The data controller is the operator of the website: https://thehungarianamphoraproject.com/ (hereinafter: Website), in terms of data processing, as follows:
1. Data Controller
Information of the data controller:
Vinemaxus Bor Korlátolt Felelősségű Társaság
Registered office: Lovassy Sándor u. 8., 8360 Keszthely, Hungary
Tax number: 26105545-2-20
Company registration number: 20-09-075667
Registration organisation: Registry Court of Zalaegerszeg
hereinafter referred to as: Data Controller.
2. The purpose, scope and duration of data processing
The personal data of the Website’s visitors and customers, as data subjects, that are necessary for contacting and communicating with Vinemaxus Bor Kft. providing information about the Website’s offers and promotions, fulfilling sales and purchase contracts concluded through the Website and exercising other rights related to the contracts or fulfilment of obligation (e.g. right of withdrawal or warranty claims) are controlled by the Data Controller. The recurring visitors of the Website have the option to register by providing some of their personal data, however it is still possible to make a purchase through the Website without registering on it.
The Data Controller controls the following categories of personal data:
– identification data: name, address
– contact data: e-mail, phone
– payment/invoice data: bank account number, tax number
– identification of visitor’s device: IP address.
Personal data is collected by the Data Controller or by persons/organizations providing data processing for the purpose and consent specified by the Data Controller. The data collection lasts as long as the fulfilment of contractual or legal obligations, the enforcement of claims arising from the contract or other data management purposes require it. Personal data will be deleted from the Data Controller’s records or properly anonymised if they are no longer needed.
The Data Controller has the right to forthwith delete the personal data provided in case of unlawful, deceptive use of personal data and/or in case of a criminal offence carried out by the person concerned, moreover in case of an attack on the Data Controller’s IT system. However, in case of an ongoing authority or court procedure concerning the above-mentioned, the personal data may be stored for the duration of the procedure of the proceedings or for the time the court indicates. Insofar as the court or authority legally mandates, the Data Controller must carry out the erasure of the personal data in accordance with the mandate.
3. Legal grounds for processing data
The Data Controller establishes the legal grounds for controlling the subject’s data in the section below, as follows:
Contract: the processing of personal data is necessary for fulfilment of the contract in which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 (1) (b) GDPR).
Fulfilment of legal obligation: the processing of certain personal data (mainly from tax, accounting purposes) is obligatory due to legal obligations, and authority or court request may also make data processing obligatory for the Data Controller (Art. 6 (1) (c) GDPR).
Consent: the Data Controller in all cases requests explicit consent to the processing of certain personal data which are necessary for the communication of information for marketing purposes (e.g. newsletters, advertisements, promotions) (Art. 6 (1) (a) GDPR).
Legitimate interest: the processing of specified data is necessary for the purposes of the legitimate interest pursued by the Data Controller or by a third party, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require the protection of personal data (Art. 6 (1) (f) GDPR).
4. Principles of data processing
The Data Controller performs the data processing lawfully, fairly and in a transparent manner, in accordance with the principles of purposefulness, data saving, accuracy, limited storage, integrity, confidentiality and accountability.
The Data Controller draws the attention to the fact that the provision of personal data to the Data Controller is voluntary, but in the absence of specific data or in case of inaccurate data, the Data Controller may not be able to communicate properly, enter into and/or fulfil the contract therefore, it is important that the provision of the data is accurate and complete. The Data Controller also explicitly indicates on the Website which data is essential for contracting, or entering into and fulfilling of the contract.
The provided personal data is not verified by the Data Controller. The provider of personal data is solely responsible for the adequacy of the personal data; however, the Data Controller shall take all reasonable measures to immediately delete or correct personal data that is not necessary for the purposes of data processing or that is incorrect or inaccurate.
5. Third-party services
The Data Controller uses accounting, IT, banking and delivery services for its economic activities provided by third parties. Based on the contracts conclude by the Data Controller with the service providers, a certain range of personal data may be transferred to these service providers for the purpose of data processing due to the nature of the service.
Service providers and services used by the Data Controller performing data control in connection with the services provided:
Company name: ADMIRÁL Adótanácsadó Kft.
Registered office: 8360 Keszthely, Lovassy S. u. 8., Hungary
Company registration number: 20-09-060656
Tax number: 10591266220
Company name: Promex BV
Registered office: Spelonckvaart 64A, 9180 Moerbeke-Waas, Belgium
Tax number: BE0899229986
Company name: Liegl & Dachser Szállítmányozási és Logisztkai Kft.
Registered office: 2085 Pilisvörösvár, Ipartelep utca 1., Hungary
Company registration number: 13-09-081858
Tax number: 11815798-2-44
Company name: K&H Bank Zrt.
Registered office: 1095 Budapest, Lechner Ödön fasor 9., Hungary
Company registration number: 01-10-041043
Tax number: 10195664-4-44
Certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information which are required to provide to them for your purchase-related transactions. For these providers, its recommended to read their privacy policies so the manner in which personal information will be handled by these providers is understood.
6. Storage of personal data, data security
The Data Collector’s computer systems and other locations for data storage are at its seat.
The Data Controller protects the data against all potential risks, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage or inaccessibility due to changes in the technology used. The Data Controller ensures the protection of security of data processing by all appropriate means, especially, with the all-time technical and organizational measures that provide a level of protection appropriate to the risks related to data processing.
7. Data subject’s rights concerning data processing
The following rights are applicable to the data subjects whose personal data is controlled by the Data Controller:
Right to Information: the data subject has the right to receive information on the course of data collection prior to the start of the obtainment of personal data (Art. 13 GDPR).
Right of Access: the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data copy of the personal data which are the subject of the processing (Art. 15 GDPR).
Right to rectification: the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Art. 16 GDPR).
Right to Erasure: the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay, if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and if any of the grounds for erasure under (b)-(f) of Article 17 (1) GDPR apply (Art. 17 GDPR).
Right to Restriction of Processing: the data subject has the right to obtain from the controller restriction of processing especially, if the controller no longer needs the personal data for the purposes of the processing or in case the processing is unlawful or in case any other grounds stipulated under (a)-(d) of Article 18 (1) GDPR are applicable (Art. 18 GDPR).
Notification obligation regarding rectification or erasure or personal data or restriction of processing: the controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it (Art. 19 GDPR).
Right to Data Portability: in accordance with the conditions stipulated under Article 20 GDPR the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (Art. 20 GDPR).
Right to Object: the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on (f) of Art. 6. (1) GDPR (Art. 21 GDPR).
Right to automated individual decision-making, including profiling: the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effect concerning him or her or similarly significantly affects him or her (Art. 22 GDPR).
Right to communication of a personal data breach to the data subject: when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay (Art. 34 GDPR).
Right to File a Complaint with a Supervisory Authority: every data subject has the right to file a complaint with a supervisory authority without prejudice to other administrative or judicial legal remedies, in particular in the member state of their residence, their workplace or the place the alleged offense occurred, if the data subject is of the view that the processing of personal data concerning him or her breaches these legal provisions (Art. 77 GDPR).
Right to an effective judicial remedy against a supervisory authority: each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them or if the competent supervisory authority does not hand a complaint or does not inform the data subject within three months on the progress of the outcome of the complaint lodged (Art. 78 GDPR).
Right to an effective judicial remedy against a controller or processor: each data subject shall have the right to an effective judicial remedy where he or she considered that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data (Art. 79 GDPR).
8. Legal provisions
9. Legal remedy, Data Protection Authority
On the basis of Article 52. § (2) paragraph of Infotv., anyone may have the right to make a complaint to the National Data Protection Authority (NAIH) claiming to have their personal data processed in an unlawful manner or in breach of their right.
Data Protection Authority in Hungary:
Nemzeti Adatvédelmi és Információsszabadság Hatóság
address: Falk Miksa utca 9-11., 1055 Budapest, Hungary
phone: +36 (1) 391-1400
fax: +36 (1) 391-1410
Detailed information may be found on the website of the authority: https://naih.hu.
Moreover, the data subject may initiate court proceeding against the Data Controller if he believes that the Data Controller or third-party service providers contracted by them are infringing the legal provisions on personal data control or the prescribed European Union regulations.
10. Questions, remarks and requests related to the data processing
No data protection officer has been appointed by the Data Controller. Any questions, remarks, requests relating to data processing may be sent to firstname.lastname@example.org E-mail address.
Vinemaxus Bor Kft.