Privacy policy

Document certified and prepared by: Virtualjog.hu

Date of last update: 13 April 2023

HAPPY NATURALS DATA PROTECTION POLICY

Natura Labs Kft.

Data processing information

Introduction

Natura Labs Kft. (1132 Budapest, Visegrádi u. 43-45. 3/15, tax number: 28831990-2-41, company registration number/registration number: 0) (hereinafter: Service Provider, data controller) is subject to the following policy:

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information.

This privacy policy governs the data processing of the following websites/mobile applications: https://nutriqafoods.hu/

The privacy policy is available at the following address: https://nutriqafoods.hu/policies/privacy-policy

Amendments to the policy shall take effect upon publication at the above address.

Data controller and contact details

Name: Natura Labs Kft.

Registered office: 1132 Budapest, Visegrádi u. 43-45. 3/15

Email: hello@nutriqafoods.hu

Phone: +36706698575

Definitions

  1. "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. "controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  4. "processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  5. "recipient" means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether a third party or not. Public authorities which may access personal data in the framework of a specific inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  6. "consent of the data subject" means a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  7. "data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to the processing of personal data

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; in accordance with Article 89(1), further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes ("purpose limitation");
  3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
  4. accurate and, where necessary, kept up to date;
  5. every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
  6. stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required in this Regulation in order to safeguard the rights and freedoms of the data subject ("limited storage");
  7. processed in such a manner that appropriate technical or organizational measures are applied to ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage ("integrity and confidentiality").

The data controller is responsible for compliance with the above and must be able to demonstrate such compliance ("accountability").

The data controller declares that its data processing is carried out in accordance with the principles set out in this section.


Data processing related to the operation of the online store / use of services

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

| Personal data | Purpose of data processing | Legal basis |
|---|---|---|
| User name | Identification, enabling registration. | Article 6(1)(b) of the GDPR and Section 13/A(3) of the Elker tv. |
| Password | Serves to enable secure access to the user account. | |
| First and last name | Necessary for establishing contact, making purchases, issuing proper invoices, and exercising the right of withdrawal. | |
| Email address | Maintaining contact. | |
| Phone number | For maintaining contact and more efficient coordination of issues related to invoicing or delivery. | |
| Billing name and address | For issuing proper invoices, as well as for creating contracts, determining and modifying their content, monitoring their fulfillment, invoicing the resulting fees, and enforcing related claims. | Article 6(1)(c) and Section 169(2) of Act C of 2000 on Accounting |
| Delivery name and address | Enabling home delivery. | Article 6(1)(b) of the GDPR and Section 13/A(3) of the Elker tv. |
| Date of purchase/registration | Performing a technical operation. | |
| IP address at the time of purchase/registration | Performing a technical operation. | |

2. Scope of data subjects: All data subjects registered/purchasing on the webshop website. Neither the username nor the email address need to contain personal data.

3. Duration of data processing, deadline for data deletion: If any of the conditions set out in Article 17(1) of the GDPR apply, the data will be retained until the data subject requests its deletion. The data controller shall inform the data subject electronically of the deletion of any personal data provided by the data subject in accordance with Article 19 of the GDPR. If the data subject's request for deletion also covers the email address provided by them, the data controller shall also delete the email address after providing the information. This does not apply to accounting documents, as these data must be retained for 8 years pursuant to Section 169(2) of Act C of 2000 on Accounting. The contractual data of the data subject may be deleted upon expiry of the civil law limitation period, based on the data subject's request for deletion.

Accounting documents directly and indirectly supporting the bookkeeping (including general ledger accounts, analytical and detailed records) must be retained in a readable form for at least 8 years, in a manner that allows them to be retrieved based on references in the accounting records.

4. Persons authorized to access the data, recipients of personal data: Personal data may be processed by the data controller and its authorized employees, in accordance with the above principles.

5. Description of the rights of data subjects in relation to data processing:

  • The data subject may request the data controller to access, rectify, erase or restrict the processing of personal data concerning him or her, and
  • the data subject has the right to data portability and to withdraw consent at any time.

6. The data subject may initiate access to, deletion, modification, or restriction of the processing of personal data, as well as data portability, in the following ways:

  • by post at 1132 Budapest, Visegrádi u. 43-45. 3/15,
  • by email at hello@nutriqafoods.hu,
  • by telephone at +36706698575.

7. Legal basis for data processing:

1. Article 6(1)(b) and (c) of the GDPR,

2. Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter: Elker tv.):

The service provider may process personal data that is technically necessary for the provision of the service for the purpose of providing the service. The service provider shall, under the same conditions, select and operate the means used in the provision of information society services in such a way that personal data are processed only if this is absolutely necessary for the provision of the service and for the fulfilment of other purposes specified in this Act, but even in this case only to the extent and for the period necessary.

3. In the case of invoices issued in accordance with accounting legislation, Article 6(1)(c).

4. In the case of the enforcement of claims arising from a contract, 5 years in accordance with Section 6:22 of Act V of 2013 on the Civil Code.

Section 6:22 [Limitation period]

(1) Unless otherwise provided by this Act, claims shall become time-barred after five years.

(2) The limitation period shall commence when the claim becomes due.

(3) Any agreement to change the limitation period shall be made in writing.

(4) Any agreement that excludes the statute of limitations shall be null and void.

8. Please note that

  • data processing is necessary for the performance of the contract and for making an offer.
  • You are required to provide personal data so that we can fulfill your order.
  • Failure to provide data will result in the consequence that we will not be able to process your order.


Contact

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

| Personal data | Purpose of data processing | Legal basis |
|---|---|---|
| Name | Identification | Article 6(1)(a) and (b) |
| Email address | Maintaining contact, sending replies | Article 6(1)(a) and (b) |
| Phone number | Maintaining contact | Article 6(1)(a) and (b) |
| Message content | Necessary for replying | Article 6(1)(a) and (b) |
| Date of contact | Performing technical operations. | Article 6(1)(a) and (b) |
| IP address at the time of contact | Performing technical operations. | Article 6(1)(a) and (b) |

The email address does not need to contain personal data.

2. Data subjects: All data subjects who send a message via the contact form.

3. Duration of data processing, deadline for erasure: If any of the conditions set out in Article 17(1) of the GDPR apply, the data will be retained until the data subject requests its erasure.

4. Persons authorized to access the data, recipients of personal data: Personal data may be processed by the data controller's authorized employees.

5. Description of the rights of data subjects in relation to data processing:

  • The data subject may request the data controller to grant access to personal data concerning him or her, to rectify, erase or restrict the processing of such data, and
  • the data subject has the right to data portability and to withdraw consent at any time.

6. The data subject may request access to, erasure, rectification or restriction of processing of personal data, as well as data portability, in the following ways:

  • by post to 1132 Budapest, Visegrádi u. 43-45. 3/15,
  • by email at hello@nutriqafoods.hu,
  • by telephone at +36706698575.

7. Legal basis for data processing: consent of the data subject, Article 6(1)(a) and (b). By contacting us, you consent to the processing of your personal data (name, telephone number, email address) provided to us during the contact in accordance with this policy.

8. Please note that

  • this data processing is based on your consent and is necessary for making an offer.
  • You are required to provide personal data in order to contact us.
  • Failure to provide data will result in you being unable to contact the data controller.
  • The withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal.


Customer relations

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

| Personal data | Purpose of data processing | Legal basis |
|---|---|---|
| Name, email address, telephone number. | Maintaining contact, identification, performance of contracts, business purposes. | Article 6(1)(b) and (c), Section 6:21 of Act V of 2013 on the Civil Code in the case of the enforcement of claims arising from the contract. |

2. Scope of data subjects: All data subjects who are in contact with the data controller by telephone/email/in person or who are in a contractual relationship with the data controller.

3. Duration of data processing, deadline for data deletion: Letters containing requests will be kept until the data subject requests their deletion, but for a maximum of 2 years.

4. Persons authorized to access the data, recipients of personal data: Personal data may be processed by the data controller's authorized employees, in accordance with the above principles.

5. Description of the data subject's rights in relation to data processing:

  • The data subject may request the data controller to access, rectify, erase or restrict the processing of personal data concerning him or her, and
  • the data subject has the right to data portability and to withdraw consent at any time.

6. The data subject may initiate access to, erasure, modification, or restriction of the processing of personal data, as well as data portability, in the following ways:

  • by post at 1132 Budapest, Visegrádi u. 43-45. 3/15,
  • by email at hello@nutriqafoods.hu,
  • by phone at +36706698575.

7. Legal basis for data processing:

Please note that

  • data processing is necessary for the performance of the contract and for making an offer.
  • You are obliged to provide personal data so that we can perform the contract/fulfill your other requests.
  • Failure to provide data will result in the consequence that we will not be able to perform the contract/process your request.


Newsletter, DM activity

1. Pursuant to Section 6 of Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities, the User may give their prior and express consent to the Service Provider contacting them with advertising offers and other communications at the contact details provided during registration.

2. Furthermore, the Customer may consent to the Service Provider processing their personal data necessary for sending advertising offers, taking into account the provisions of this information notice.

3. The Service Provider shall not send unsolicited advertising messages, and the User may unsubscribe from receiving offers free of charge, without restriction or justification. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from advertisements by clicking on the link in the message.

4. The fact of data collection, the scope of data processed, and the purpose of data processing:

| Personal data | Purpose of data processing | Legal basis |
|---|---|---|
| Name, email address. | Identification, enabling subscription to the newsletter/promotional coupons. | Consent of the data subject, Article 6(1)(a). Section 6(5) of Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities. |
| Date of subscription | Execution of technical operation. | |
| IP address at the time of subscription | Execution of technical operation. | |

5. Data subjects: All data subjects who subscribe to the newsletter.

6. Purpose of data processing: sending electronic messages containing advertising (e-mail, SMS, push messages) to the data subject, providing information about current news, products, promotions, new features, etc.

7. Duration of data processing, deadline for data deletion: data processing lasts until the withdrawal of the consent statement, i.e. until unsubscribing.

8. Persons authorized to access the data, recipients of personal data: Personal data may be processed by the data controller and its sales and marketing staff, in accordance with the above principles.

9. Description of the rights of data subjects in relation to data processing:

  • The data subject may request the data controller to access, rectify, erase or restrict the processing of personal data concerning him or her, and
  • may object to the processing of his or her personal data, and
  • the data subject has the right to data portability and to withdraw consent at any time.

10. The data subject may request access to, erasure, rectification or restriction of processing of personal data, data portability or object to the processing of personal data in the following ways:

  • by post to 1132 Budapest, Visegrádi u. 43-45. 3/15,
  • by email at hello@nutriqafoods.hu,
  • by phone at +36706698575.

11. The data subject may unsubscribe from the newsletter at any time, free of charge.

12. Please note that

  • data processing is based on your consent and the legitimate interests of the service provider.
  • You are required to provide personal data if you wish to receive our newsletter.
  • Failure to provide data will result in us being unable to send you the newsletter.
  • Please note that you can withdraw your consent at any time by clicking on the unsubscribe link.
  • Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal.


Complaint handling

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

| Personal data | Purpose of data processing | Legal basis |
|---|---|---|
| First and last name | Identification, maintaining contact. | Article 6(1)(c) and Section 17/A(7) of Act CLV of 1997 on consumer protection. |
| Email address | Maintaining contact. | |
| Phone number | Maintaining contact. | |
| Billing name and address | Identification, handling quality complaints, questions, and problems related to the products/services ordered. | |

2. Scope of data subjects: All data subjects who make purchases on the website and have quality complaints or make complaints.

3. Duration of data processing, deadline for data deletion: Copies of the report on the complaint, the transcript and the response to it must be retained for 3 years in accordance with Section 17/A (7) of Act CLV of 1997 on consumer protection.

4. Persons authorized to access the data, recipients of personal data: Personal data may be processed by the data controller and its authorized employees, in accordance with the above principles.

5. Description of the rights of data subjects in relation to data processing:

  • The data subject may request the data controller to access, rectify, erase or restrict the processing of personal data concerning him or her, and
  • the data subject has the right to data portability and to withdraw consent at any time.

6. The data subject may initiate access to, erasure, modification, or restriction of the processing of personal data, as well as data portability, in the following ways:

  • by post at 1132 Budapest, Visegrádi u. 43-45. 3/15,
  • by email at hello@nutriqafoods.hu, or
  • by phone at +36706698575.

7. Please note that

  • the provision of personal data is based on a legal obligation.
  • The processing of personal data is a prerequisite for the conclusion of the contract.
  • You are required to provide personal data so that we can handle your complaint.
  • Failure to provide data will result in us being unable to handle your complaint.


Cookie management

1. The use of so-called "password-protected session cookies," "shopping cart cookies," "security cookies," "necessary cookies," "functional cookies," and "cookies responsible for managing website statistics" does not require prior consent from the data subjects.

2. The fact of data processing, the scope of data processed: Unique identification number, dates, times

3. Scope of data subjects: All data subjects visiting the website.

4. Purpose of data processing: Identification of users, tracking of visitors, ensuring customized operation.

5. Duration of data processing, deadline for data deletion:

| Cookie type | Legal basis for data processing | Duration of data processing |
|---|---|---|
| Session cookies or other cookies essential for the operation of the website | Article 6(1)(f) of the GDPR. The legitimate interest of the data controller for the purpose of operating the website, ensuring the functionality and basic functions of the website, and the security of the computer system. | The relevant period until the end of the visitor's session |
| Persistent or saved cookies | Article 6(1)(f) of the GDPR. The legitimate interest of the data controller in operating the website, ensuring the functionality and basic features of the website, and the security of the computer system | Data processing lasts until the data subject is deleted, or until cookies with a specific validity period (permanent, saved) are deleted, but they are stored on the computer until their expiry date at the latest. |
| Statistical and marketing cookies | Article 6(1)(a) of the GDPR | 1 month - 2 years |

6. Persons authorized to access the data: The data controller may access personal data.

7. Description of the data subject's rights regarding data processing: Data subjects have the option to delete cookies in the Tools/Settings menu of their browser, usually under the Privacy settings.

8. Most browsers used by our users allow you to set which cookies to save and allow (specific) cookies to be deleted again. If you restrict the storage of cookies on certain websites or do not allow third-party cookies, this may mean that our website can no longer be used in its entirety under certain circumstances. Here you will find information on how to customize cookie settings in common browsers:

Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)

Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)

Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn)

Safari (https://support.apple.com/hu-hu/guide/safari/sfri11471/mac)


Use of Google Ads conversion tracking

  1. The data controller uses the online advertising program "Google Ads" and, within this framework, also uses Google's conversion tracking service. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
  2. When a User accesses a website via a Google ad, a cookie required for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, so the User cannot be identified by them.
  3. When the User browses certain pages of the website and the cookie has not yet expired, Google and the data controller can see that the User has clicked on the ad.
  4. Each Google Ads customer receives a different cookie, so they cannot be tracked across the websites of Ads customers.
  5. The information obtained through conversion tracking cookies is used to compile conversion statistics for Ads customers who have opted for conversion tracking. This allows customers to see the number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that could be used to identify individual users.
  6. If you do not wish to participate in conversion tracking, you can opt out by disabling cookies in your browser. You will then not be included in the conversion tracking statistics.
  7. Further information and Google's privacy policy can be found at: https://policies.google.com/privacy


Use of Google Analytics

  1. This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help analyze how users use the website.
  2. The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. By activating IP anonymization on this website, Google will truncate your IP address within Member States of the European Union or in other states party to the Agreement on the European Economic Area.
  3. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity for the website operator, and to provide other services related to website and internet usage.
  4. Within the framework of Google Analytics, the IP address transmitted by the User's browser is not combined with other data from Google. The User can prevent the storage of cookies by adjusting the settings of their browser accordingly, but please note that in this case, not all functions of this website may be fully usable. You can also prevent Google from collecting and processing data generated by cookies and related to your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

Google Tag Manager

Google Tag Manager is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") that allows you to create, update, and manage tags. Tags are small pieces of code on our website that are used, among other things, to measure traffic and visitor behavior and to determine the impact of online advertising and social media channels. When you visit our website, the current tag configuration is sent to your browser. This tells you which tags to activate. The tool itself does not collect any personal data, but it ensures that other tags are activated that may collect data. For more information on how Google Tag Manager works, please visit: https://support.google.com/tagmanager/#topic=3441530


Facebook pixel

The Facebook pixel is a code that is used to generate reports on conversions on the website, compile target audiences, and provide the site owner with detailed analysis data on how visitors use the website. With the help of the Facebook remarketing pixel tracking code, you can display personalized offers and advertisements to website visitors on Facebook. The Facebook remarketing list is not suitable for personal identification. For more information about Facebook Pixel / Facebook image pixel, please visit: https://www.facebook.com/business/help/651294705016616


Recipients with whom personal data is shared

"recipient" means a natural or legal person, public authority, agency, or any other body with whom personal data is shared, regardless of whether they are a third party.

1. Data processors (who process data on behalf of the data controller)

The data controller uses data processors to facilitate its own data processing activities and to fulfill its contractual obligations to data subjects and its legal obligations.

The data controller places great emphasis on using only data processors who provide adequate guarantees to implement appropriate technical and organizational measures to ensure compliance with the requirements of the GDPR and the protection of the rights of data subjects.

The data processor and any person acting under the authority of the data controller or data processor who has access to personal data shall process the personal data contained in this policy solely in accordance with the instructions of the data controller.

The data controller is legally responsible for the activities of the data processor. The data processor shall only be liable for damage caused by data processing if it has failed to comply with the obligations specifically imposed on data processors by the GDPR, or if it has disregarded or acted contrary to the lawful instructions of the data controller.

The data processor has no substantive decision-making power with regard to data processing.

The data controller may use a hosting service provider to provide IT support and a courier service to deliver the ordered products as data processors.

2. Individual data processors

| Data processing activities | Name, address, contact details |
|---|---|
| Hosting service | MediaCenter Hungary Kft., 6000 Kecskemét, Sosztakovics u. 3. II/6, +36 21 201 0505, mediacenter@mediacenter.hu |
| Other data processors (e.g. online invoicing, web development, marketing) | Szamlazz.hu (KBOSS.hu Kft., 1031 Budapest, Záhony utca 7/C., info@szamlazz.hu, +36-30-35-44-789) |


"third party": a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

3. Data transfer to third parties

Third-party data controllers process the personal data we provide on their own behalf and in accordance with their own privacy policies.

| Data controller activities | Name, address, contact details |
|---|---|
| Transport | GLS Hungary, 2351 Alsónémedi, GLS Európa u. 2., (+36 29) 88 66 70, info@gls-hungary.com |
| Online payment | OTP Mobil Szolgáltató Kft., registered office: 1143 Budapest, Hungária krt. 17-19., e-mail: ugyfelszolgalat@simple.hu, phone: +36 1/20/30/70 3-666-611 |




Social media

  1. The fact of data collection, the scope of data processed: Name registered on social media sites such as Meta/Twitter/Pinterest/Youtube/Instagram, etc., and the user's public profile picture.
  2. Scope of data subjects: All data subjects who have registered on Meta/Twitter/Pinterest/Youtube/Instagram, etc. social media sites and have "liked" the Service Provider's social media page or have contacted the data controller through the social media site.
  3. Purpose of data collection: Sharing, "liking," following, and promoting certain content elements, products, promotions, or the website itself on social media sites.
  4. Duration of data processing, deadline for data deletion, persons authorized to access the data, and description of the data subjects' rights related to data processing: The data subject can find information about the source of the data, its processing, the method of transfer, and the legal basis on the given social media site. Data processing takes place on social media sites, so the duration and method of data processing, as well as the options for deleting and modifying data, are governed by the regulations of the given social media site.
  5. Legal basis for data processing: the data subject's voluntary consent to the processing of their personal data on social media sites.

Customer relations and other data processing

  1. If the data subject has any questions or problems while using our services, they can contact the data controller using the methods provided on the website (telephone, email, social media sites, etc.).
  2. The data controller will delete the emails, messages, and data received by telephone, via Meta, etc., together with the name and email address of the interested party and other personal data provided voluntarily, no later than 2 years after the date of data disclosure.
  3. We will provide information about data processing not listed in this notice at the time of data collection.
  4. In the event of an exceptional request from an authority or a request from other bodies based on legal authorization, the Service Provider is obliged to provide information, disclose and transfer data, and make documents available.
  5. In such cases, the Service Provider shall only disclose to the requesting party – provided that the exact purpose and scope of the data has been specified – the personal data that is strictly necessary to achieve the purpose of the request.

Rights of data subjects

1. Right of access

You have the right to obtain confirmation from the data controller as to whether your personal data is being processed and, if so, you have the right to access your personal data and the information listed in the Regulation.

2. Right to rectification

You have the right to request that the controller rectify inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to request that incomplete personal data be completed, including by means of providing a supplementary statement.

3. Right to erasure

You have the right to request that the data controller erase personal data concerning you without undue delay, and the data controller is obliged to erase personal data concerning you without undue delay under certain conditions.

4. Right to be forgotten

If the data controller has made the personal data public and is obliged to erase it, it shall take reasonable steps, including technical measures, taking into account available technology and the cost of implementation, to inform controllers who process the data that you have requested the erasure of any links to, or copies or replications of, that personal data.

5. Right to restriction of processing

You have the right to obtain from the controller restriction of processing where one of the following applies:

  • You contest the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defense of legal claims;
  • you have objected to the processing; in this case, the restriction applies for a period until it is established whether the legitimate grounds of the controller override your legitimate grounds.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided. (...)

7. Right to object

In the case of data processing based on legitimate interests or public authority powers, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, including profiling based on those provisions.

8. Objection in the case of direct marketing

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling to the extent that it is related to such direct marketing. If you object to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.

9. Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The previous paragraph does not apply if the decision:

  • is necessary for entering into, or performance of, a contract between you and the data controller;
  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.

Deadline for action

The data controller shall inform you of the action taken on the above requests without undue delay, but in any case within one month of receipt of the request.

If necessary, this period may be extended by two months. The data controller shall inform you of any extension of the deadline, stating the reasons for the delay, within one month of receiving the request.

If the data controller does not take action on your request, it will inform you without delay, but no later than one month after receiving the request, of the reasons for not taking action and that you may lodge a complaint with a supervisory authority and seek judicial remedy.

Security of data processing

The data controller and data processor shall take appropriate technical and organizational measures to ensure the security of the data processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk, including, as appropriate:

  1. pseudonymization and encryption of personal data;
  2. ensuring the ongoing confidentiality, integrity, availability, and resilience of the systems and services used to process personal data;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  5. The data processed must be stored in such a way that unauthorized persons cannot access it. In the case of paper-based data carriers, this is achieved by establishing a system of physical storage and archiving, and in the case of data processed in electronic form, by using a central authorization management system.
  6. The method of storing data using IT methods must be chosen in such a way that it can be deleted at the end of the data deletion period, even if the deletion period differs, or if necessary for other reasons. The deletion must be irreversible.
  7. Paper-based data carriers must be stripped of personal data using a document shredder or by engaging an external organization specializing in document shredding. In the case of electronic data carriers, physical destruction must be ensured in accordance with the rules on the disposal of electronic data carriers, and, if necessary, the data must be securely and irreversibly deleted in advance.
  8. The data controller shall take the following specific data security measures:

In order to ensure the security of personal data processed on paper, the Service Provider shall apply the following measures (physical protection):

  1. Documents shall be stored in a secure, lockable, dry room.
  2. If personal data processed on paper is digitized, the rules governing digitally stored documents shall apply.
  3. When performing their work, the Service Provider's data processing staff may only leave the room where data processing is taking place after locking away the data carriers entrusted to them or locking the room.
  4. Personal data may only be accessed by authorized persons; third parties may not access it.
  5. The Service Provider's building and premises are equipped with fire protection and property protection equipment.

IT protection

  1. The computers and mobile devices (other data carriers) used for data processing are the property of the Service Provider.
  2. The computer system used by the Service Provider to store personal data is equipped with virus protection.
  3. To ensure the security of digitally stored data, the Service Provider uses data backup and archiving.
  4. Only persons with the appropriate authorisation and designated for this purpose may access the central server.
  5. The data stored on the computers can only be accessed with a username and password.

Informing the data subject about the data protection incident

If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject without undue delay.

The information provided to the data subject shall be clear and understandable. It shall describe the nature of the data breach; provide the name and contact details of the data protection officer or other contact person who can provide further information; describe the likely consequences of the data breach; and describe the measures taken or planned by the controller to address the personal data breach, including, where appropriate, measures to mitigate any adverse effects of the personal data breach.

The data subject shall not be informed if any of the following conditions are met:

  • the controller has implemented appropriate technical and organizational protection measures and those measures were applied to the data affected by the personal data breach, in particular those measures, such as encryption, which render the data unintelligible to any person who is not authorized to access it;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
  • the communication would require a disproportionate effort. In such cases, the data subjects shall be informed by means of a public communication or a similar measure that ensures that the data subjects are informed in a similarly effective manner.

If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to result in a high risk, order that the data subject be informed.

Notification of a personal data breach to the supervisory authority

The controller shall notify the competent supervisory authority pursuant to Article 55 of the personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must also be provided.

Review in the case of mandatory data processing

If the duration of mandatory data processing or the periodic review of its necessity is not determined by law, local government regulation, or a binding legal act of the European Union, the data controller shall review at least every three years from the start of data processing whether the processing of personal data by the data controller or by a data processor acting on its behalf or on its instructions is necessary for the purpose of data processing.

The data controller shall document the circumstances and results of this review, retain this documentation for ten years after the review has been carried out, and make it available to the National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) at the Authority's request.

Complaint procedure

Complaints about any infringement by the data controller may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf. 9.

Telephone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Closing

In preparing this information notice, we have taken into account the following legislation:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
  • Act CXII of 2011 on the right to self-determination in information and freedom of information (hereinafter: Infotv.);
  • Act CVIII of 2001 on certain issues of electronic commerce services and information society services (in particular Section 13/A);
  • Act XLVII of 2008 – on the prohibition of unfair commercial practices against consumers;
  • Act XLVIII of 2008 – on the basic conditions and certain restrictions of economic advertising activities (in particular Section 6);
  • Act XC of 2005 on electronic freedom of information;
  • Act C of 2003 on electronic communications (specifically Section 155);
  • Opinion No. 16/2011 on the EASA/IAB Recommendation on best practices for behavioral online advertising;
  • Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements for prior information.

