider handling the payment transaction in connection with the commission settlements, which supplement contains the above-recorded data needed to identify the transactions. The Company stores the above-mentioned data for a period of 8 years from the issuance of the invoice in order to fulfill the accounting obligations based on § 169 of Act C of 2000.
Data transfer:
If you choose an online payment method, the payment amount will be transferred to Stripe Payments Europe, Limited (3 Dublin Landings, North Wall Quay, Dublin 1, Dublin) financial intermediary system, which system is responsible for commission settlements related to transactions conducted through them the above data will be forwarded to the Service Provider as an invoice attachment. During online transactions, the Data Controller does not acquire any data that could be used to abuse a bank card, e-wallet, or bank account. Regarding the use and storage of this data, the Data Management information of the given financial service provider to the governing Customer.
The Customer acknowledges that the following personal data will be transferred to Stripe Payments Europe, Limited as a data processor.
The nature and purpose of the data processing activity carried out by the data processor can be found in the Stripe Privacy Center at the following link:
7. 4 Bank transfer
Scope of processed personal data: name, bank account number
Purpose of data processing: Processing online payments, confirmation of transactions
Legal basis for data processing: Based on the voluntary consent of the user. The legal basis for data management in this context is Info TV. Section 5.1) point a) and Regulation 2016/679 of the European Parliament and the Council Article 6 (1) point a) "the data subject has given his consent to the processing of his personal data for one or more specific purposes" and electronic commercial services, and CVIII of 2001 on certain issues of services related to the information society. Act 13/A. (3) of §
Duration of data management:
In order to fulfill accounting obligations, 8 years based on § 169 of Act C of 2000."Accounting documents directly and indirectly supporting the accounting (including ledger accounts, analytical and detailed records), it must be preserved for at least 8 years in a readable form, in a way that can be retrieved based on the reference of the accounting records"
7. 5 Refund
Bank card/online refund
In the case of money refunds, the Data Controller initiates a refund transaction by referring to the bank card number/user data retrieved from the Stripe system, previously linked to transactions on the online interface. The relevant bank card number/user data is stored in the above financial systems. The data required for reimbursement will be provided to the Data Controller with a reduced information content, which will be used exclusively for the purpose of identifying the customer. During online transactions, the Data Controller does not acquire any data that could be used to abuse a bank card, e-wallet, or bank account. Regarding the use and storage of this data, the Data Management information of the given financial service provider to the governing Customer.
Refunds
Refunds can also be made by bank transfer, which is preceded by a request for the Buyer's bank account number by e-mail. Data related to this transaction will only be used during the repayment process, and the Data Controller does not keep a record of this data.
7. 6 Billing
The scope of personal data handled:
The Company complies with CXXVII of 2007 on general sales tax. in order to fulfill the obligations set out in the law, it issues an invoice in which the following data is indicated:
In the case of private individuals: name, address, e-mail address.
In the case of companies with legal personality (enterprises): name, registered office, tax number, e-mail address.
Purpose of data management:
The CXXVII of 2007. Act and the fulfillment of the obligations contained in Act C of 2000 on accounting.
Legal basis for data processing:
Article 6 (1) point c) of Regulation 2016/679 of the European Parliament and of the Council, according to which: "data processing is necessary to fulfill a legal obligation concerning the Company" Act and Act C of 2000 on accounting.
Duration of data management:
In order to fulfill accounting obligations, 8 years based on § 169 of Act C of 2000."Accounting documents directly and indirectly supporting the accounting (including ledger accounts, analytical and detailed records), at least It must be preserved for 8 years in a readable form, in a way that can be retrieved based on the reference of the accounting records"
Transfer of data:
The Company transfers the Customer's data to a third party in the following cases: a) based on legal obligation to NAV (National Tax and Customs Admistration, Hungary).
b ) for the following company operating the invoicing system : KBOSS.hu Kft. (operator of invoicing.hu)
7. 7 Data management related to sending a NEWSLETTER on the website
Scope of processed personal data:
e-mail address
Purpose of data management:
To inform the User about business promotions, current news and events. Sending e-mail newsletters containing commercial advertising to interested parties, providing information on current information, special offers, inquiries with direct marketing content, making personalized offers, maintaining contact.
Legal basis for data management:
Data management for the purpose of sending the newsletter is based on the User's voluntary consent. The legal basis for data management in this context is Info TV. § 5.1) point a) and Regulation 2016/679 of the European Parliament and the Council Article 6 (1) point a) "the data subject has given his consent to the processing of his personal data for one or more specific purposes"
Duration of data management:
Personal data processed for the purpose of sending the newsletter and on a legal basis will be processed by the Company until consent is withdrawn. The declaration of consent can be revoked at any time without limitation or justification, free of charge. If the User does not request the deletion of their data, we will process their personal data for 8 years. If the law provides for further processing of personal data, the Company will inform the User separately.
8. General rules for website visitor data management:
In order to provide customized service, external service providers store a small data package on the user's computer, so-called cookies are placed and read back.
our website's latest cookie information here:
9 . Data processors/stores
Hosting provider
Hosting provider
Company name: RACKFOREST INFORMATIKAI KERESKEDELMI SZOLGÁLTATÓ ÉS TANÁCSADÓ ZRT.
Tax number: 32056842-2-41
Headquarters: 1132 Budapest, Victor Hugo utca 11., 5. emelet
email: info@rackforest.hu
Telephone: +36 1 211 0044
Scope of managed data: Storage of all personal data provided by the data subject.
Scope of stakeholders: All stakeholders who use the website. Purpose of data management: Making the website available and operating it properly. Duration of data management, deadline for data deletion: Until the termination of the agreement between the data controller and the storage provider, or until the data subject reaches the storage provider data management lasts until the deletion request is made.
Legal basis for data processing: User's consent, Infotv. Section 5 (1), Article 6 (1) point a) and CVIII of 2001 on certain issues of electronic commerce services and services related to the information society. Act 13/A. (3) of §
Billing system operator
Name: KBOSS.hu Kft.
Company registration number: 01-09-303201
Tax number: 13421739-2-41
Headquarters: 1031 Budapest, Záhony utca 7., Hungary
email: info@szamlazz.hu
Scope of managed data: storage of invoicing data.
Purpose of data management: The CXXVII of 2007. Act and the fulfillment of the obligations contained in Act C of 2000 on accounting. Duration of data management, deadline for erasure of data: 8 years based on § 169 of Act C of 2000 in order to fulfill accounting obligations. and indirectly supporting accounting documents (including general ledger accounts, analytical and detailed records) must be kept in legible form for at least 8 years, in a way that can be retrieved based on the reference of the accounting records"
Legal basis for data processing: Article 6 (1) point c) of Regulation 2016/679 of the European Parliament and of the Council, according to which: "data processing is necessary to fulfill a legal obligation concerning the Company" The
relevant legal obligation is defined in CXXVII of 2007 on VAT Act and Act C of 2000 on accounting.
Tax authority
Name: National Tax and Customs Administration (Hungary)
Headquarters: 1054 Budapest, Széchenyi u. 2., Hungary
email: nav_kozpont@nav.gov.hu
Phone: +36 (1) 428-5100
Scope of managed data: processing of invoicing data.
Purpose of data management: The CXXVII of 2007. Act and the fulfillment of the obligations contained in Act C of 2000 on accounting. Duration of data management, deadline for erasure of data: 8 years based on § 169 of Act C of 2000 in order to fulfill accounting obligations. and indirectly supporting accounting documents (including general ledger accounts, analytical and detailed records) must be kept in legible form for at least 8 years, in a way that can be retrieved based on the reference of the accounting records"
Legal basis for data processing: Article 6 (1) point c) of Regulation 2016/679 of the European Parliament and of the Council, according to which: "data processing is necessary to fulfill a legal obligation concerning the Company"
Courier Service within Hungary
Name: FoxPost Zrt.
Tax number: 25034644-2-10
Headquarters: 3300 Eger, Pacsirta utca 35 A, Hungary
email: info@foxpost.hu
Telephone: 06-1-999-0-369
Data management information is available at the following link: https://foxpost.hu/en/general-terms-and-conditions
Scope of processed data: processing and storage of name, e-mail address, telephone number, delivery address.
The purpose of data management is: a) Identification of the contractual partner and fulfillment of the obligation arising from the sales contract, b) Delivery of the shipment by the courier service to the appropriate addressee, fulfillment of the invoicing obligation, c) Retrievability and verification of the data in case of possible legal disputes or claims, because this without data, the contract cannot be concluded, the order cannot be fulfilled.
Legal basis for data management: The legal basis for data management in this context is Article 6 (1) point b) of Regulation 2016/679 of the European Parliament and of the Council, according to which "data management is necessary for the performance of a contract in which the data subject is one of the parties, or the necessary to take steps at the request of the data subject prior to the conclusion of the contract; After the completion of
the sales contract, the legal basis for data management is Article 6 (f) of Regulation 2016/679 of the European Parliament and of the Council, according to which: "data management is carried out by the Company or a third party it is necessary to enforce the legitimate interests of a party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data take precedence over these interests, especially if the data subject is a child."
Duration of data management: The Company stores the above-mentioned data for a period of 5 years + 1 year (until the statute of limitations for claims arising from the contract) from the performance of the sales contract, or from the failure of performance.
Based on § 169 of Act C of 2000, it is stored for a period of 8 years from the issuance of the invoice in order to fulfill the accounting obligations.
Courier service to other countries than Hungary
Name: GLS General Logistics Systems Hungary Kft.
Registered office: 2351 Alsónémedi, GLS Európa utca 2. (Hungary)
Email: adatvedelem@gls-hungary.com
Data management information is available at the following link: https://gls-group.eu/GROUP/en/data-protection/
Scope of processed data: processing and storage of name, e-mail address, telephone number, delivery address.
The purpose of data management is: a) Identification of the contractual partner and fulfillment of the obligation arising from the sales contract, b) Delivery of the shipment by the courier service to the appropriate addressee, fulfillment of the invoicing obligation, c) Retrievability and verification of the data in case of possible legal disputes or claims, because this without data, the contract cannot be concluded, the order cannot be fulfilled.
Legal basis for data management: The legal basis for data management in this context is Article 6 (1) point b) of Regulation 2016/679 of the European Parliament and of the Council, according to which "data management is necessary for the performance of a contract in which the data subject is one of the parties, or the necessary to take steps at the request of the data subject prior to the conclusion of the contract; After the completion of
the sales contract, the legal basis for data management is Article 6 (f) of Regulation 2016/679 of the European Parliament and of the Council, according to which: "data management is carried out by the Company or a third party it is necessary to enforce the legitimate interests of a party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data take precedence over these interests, especially if the data subject is a child."
Duration of data management: The Company stores the above-mentioned data for a period of 5 years + 1 year (until the statute of limitations for claims arising from the contract) from the performance of the sales contract, or from the failure of performance.
Based on § 169 of Act C of 2000, it is stored for a period of 8 years from the issuance of the invoice in order to fulfill the accounting obligations.
1 0 . Method of storing personal data, security of data management
Data management
The Data Controller processes the data provided by the User during contact via the website within the territory of the European Union, on the server of the above-mentioned Data Processor's hosting provider.
Only the Data Controller has access to the data, it is managed only by the employees of the Data Controller company, and it is used exclusively for making contact and providing quotations.
- The data controller selects and operates the IT tools used for the management of personal data during the provision of the service in such a way that the managed data: a) is accessible to those entitled to it (availability); b) its authenticity and authentication are ensured (authenticity of data management); c) its immutability can be verified (data integrity); d) be protected against unauthorized access (data confidentiality). against becoming inaccessible due to a change in technology
- In order to protect the data files managed electronically in its various records, the data controller ensures with an appropriate technical solution that the stored data cannot be directly connected and assigned to the data subject, unless permitted by law.
In view of the ongoing development of technology, the data controller ensures the protection of the security of data management with technical, organizational and organizational measures that provide a level of protection corresponding to the risks associated with data management.
- The data controller preserves confidentiality during data management and protects the information so that only those who are authorized to do so can access it; preserves the integrity, protects the accuracy and completeness of the information and the method of processing, protects the availability, ensures that the right holder can access the desired information if necessary, and that the related tools are available.
- The data controller declares that its IT system and network are both protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security with server-level and application-level protection procedures.
- Data controller declares that the data it manages - in electronic form - are stored at its headquarters, with the exception of data stored at the Data Controller's data processors, which are stored at the data processors' headquarters.
The data controller uses an IT system that ensures that the data is accessible to those entitled to it (availability); the authenticity of the data must be ensured (authenticity of data management); the immutability of the data can be verified (data integrity); the data must be protected against unauthorized access (data confidentiality).
1 1 . Rights of the affected parties, legal remedies
Personal data may only be processed for a specific purpose, in order to exercise a right and fulfill an obligation. All stages of data management must comply with this purpose, and the collection and handling of data must be fair. Only such personal data can be processed that is essential for the realization of the purpose of data management, is suitable for achieving the purpose, and only to the extent and for the time necessary for the realization of the purpose.
The right to information: You can request information about the processing of your personal data, and you can request the correction of your personal data, or - with the exception of mandatory data processing - deletion or withdrawal, you can use your data portability and objection rights in the manner indicated when the data was collected, or at the contact details of the data controller specified in this Data Management Information .
You must be informed clearly, comprehensibly and in detail about all the facts related to the processing of your data, including in particular the purpose and legal basis of the data processing, the person entitled to the data processing and the data processing, the duration of the data processing, if your personal data is processed by the data controller with the consent of the data subject and the legal requirements applicable to the data controller. it is handled for the purpose of fulfilling an obligation or asserting the legitimate interests of a third party, as well as about who can see the data.
The right to access:
You have the right to receive feedback from the Data Controller as to whether your personal data is being processed, and if such data processing is underway, you are entitled to access your personal data and the information listed in the regulation. we provide information on whether data processing is in progress for you with regard to the following: - personal data relating to you - the purposes of data processing; - categories of personal data concerned; - the persons to whom the data subject's data has been disclosed or will be disclosed; - duration of data storage; - the right to correction, deletion, and restriction of data processing; - the right to appeal to the court or supervisory authority; - the source of the processed data; - profiling and/or automated decision-making, as well as the details and practical effects of such application; - the transfer of processed data to a third country or international organization. In the event of a data request, we are obliged to issue a copy of the data that we manage in accordance with the request. The deadline for issuing the requested data is 30 days from the receipt of the request.
Right to rectification:
You have the right to request that the data controller correct inaccurate personal data concerning you without undue delay. Taking into account the purpose of data management, you are entitled to request the completion of incomplete personal data, including by means of a supplementary statement.
Right to erasure:
You have the right to request that the Data Controller delete your personal data without undue delay, and the Data Controller is obliged to delete your personal data without undue delay under the following specified conditions: -
personal data is no longer needed for the purpose for which they were collected or otherwise processed; - the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management; - the data subject objects to the data processing and there is no overriding legal reason for the data processing; - personal data were handled illegally; - personal data must be deleted in order to fulfill the legal obligation prescribed by EU or Member State law applicable to the data controller; - personal data was collected in connection with the offering of services related to the information society. Data deletion cannot be initiated if data management is necessary: for the purpose of exercising the right to freedom of expression and information; for the purpose of fulfilling the obligation under the EU or Member State law applicable to the data controller requiring the processing of personal data, or for the execution of a task performed in the public interest or in the context of the exercise of public authority conferred on the data controller; affecting the field of public health, or for archival, scientific and historical research purposes or for statistical purposes, based on public interest; or to submit, assert or defend legal claims.
The right to limit data processing:
You have the right to have the data controller limit data processing at your request if one of the following conditions is met: - You dispute the accuracy of your personal data, in which case the restriction applies to the period that allows the data controller to check accuracy of personal data; - the data management is illegal and you oppose the deletion of the data and instead request the restriction of their use; - the data controller no longer needs the personal data for the purpose of data management, but you require them to submit, enforce or defend legal claims; - You objected to data processing; in this case, the limitation applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over your legitimate reasons.
Right to data portability:
You have the right to receive the personal data concerning you that you have provided to a data controller in a segmented, widely used, machine-readable format, and you are also entitled to transmit this data to another data controller without being hindered by the data controller to whom you made the personal data available.
Right to object:
If personal data is processed for direct business acquisition, you have the right to object at any time to the processing of your personal data for this purpose, including profiling, if it is related to direct business acquisition. If you object to the processing of personal data for direct business purposes, then the personal data may no longer be processed for this purpose. You have the right, for reasons related to your own situation, to object at any time to the processing of your personal data necessary for the performance of tasks carried out in the public interest or in the context of the exercise of public authority granted to the data controller, or the processing necessary to enforce the legitimate interests of the data controller or a third party, including profiling based on the aforementioned provisions . In the event of a protest, the Data Controller may no longer process the personal data, unless it is justified by compelling legitimate reasons that take precedence over your interests, rights and freedoms, or that are related to the submission, enforcement or defense of legal claims.
Automated decision-making in individual cases, including profiling:
You have the right not to be subject to the scope of a decision based solely on automated data management, including profiling, which would have legal effects on you or similarly significantly affect you.
The previous paragraph does not apply if the decision:
- is necessary to conclude or fulfill a contract between you and the data controller; - it is made possible by EU or member state law applicable to the data controller, which also establishes appropriate measures for the protection of your rights and freedoms, as well as your legitimate interests; or - based on your express consent. Right of withdrawal: You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal.
1 2 . Informing the Data Subject about the data protection incident
If the data protection incident likely entails a high risk for the rights and freedoms of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay.
In the information provided to the data subject, the nature of the data protection incident must be clearly and comprehensibly explained, and the name and contact details of the data protection officer or other contact person providing further information must be disclosed, the likely consequences of the data protection incident must be described, and the data controller must explain the data protection incident. measures taken or planned to remedy it, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
The data subject does not need to be informed if any of the following conditions are met:
- the data controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures - such as the application of encryption - which make the data unintelligible to persons not authorized to access the personal data; - after the data protection incident, the data controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future; - providing information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects. - If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to involve a high risk, may order the data subject to be informed.
The data controller shall report the data protection incident to the competent supervisory authority pursuant to Article 55 without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to the rights of natural persons and freedoms. If the notification is not made within 72 hours, the reasons justifying the delay must also be attached.
1 3 . Procedural rules
1 3 .1.
If GDPR 15-22 applies to the Data Controller. article, the data controller shall inform the data subject in writing as quickly as possible, but no later than within 30 days, of the measures taken based on the request.
1 3 .2.
If the complexity of the request or other objective circumstances justify it, the above deadline can be extended once, for a maximum of 60 days. The Data Controller shall notify the data subject in writing of the extension of the deadline, together with the appropriate justification for the extension.
1 3 .3.
The Data Controller provides the information free of charge, unless: a. the data subject repeatedly requests information/measures for essentially unchanged content; b. the request is clearly unfounded; c. the request is excessive.
The Data Controller is entitled to:
a.) refuse the request; b.) bind the fulfillment of the request to the payment of a reasonable fee related to it.
1 3 .4.
If the applicant requests the transfer of the data on paper or on an electronic data carrier (CD or DVD), the Data Controller will transfer a copy of the relevant data free of charge in the manner requested (unless the chosen platform would be technically disproportionately difficult). An administration fee of HUF 500 per page/CD-DVD is charged for each additional requested copy. 1 3 .5.
The data controller notifies all persons to whom the relevant data were previously disclosed of the correction, deletion, or restriction it has implemented, unless the disclosure is impossible or requires a disproportionately large effort. 1 3 .6.
If requested by the data subject, the Data Controller will provide information to which persons their data has been forwarded. 1 3 .7.
The Data Controller shall respond to the request in electronic form, unless: - the data subject specifically requests the answer in a different way, and it does not cause unreasonably high additional expenses for the Data Controller;
- the Data Controller does not know the electronic contact information of the data subject. 1 3 .8.
Exercising the right to object: The Data Controller examines the objection as soon as possible, but no later than 15 days after the submission of the request, makes a decision on its validity, and informs the applicant of its decision in writing. and also data transmission - terminates and locks the data, as well as notifies all those to whom the personal data affected by the protest was previously transmitted, about the protest and the measures taken based on it, and who are obliged to take measures to enforce the right to protest.
1 4 . Legal remedy
If you have any objections or problems regarding our data management , please feel free to contact us directly at the following address:
Anna Papai-Vonderviszt I.E.
registered office: 16/ b. 2/6. Diofa str., 8200 Veszprem, Hungary.
phone number: +36 202011343
Email: flowerwrap.japan@gmail.com
Compensation and damage fee
Any person who has suffered material or non-material damage as a result of a violation of the data protection regulation is entitled to compensation from the Data Controller or data processor for the damage suffered. The Data Processor is only liable for damages caused by data processing if it has not complied with the obligations set forth in the law, specifically burdening the Data Processor, or if it has ignored or acted contrary to the lawful instructions of the Data Controller. The Data Controller or the data processor is exempted from liability if it proves that it is not responsible in any way for the event that caused the damage.
Right to go to court:
If, according to the data subject's point of view, his rights have been violated by the Data Controller and/or the data processors, he is entitled to Pp. to apply to a court with jurisdiction and authority. The court acts out of sequence in the case.
Official data protection procedure:
You can file a complaint with the National Data Protection and Freedom of Information Authority: Name: National Data Protection and Information Freedom Authority Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Mailing address: 1530 Budapest, Pf.: 5. Telephone: 06-1/391-1400; fax: 06-1/391-1410 E-mail: ugyfelszolgalat@naih.hu Website: http://www.naih.hu
Cooperation with authorities If the Data Controller receives an official request from the authorized authorities, it will obligatorily hand over the specified personal data.
The Data Controller only transfers data that is absolutely necessary to achieve the goal specified by the requesting authority.
This Information Sheet serves as information for those concerned to present the data management practices of the Data Controller, with the Data Controller reserving the right to change this information sheet.
