1. Introduction

 

The purpose of this Data Management Information Sheet is to record the data management principles and policy applied by the PANKA pálinka webshop (hereinafter referred to as Data Controller), which the operator, as Data Controller, recognizes as binding.

 

When developing the provisions of the Data Management Information, the Data Controller took into account in particular the provisions of Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation" or "GDPR"), CXII of 2011 on the right to information self-determination and freedom of information. Act ("Infotv"), Act V of 2013 on the Civil Code ("Ptk"), and Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising. the provisions of the Act (“Grtv.”).

 

The Data Controller reserves the right to change this information at any time, and will notify customers of any changes in a timely manner. If the data subjects have any questions that are not clear based on this notice, they can ask the Data Controller's contact details, where the Data Controller will answer them to the best of their knowledge. Although the Data Controller is committed to maintaining the quality of the services at the highest level, it does not assume responsibility for any damages resulting from the use of the system. The Data Controller is committed to protecting the personal data of its partners and users, and considers it of utmost importance to respect the right of its customers to self-determination of information. The Data Controller treats personal data confidentially and takes all security, technical and organizational measures that guarantee data security.

 

2. Data controller

Name of data controller: PANKA Pálinka Manufaktúra Kft

Headquarters: H-1147 Budapest, Czobor u. 104.

Tax number: 10352669-2-42

Company registration number: 01-09-065170

E-mail: info@pankalinka.hu

Data management information is available at: https://pankapalinka.hu/adatkezelesi_tajekoztato

 

3. Definitions

3.1. Personal data

Any data that can be linked to a specific (identified or identifiable) natural person (data subject), a conclusion regarding the data subject can be drawn from the data. During data management, personal data will retain its quality as long as the relationship with the data subject can be restored. A person can be considered identifiable in particular if he can be identified - directly or indirectly - on the basis of a name, identification mark, or one or more factors characteristic of his physical, physiological, mental, economic, cultural or social identity.

3.2. Registration system

The file of personal data divided in any way – centralized, decentralized, functional or geographically – and accessible based on specific criteria.

3.3. Data controller

The natural or legal person or organization without legal personality who determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or implements them with the data processor it has commissioned.

3.4. Data processor

The natural or legal person or organization without legal personality who processes personal data on behalf of the Data Controller.

3.5. Addressee

The natural or legal person, public authority, agency or any other body to whom the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or member state law in the context of an individual investigation are not considered recipients. The handling of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the data management.

3.6. Affected

Any specific natural person identified on the basis of personal data or - directly or indirectly - identifiable.

3.7. Third party

A natural or legal person, or an organization without legal personality, who is not the same as the data subject, the Data Controller or the data processor.

3.8. Customer

A Data Subject who uses a service of the Data Controller.

3.9. User

Every natural person who contacts the Data Controller visits its website.

3.10. Data handling

Regardless of the procedure used, any operation or set of operations performed on the data, such as collection, recording, recording, organization, storage, alteration, use, transmission, disclosure, alignment or connection, blocking, deletion and destruction, as well as the further use of the data preventing. The taking of photographs, audio or video recordings, as well as the recording of physical characteristics suitable for identifying a person (e.g. fingerprints or palm prints, DNA samples, iris images) are considered data processing.

3.11. Profiling

Any form of automated processing of personal data in which personal data is used for the evaluation of certain personal characteristics of a natural person, in particular for the analysis of characteristics related to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement or used to predict.

3.12. Pseudonymization

Processing of personal data in such a way that, without the use of additional information, it is no longer possible to establish which specific natural person the personal data refers to, provided that such additional information is stored separately and technical and organizational measures are taken to ensure that it is identified or this personal data cannot be linked to identifiable natural persons.

3.13. Data processing

Performing technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application.

3.14. Contribution

The Data Subject's voluntary and firm declaration of his wishes, which is based on adequate information and with which he gives his unequivocal consent to the processing of his personal data - in full or covering certain operations.

3.15. Data protection incident

A breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise handled.

3.16. Protest

The Data Subject's statement objecting to the processing of his personal data and requesting the termination of data processing or the deletion of the processed data.

3.17. Data transfer

If the data is made available to a specific third party.

3.18. Data deletion

Making data unrecognizable in such a way that their recovery is no longer possible.

 

4. Basic principles during data management

The processing of personal data is legal only if and to the extent that at least one of the following is fulfilled:

 

A. the Data Subject has given his consent to the processing of his personal data for one or more specific purposes;

B. data processing is necessary to fulfill a contract in which the data subject is one of the parties, or it is necessary to take steps at the request of the data subject prior to the conclusion of the contract;

C. data management is necessary to fulfill the legal obligation of the Data Controller;

D. data processing is necessary to protect the vital interests of the Data Subject or another natural person;

E. data management is in the public interest or is necessary for the execution of a task performed in the context of the exercise of public authority conferred on the Data Controller;

F. data processing is necessary to enforce the legitimate interests of the Data Controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.

The Data Controller handles personal data in accordance with the principles of good faith, honesty and transparency, as well as the provisions of the applicable laws and regulations described in this Data Management Information.

The Data Controller uses the personal data based on the Data Subject's consent or for the purpose of fulfilling a contract, only for a limited purpose.

The Data Controller uses personal data only in this Data Management information sheet or it is managed for the purpose specified in the relevant legislation. The range of personal data handled is proportional to the purpose of data management. In any case, if the Data Controller intends to use the personal data for a purpose other than the purpose of the original data collection, the Data Subject shall be informed of this and obtain their prior, express consent, or provide them with the opportunity to prohibit the use.

The Data Controller does not check the provided personal data, the data subject providing it is solely responsible for their adequacy.

Personal data of a person under the age of 16 can only be processed with the consent of an adult exercising parental supervision over him. The Data Controller is not in a position to verify the authorization of the consenting person or the content of his statement, so the Data Subject or the person exercising parental supervision over him guarantees that the consent complies with the law. In the absence of a consent statement, the Data Controller does not collect personal data concerning the Data Subject under the age of 16, with the exception of the IP address used when using the service, which is recorded automatically due to the nature of internet services.

The Data Controller does not transfer the personal data it handles to third parties other than the Data Processors specified in this Data Management Information. An exception to the provision contained in this point is the use of data in a statistically aggregated form, which does not contain any other data capable of identifying the Data Subject in any form, and therefore does not qualify as data management or data transmission. In certain cases, the Data Controller may harm the interests of the Data Controller, endanger the provision of services, etc. - makes available personal data of the Data Subject accessible to third parties.

The Data Controller ensures the security of personal data, takes the technical and organizational measures and establishes the procedural rules that ensure that the recorded, stored and managed data are protected, and prevent their accidental loss, unlawful destruction, unauthorized access, unauthorized use and unauthorized alteration, unauthorized distribution. To fulfill this obligation, the Data Controller calls on all third parties to whom it transmits personal data.

Given the relevant provisions of the GDPR, the Data Controller does not appoint a data protection officer.

With regard to the data collected on the websites and online stores of customers who use its services, the service provider is considered a data processor, and does not perform data management in this regard. The Customer, as Data Controller, can provide information on the scope of the personal data managed in this way, the purpose, legal title and duration of its management, and the Customer bears sole responsibility for the data management of this data.

 

5. The scope of personal data processed, the purpose, legal basis and duration of data management

5.1. Website visitor data, logs

When visiting its own websites, the Data Controller records the time of the visit and the address of the page viewed. The Data Controller uses the data to operate the protection system, detect errors, clarify controversial issues, and prove abuses. The data is deleted after 2 months.

5.2. Customer registration, order

The Data Controller's services can only be ordered after registration. The purpose and legal basis of data management is to fulfill orders, provide services, maintain contact with the Customer, fulfill contractual obligations and exercise rights arising from the order, fulfill accounting obligations, and send newsletters and information letters. The personal data requested during registration are the following: username, password, name, address, telephone number, e-mail address. The Data Controller stores the data necessary for the performance of the contract for 5 years after the end of the subscription period, given that a civil claim related to the contract may arise within this period. Accounting receipts are required by Act C of 2000 on accounting, § 169 (2)

based on paragraph 2, the data controller will keep it for 8 years.

5.3. Newsletter

The purpose of data management is to send e-mail-based newsletters to interested parties, providing information on current information and services. The legal basis for data management is the voluntary consent of the data subject or the legitimate interest of the Data Controller and Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities. § 6 (5) of the Act. Scope of processed data: name, e-mail address. The duration of the data management lasts until the consent is withdrawn, and in the case of the legitimate interest of the Data Controller, until the right of objection is exercised. The data subject can exercise their right to withdraw their consent or protest by clicking on the link in the sent newsletter, or by sending a letter to the Data Controller's headquarters.

5.4. Customer service

The Data Controller provides customer service for Users. Depending on the form of the request, the User gives his consent to the processing of his personal data. Incoming e-mails, telephone conversations, messages sent using the contact forms on the website, online conversations, together with all voluntarily provided data, are recorded by the Data Controller, stored for a maximum of 5 years and used in connection with the provision of the service.

 

6. Scope of additional data managed by the Data Controller

In order to provide service, the Data Controller places a data package (so-called "cookie") on the User's computer, the primary purpose of which is process identification and load distribution. All cookies are necessary for the basic operation of the website and are not suitable for personal identification. The User can delete the cookie from his computer or set his browser to prohibit the use of cookies. By prohibiting the use of cookies, the User acknowledges that the operation of the given page is incomplete without cookies.

 

7. Method and security of data management

The Data Controller manages and stores all personal data electronically, no paper copies of personal data are made.

The Data Controller's computer systems and other data storage devices are located at its headquarters and on Wix.com's servers.

The Data Controller undertakes to apply appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management, as well as the varying probability and severity of the risk to the rights and freedoms of natural persons. covering the entire scope of its data management activities. The Data Controller is obliged to protect the data with appropriate measures, in particular against unauthorized or illegal access, change, transmission, disclosure, loss, deletion or destruction, as well as against accidental destruction, alteration and damage, as well as inaccessibility resulting from changes in the technology used. The Data Controller is obliged to handle the data using the data security level corresponding to the current best industry practice, GDPR, current Hungarian legislation and any other data protection and data security legislation. In case of data loss due to the Data Manager's fault, the Data Manager is obliged to restore the data free of charge. Regardless of the protocol (e-mail, web, ftp, etc.), electronic messages transmitted over the Internet are vulnerable to network threats that lead to unfair activity, contract disputes, or the disclosure or modification of information. To protect against such threats, the Data Controller takes all the necessary precautions. Monitors systems to capture any security deviations and provide evidence for any security incidents. In addition, system monitoring also makes it possible to check the effectiveness of the precautions used.

 

8. The scope of the persons familiar with the data, data transmission, data processing

The Data Manager and the internal employees of the Data Manager are primarily entitled to know the data, but they are not published, and they are not passed on to third parties, except for data processors and cooperating external service providers.

The Data Controller may use a data processor or cooperate with external service providers to fulfill orders, ensure the operation of services, and settle settlements.

8.1. Data processors

The Data Manager does not transmit data regarding customers.

8.2. External service providers, recipients

In order to provide the service, the Data Controller may cooperate with external data controllers and may transmit personal data to them, as follows. The Data Controller is not responsible for the data management practices of external service providers.

A. FOXpost zrt. (3200 Gyöngyös, Batsányi János u. 9)

B. Fuvar.hu kft. (7626 Pécs, Farkas István utca 3/1. 1. fl. 3.)

 

9. Rights of the Data Subject

9.1. Right of access

The Data Subject has the right to receive feedback from the Data Controller as to whether his personal data is being processed and, if such data processing is in progress, he is entitled to learn about his personal data and the information listed in the regulation.

9.2. Right to rectification

The Data Subject has the right to have inaccurate personal data corrected without undue delay upon request by the Data Controller. Taking into account the purpose of the data management, the data subject is entitled to request the completion of incomplete personal data, including by means of a supplementary statement.

9.3. The right to erasure

The Data Subject has the right to request that the Data Controller delete the personal data concerning him without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:

A. the personal data are no longer needed for the purpose for which they were collected;

B. the Data Subject withdraws the consent that forms the basis of the data management and there is no other legal basis for the data management;

C. the Data Subject objects to the processing of his data and there is no overriding legal reason for data processing.

If the Data Controller has disclosed the personal data and is obliged to delete it, taking into account the available technology and the costs of implementation, it will take reasonably expected steps - including technical measures - in order to inform the data controllers handling the data that the data subject has requested from them the personal data in question deleting links to data or copies or duplicates of these personal data.

9.4. The right to restrict data processing

The Data Subject is entitled to request that the Data Controller restricts data processing if

A. the Data Subject disputes the accuracy of the personal data;

B. The Data Controller no longer needs the personal data, but the data subject requires them to assert legal claims.

9.5. The right to data portability

The Data Subject is entitled to receive the personal data concerning him/her provided to the Data Controller in a segmented, widely used, machine-readable format, if the data processing is based on consent or a contract and the data processing is done in an automated manner.

9.6. The right to protest

The Data Subject has the right to object to the processing of his personal data at any time for reasons related to his own situation, if the processing of personal data is in the legitimate interest of the Data Controller.

 

10. Method of legal enforcement

With any questions or comments related to data management, the Data Controller can be contacted at the contact details specified in point 2.

The Data Subject can file a complaint about data management directly with the National Data Protection and Freedom of Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website:www.naih.hu) can turn.

In the event of a violation of the Data Subject's rights, he may go to court. Adjudication of the lawsuit falls within the jurisdiction of the court. At the option of the Data Subject, the lawsuit can also be initiated before the court of the Data Subject's place of residence or residence. Upon request, the Data Controller informs the Data Subject of the possibility and means of redress.

 

11. Applicable law, other provisions

This Privacy Policy is governed by Hungarian law.

If the legislation in force in the User's country imposes stricter rules on the parties than those contained in this Data Management Information, the User is obliged to comply with them. However, the User acknowledges and accepts that the Data Controller's responsibility is based on the laws governing this Data Management Information and excludes its responsibility to the fullest extent possible based on the relevant laws and court decisions for non-compliance with the provisions of the User's country.

This Data Management information is for information purposes, it is not sufficient in itself for a complete understanding of data management. The User may request information from the Data Controller at the contact details indicated in point 2 for questions to which this Data Management information sheet did not provide a clear answer.