Data Protection Notice for customers of the website vetom-probiotikum.hu

vetom-probiotikum.hu – effective from: 2024-08-20

Introduction

The protection of our customers’ personal data is important to us, therefore, in this Data Protection Notice we explain what personal data we process about you in the course of our business activities, for what purpose and on what legal basis, and what organizational and technical measures we take to protect your personal data.
The Data Protection Notice also contains the data protection rights you have when using our services.

1. Name of the data controller, hereinafter referred to as the Service Provider

• Company name: Intellexconn Kft.
• Tax number: 13767330-2-42
• Registered office: 1065. Bp. Nagymező utca 3.
• Mailing address: 1065 Budapest, Nagymező u. 3. – 1. em. 52.
• Telephone number: +36-20-22-83-418
• Email: shop@vetom-probiotikum.hu
• Company registration number: Cg. 01-09-872154
• Representative person: Attila Szilczer
• Bank account number: 11103406-13767330-01000003

2. Main legal provisions taken into account during data processing

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR or General Data Protection Regulation)
• Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.)
• Act V of 2013 on the Civil Code (Ptk.)
• Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (E-ker.tv.)
• Act CXXVII of 2007 on value added tax Act (VAT Act)
• Act C of 2000 on Accounting (Accounting Act)
• Act CLV of 1997 on Consumer Protection (Consumer Protection Act)

3. Definitions

Personal data: any information relating to an identified or identifiable natural person (“data subject”);

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special data: short name for special categories of personal data, special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the purpose of uniquely identifying a natural person, as well as data concerning health, data concerning the sex life or sexual orientation of a natural person.

Data processing: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Legal basis: authorization for data processing; the legal basis may be the consent of the data subject, preparation and/or performance of a contract, compliance with a legal obligation, protection of the vital interests of the data subject or of another person, performance of a public task or exercise of official authority, or the legitimate interests of the data controller or a third party.

Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear and unambiguous action, signifies agreement to the processing of personal data concerning him or her.

Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific aspects of its designation may also be determined by Union or Member State law.

Processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation: the processing of personal data in such a way that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is stored separately and that technical and organisational measures are taken to ensure that the personal data cannot be attributed to an identified or identifiable natural person.

Recipient: the natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether or not a third party.

Third party: the natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process the personal data.

Data breach: any breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Supervisory authority: an independent public authority established by a Member State in accordance with Article 51 of the GDPR. In Hungary, the National Data Protection and Freedom of Information Authority (headquarters: 1055 Budapest, Falk Miksa u. 9-11.) is the data protection supervisory authority.

4. Data processing principles

The Data Controller takes into account the following principles when processing personal data, such that personal data:

1. is processed lawfully and fairly, and in a manner that is transparent to the data subject (“lawfulness, fairness and transparency”);
2. is collected only for specified, explicit and legitimate purposes and is not processed in a manner that is incompatible with those purposes (“purpose limitation”)
3. is adequate and relevant for the purposes of the data processing, and is limited to the necessary extent (“data economy”);
4. accurate and, where necessary, kept up to date; and shall take all reasonable steps to ensure that personal data which are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay (“accuracy”);
5. stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
6. shall implement appropriate technical or organisational measures to ensure the security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (“integrity and confidentiality”).

5. Data processing activities

5.1. Data processing related to the request for quotation

Personal data processed

Purpose of data processing

Name, e-mail address, telephone number of the requesting client, other data provided in the request for quotation (e.g. address) offer management (preparation, sending of a quote, etc.).

Legal basis for data processing: GDPR Article 6 (1) b): preparation of a contract

Retention period of personal data: 5 years from the performance of the contract pursuant to Section 6:22 of the Hungarian Civil Code (if no order is placed following the request for quotation, the Data Controller will delete this data 6 months after the offer has been submitte

5.2. Data processing related to ordering and concluding a contract

Ordering on the website (webshop) is considered a contract concluded between distant parties. The contractual terms related to the order are contained in the General Terms and Conditions of Contract.

Personal data processed

Purpose of data processing

Name, (billing) address, e-mail address, telephone number, delivery address of the ordering/contracting customer

Order fulfillment

Concluding a contract

Legal basis for data processing: GDPR Article 6 (1) point b): performance of contract

Retention period of personal data: 5 years from the performance of the contract pursuant to Section 6:22 of the Civil Code, or 8 years from the performance of the contract pursuant to Section 169 (2) of the Accounting Act

Data processing related to the order and conclusion of the contract also includes the tax number of the legal entity, which does not qualify as personal data, but the tax identification number of natural persons is personal data. The tax identification number of a natural person is only included in the purchase contract and/or invoice if the data subject expressly requests it.

It is not necessary to register on the website in advance to place an order.

5.3. Data processing related to invoicing and electronic payment

Personal data processed

Purpose of data processing

name of the customer, billing address, payment identifier in case of electronic payment, other identifier requested by the customer

invoice management (issuance, storage, etc.)

Legal basis for data processing: Article 6 (1) point c) of the GDPR: Section 159 (1) of the VAT Act and Section 166 (1) of the Accounting Act

Duration of data processing: 8 years pursuant to Section 169 (1) of the Accounting Act

Data processing related to invoicing also includes the tax number of the legal entity, which does not qualify as personal data, however, the tax identification number of natural persons is personal data. The tax identification number of a natural person is only included in the invoice if expressly requested.

Information about electronic payment:

The vetom-probiotikum.hu webshop allows you to pay for your products using online payment services. The general terms and conditions of use of the service providers’ online payment services are available at the following link:

5.4. Data processing related to contact for the preparation or performance of a contract

Personal data processed

Purpose of data processing

Name, e-mail address and telephone number of the requesting party/ordering party/contracting client

Contact (including sending an electronic invoice)

Legal basis for data processing: GDPR Article 6 (1) point b): performance of a contract

Duration of data processing: 5 years pursuant to Section 6:22 of the Civil Code (if no order is placed, the personal data of the contact person will be deleted 6 months after the offer is made)

In the case of a legal person contracting party, in addition to the above data of the natural person of the contact person, we also process the name and registered office of the workplace on the legal basis and for the retention period specified in this point.

5.5. Data processing related to a complaint related to a contract

Personal data processed

Purpose of data processing

Name, e-mail address of the customer making the complaint, other data provided in the complaint (e.g. address, order details)

Complaint handling

Legal basis for data processing: Article 6 (1) c) of the GDPR: Consumer Protection Act § 17/A

Duration of data processing: 3 years from the date of the complaint pursuant to § 17/A (7) of the Consumer Protection Act

5.6. Data processing related to the use of the website (registration)

In order for the data subject to be able to use the advanced services of the website (loyalty points system, storage of billing and shipping data), registration involving the provision of personal data is required. The data subject is not obliged to provide personal data (register), and failure to do so will not have any adverse consequences for him/her (he/she can read the content of the website, place an order, initiate contact, etc.).

Personal data processed

Purpose of data processing

name, nickname, e-mail address, password, photo

comments on entries appearing on the website, contact

Legal basis for data processing: GDPR Article 6 (1) a): consent of the data subject

Duration of data processing: until the data subject withdraws their consent (see also: point 9.3 regarding the deletion of personal data)

The data subject gives their consent by completing the registration, and the consent is withdrawn by clicking on the “delete registration” button.

The registration is completed when the data subject clicks on the confirmation link sent to the provided e-mail address. In the event that there was no order and the data subject only used the website for browsing, the data of the completed registration will be stored as long as the registered user account is maintained by the data subject, i.e. in the event of deletion of the user account, the data provided during registration will also be deleted.

If the registration has been successfully completed (confirmed) and the data subject places an order via the website, the further points of the Data Processing Information regarding the processing and retention period of personal data must also be read.

The data of the incomplete (unconfirmed) registration will be deleted after 10 days.

The password provided during registration is stored by the website in a way that is not readable by the Data Controller or the website operator (with hidden characters).

In case of a forgotten password, the stored password will be deleted and a new password generated for a specific period of time (e.g. 24 hours) will be sent to the registered e-mail address. The customer must change the password sent by e-mail instead of the forgotten password upon first login.

A regisztráció során megadhatók a számlázási és a szállítási címre vonatkozó adatok, így az ismétlődő megrendelések esetén nem szükséges minden alkalommal kitölteni azokat. Az érintett bármikor módosíthatja vagy törölheti a regisztrációs felületen megadott számlázási és/vagy a szállítási címre vonatkozó adatokat, amely csak a módosítás, törlés időpontját követő számlákra és megrendelésekre lesz hatással. Leadott megrendelés miatt már kiállított, illetve a korábban elkészült számlák adatai a regisztrációs felületen való törlés hatására nem törlődnek, azok a számlázási adatok nyilvántartásában a megőrzési idő elteltéig (lásd 5.3. pont) megmaradnak. A szállítási cím adatainak módosítása vagy törlése a csomagszállítónak már átadott csomagok esetében nem érvényesül.

5.7. Use of website cookies

When the visitor/customer visits the vetom-probiotikum.hu website, a small file, so-called “cookie” (hereinafter referred to as “cookie”) is placed on his/her IT device (e.g. computer, laptop, tablet, mobile phone, hereinafter referred to as “device”), which can serve several purposes. Cookies allow, for example, the website to remember the settings of the visitor to the website for a certain period of time (e.g. chosen language), so that this data does not have to be entered again the next time the user visits the site. Some cookies are essential for the proper functioning of the website, others collect information about the use of the website to make the website even more convenient and useful. Essential (in other words, necessary) cookies are needed to browse the vetomprobiotikum.hu website and use the website’s functions; without their use, the smooth use of the website cannot be ensured.

Ensuring the proper functioning of the website is done in accordance with the provisions of Section 13/A (3) of the E-ker.tv. Some cookies are only temporary and disappear when the browser session is closed, but there are also those that remain on the device for a longer period of time. Permanent cookies are those that, unlike session cookies, are permanently stored on the data subject’s computer, so they are not automatically deleted when the browser is closed. The vetomprobiotikum.hu website does not use permanent cookies. Cookies can also be used to collect anonymized (not linked to an identified person) statistical data, which the Service Provider can use to get an idea of the browsing habits and user experiences of its website visitors.

Necessary cookies cannot identify the data subject visiting the website by themselves. We use cookies to record and process the following data about the data subject’s device and the browser used:

• the IP address used by the user,
• the type of browser used,
• the characteristics of the device used for browsing and its operating system,
• the exact time of the visit,
• the function or service used on the website,
• the time spent on the website
• the fact of accepting the cookie.

The purposes of managing cookies used on the vetom-probiotikum.hu website are:

• operating the website,
• facilitating the navigation of the user visiting the website on the website,
• ensuring access to the website functions,
• preparing web analytics measurements for statistical purposes on which parts of the website the user visiting the website visits.

Legal basis for data processing: GDPR Article 6(1)(a): consent of the data subject (given by visiting the website).

Cookies used by the Service Provider remain on the data subject’s device until deleted by the data subject or for 90 days. Different browsers allow you to change the cookie settings. Most browsers accept cookies as a default setting, but the data subject can change these settings, so that you can prevent automatic cookie acceptance or set a deletion time.

Further detailed information about the cookie settings of individual browsers:

• Google Chrome
• Firefox
• Safari
• Microsoft Internet Explorer
• Microsoft Edge
• Opera

5.8. Newsletter

Anyone who subscribes to the newsletter can be informed about the Service Provider’s latest offers, news and posts. Subscribing to the newsletter is not a condition for using the website.

Personal data processed

Purpose of data processing

name, nickname, e-mail address, password

marketing messages, contact

Legal basis for data processing: GDPR Article 6(1)(a): consent of the data subject

Duration of data processing: until the data subject withdraws their consent (see also: Section 9.3 regarding the deletion of personal data)

Unsubscribing from the newsletter is equivalent to withdrawing the data subject’s consent. The data subject can unsubscribe from the newsletter at any time, in which case the data subject will no longer receive notifications about the Data Controller’s offers.

5.9. Profiling, automated decision-making

The Service Provider does not use profiling (grouping according to certain characteristics, evaluation, etc.) and automated decision-making (decisions made exclusively by machine and affecting the data subject) with the personal data it processes.

6. Access to data, data transfer

Personal data may be accessed by the Service Provider and its contracted partners, as well as by employees of organizations involved in business activities, solely for the purpose of performing their duties and to the extent necessary.

Some of the Service Provider’s partners are considered data controllers, while others are considered data processors. Partner data controllers are involved in the following activities:

6.1. Electronic payment

Paypal

OTP SimplePay

6.2. Parcel delivery

Our contracted delivery partners – data processing policy:

Foxpost

Magyar Posta

Packeta

6.3. Community page

The Service Provider has created a business fan page within the social networks Facebook and Instagram (under the name Vetom probiotic) in order to share content, present its activities, products and the social events it organizes to the users of the social network and to the visitors of the Service Provider’s fan page. The business interface provided by Facebook and Instagram contains a number of options that the creator of the business fan page can use, but does not have the ability to change. This includes, for example, the cookies that Facebook and Instagram use to track (count and analyze user behavior) the visitors of the fan page.

As the operator of the fan page, the Service Provider may access demographic data regarding its target audience (e.g. composition by age, gender, marital status and professional status), data regarding the lifestyle and interests of its target audience (including data regarding online purchases of people visiting its page), as well as geographic data based on which it can make shared content more targeted and decide where to offer special discounts or organize events.

The Service Provider uses statistical data provided by Facebook and Instagram only to the extent necessary. Given that the data groupings provided by Facebook and Instagram may sometimes be suitable for personal identification, but the Service Provider has no influence on the collection and analysis of this data, it is advisable for users (visitors of the Service Provider’s fan page) to set privacy permissions in their personal Facebook and Instagram profiles that allow the sharing of information belonging to their private sphere to the narrowest possible circle. The privacy settings can be accessed by clicking on the symbol in the upper right corner of the Facebook and Instagram profile.

More details about Facebook’s privacy policy can be found here:

https://hu-hu.facebook.com/help…

More details about Instagram’s privacy policy can be found here:

https://www.facebook.com/help…

In addition to what is described in this Data Protection Notice, the Service Provider only transfers the personal data it processes to third parties (e.g. authorities, courts, or other state bodies) in a manner and for purposes specified by law.

7. Data Processors

The Service Provider also works with collaborators in the course of its business activities. Some of the collaborators are considered data controllers, as discussed in the previous section. Other collaborators may also have access to personal data processed by the Service Provider and perform data processing operations on behalf of the Data Controller (e.g. accounting, invoicing, website operation), therefore they are considered data processors under the GDPR.

Data Processors do not make independent data processing decisions, they are only authorized to act in accordance with the contract concluded with the Service Provider and the instructions received. The Service Provider only uses data processors that implement appropriate technical and organizational measures in order to guarantee a level of data security appropriate to the level of risk. The specific tasks and responsibilities of the Data Processor are included in the contract between the Service Provider and the Data Processor.

7.1. The Service Provider uses the invoicing program called Bilingo of Billingo Technologies Zrt. (registered office: 1133 Budapest, Árbóc utca 6. I. floor, company registration number: 01-10-140802, tax number: 27926309-2-41) to issue the invoice for the order, as well as maintenance and support services related to the program.

The Service Provider transfers data to the National Tax and Customs Administration (NAV) based on a legal obligation (VAT Act). The obligation to provide data to the NAV applies to the mandatory data content of the invoice or document considered to be an invoice according to the VAT Act.

7.2. In order to fulfill its obligations related to the operation of the Service Provider, it uses the accounting services of BENCE Kft., Registered Office: 1121, Budapest, Szabina u. 1, Tax ID: 12392719243).

7.3. In order to develop and operate its website, the Service Provider uses the services of Kovács Ferenc EV. (1204 Budapest, Wesselényi Utca 144., registration number: 58435274, tax ID: 47341182-1-43).

7.4. The Service Provider uses the services of nethely.hu as a hosting provider.

9. Rights of the data subject in relation to data processing

9.1. Right to request information

The data subject may request information in writing from the Service Provider, via the contact details provided in point 1, about

• what personal data,
• on what legal basis,
• for what purpose of data processing,
• from what source,
• for how long it is processed, and
• to whom, when, on the basis of what law, the Data Controller has provided access to which personal data of the data subject or to whom it has forwarded them.

The Service Provider shall comply with the data subject’s request within a maximum of one month by sending a response to the contact information provided by the data subject.

In the event that the data subject requests the information pursuant to this point in multiple copies, the Data Controller shall be entitled to charge a fee proportionate to the administrative costs of preparing the additional copies and at a reasonable rate.

If the data subject’s right of access pursuant to this point adversely affects the rights and freedoms of others, in particular the business secrets or intellectual property of others, the Service Provider shall be entitled to refuse to comply with the data subject’s request to the extent necessary and proportionate.

Before complying with the request, the Service Provider may request the data subject to clarify the content of the request and to specify the requested information and data processing activities.

9.2. Right to rectification

The data subject may request in writing, through the contact details provided in point 1, that the Service Provider modify (correct or supplement) any of his/her registered personal data (for example, he/she may change his/her e-mail address or other contact details at any time).

The Data Controller shall comply with the request within a maximum of one month, notifying the data subject of the completion thereof by letter sent to the contact details provided by him/her.

The data subject may also modify the data provided during registration on the Service Provider’s website himself/herself (see point 5.6), and the Data Controller shall inform the data subject of the completion thereof by a message sent to the data subject’s e-mail address.

9.3. Right to erasure

The data subject may request the Service Provider to erase his/her personal data in writing via the contact details provided in point 1. The Service Provider will not comply with the erasure request if the law obliges the data subject to continue storing the personal data and the data processing deadline specified in the law has not yet expired.

However, if there is no such obligation, the Service Provider will process the data subject’s request within a maximum of one month and will notify the data subject of the erasure by letter sent to the contact details provided by him/her.

The data subject may also delete the data provided during registration on the Service Provider’s website himself/herself (see point 5.6), and the Data Controller will inform the data subject of the event by sending a message to the data subject’s e-mail address.

9.4. Right to blocking (restriction of data processing)

The data subject may request in writing, through the contact details provided in point 1, that the Service Provider block his/her personal data. Blocking is done by clearly indicating the limited nature of data processing and by storing it separately from other data. This means that no other data processing operations can be performed on the data other than storage. Blocking lasts as long as the reason indicated by the data subject requires the blocked storage of personal data. The data subject may request the blocking of personal data, for example, if he/she believes that the Service Provider has processed his/her personal data unlawfully, but for the sake of the official or court proceedings initiated by him/her, it is necessary for the Data Controller not to delete the personal data. In this case, the Service Provider will store the personal data in a blocked state until the authority or court requests it, and will delete or continue to process them after the end of the official proceedings.

9.5. Right to data portability

The data subject may request in writing, through the contact details provided in point 1, that the Service Provider provide the personal data processed by automated means based on the data subject’s consent [GDPR Article 6 (1) a)] or performance of a contract [GDPR Article 6 (1) b)] in a structured, commonly used and machine-readable format.

In the event that the data subject’s right to data portability adversely affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Service Provider shall be entitled to refuse to comply with the data subject’s request to the extent necessary.

9.6. Right to object

The data subject may object in writing to the processing of personal data carried out on the basis of legitimate interest of the controller or a third party [GDPR Article 6 (1) (f)] through the contact details provided in point 1. The data subject may object to the processing, for example, if the Service Provider would transfer or use the personal data for the purpose of public opinion polling or scientific research without the data subject’s consent.

The Service Provider shall examine the data subject’s objection within a maximum of one month and shall notify the data subject of the result (including the notification of the deletion of any unlawfully processed personal data) by letter sent to the contact details provided by the data subject.

10. Legal enforcement and redress options related to data processing

In order to enforce their rights related to the protection of their personal data, the data subject may contact the Service Provider via the contact details specified in point 1.

If the data subject believes that their rights related to the protection of their personal data have been violated, they may contact the following authority for legal redress:

National Data Protection and Freedom of Information Authority (NAIH)
seat: 1055 Budapest, Falk Miksa u. 9-11.
mailing address: 1363 Budapest, Pf. 9.
telephone: +36 (1) 391-1400
website: www.naih.hu
email: ugyfelszolgalat@naih.hu

If the data subject experiences unlawful processing of his/her personal data, he/she may initiate court proceedings (civil lawsuit) against the Data Controller. The court shall be competent to adjudicate the case. The case may also be initiated – at the choice of the data subject – before the court of the data subject’s place of residence (you can view the contact details of the courts via the following link: https://birosag.hu/torvenyszekek)

11. Updating and Availability of the Privacy Policy

The Service Provider reserves the right to unilaterally amend this Privacy Policy. The Privacy Policy may be amended in particular if necessary due to changes in legislation, data protection supervisory authority practice, business needs or newly discovered security risks.