Privacy Notice
1. Data Controller
The online store available at https://www.mybettershelf.com/ is operated by
Mybettershelf Kereskedelmi Korlátolt Felelősségű Társaság
Abbreviated name: Mybettershelf Kft.
Company registration number: 01-09-373198
Tax ID: 28768038-2-42
Registered office: Hungary, 1148 Budapest, Jerney Street 41, 3rd floor, Door 12
Mailing address: Hungary, 1148 Budapest, Jerney Street 41, 3rd floor, Door 12
Email address: info@mybettershelf.com
Website: https://www.mybettershelf.com/
(hereinafter: Data Controller).
2. Legislation on data processing, scope of this notice
2.1. The Data Controller specified above (hereinafter: Data Controller), which
operates the website accessible at the web address specified above
(hereinafter: website), provides its services from Hungary. Accordingly,
Hungarian and European law governs the provision of the service as well as
matters concerning Users during their use of the service (including data
processing). The Data Controller processes Users’ data primarily in accordance
with the following legislation:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of
April 27, 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation)
(hereinafter: GDPR),
- Act CVIII of 2001 on Certain Issues Concerning Electronic Commerce Services
and Information Society Services (Ekertv.),
- Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of
Commercial Advertising Activities.
2.2. This notice applies to data processing carried out during the use of the
https://www.mybettershelf.com/ website (hereinafter: the website), the use of the
services available there, and the fulfillment of orders placed in the online
store.
2.3. For the purposes of this notice, “User” means any natural person browsing the website
or using its services and features who is subject to data processing.
3. Information technology data collection related to the use of the website
3.1. The Data Controller uses cookies to operate the
website and to collect technical data regarding website visitors.
3.2. The Data Controller provides a separate notice
regarding data processing carried out by cookies: Privacy Notice on the Use of Cookies.
4. Data processing related to receiving and responding to messages
4.1. Data subjects: Users who send messages to the Data Controller via email using the
email address(es) listed on the website.
4.2. Legal basis for data processing: the User’s consent pursuant to Article 6(1)(a) of the GDPR. The
User provides consent by sending the email message.
The User has the right to withdraw their consent at any time. Withdrawal of consent
does not affect the lawfulness of data processing carried out prior to
withdrawal. If the User withdraws their consent before the message is answered,
the Data Controller will not continue the exchange of messages and will not
answer previously asked questions, as they must delete the data processed on
the basis of consent.
4.3. Scope of processed data:
- the User sending the message:
  o name,
  o email address,
- the message:
  o subject,
  o content,
  o and the conclusions that can be drawn from them.
4.4. Purpose of data processing: To enable the User to exchange messages
with the Data Controller.
4.5. Duration of data processing: If no contract is concluded as a result of the message
exchange, the processing continues until the message is answered or the User’s
request is fulfilled. The Data Controller deletes the data processed for this
purpose after the message is answered or the request is fulfilled. If the
exchange of information involves multiple messages on related topics, the Data
Controller will delete the data upon completion of the exchange of information
or after fulfilling the request.
If a contract is concluded as a
result of the exchange of messages, and the content of the messages is relevant
to the contract, the legal basis and duration of data processing shall be as
described in Section 8 (Data processing related to orders).
In the case of messages related to
complaints, data processing shall be governed by the provisions of Section 12
(Data processing related to consumer complaints).
4.6. Method of data storage: electronically, in a separate data file within the Data
Controller’s IT system.
4.7. Consequences of failure to provide data: providing personal data is necessary to respond to
the message; without the above data, the Data Controller cannot respond to the
message.
5. Data processing related to requesting a quote
5.1. Scope of data subjects: Users who request a quote by clicking
the “Get a custom offer” button accessible via the “Customize!” menu item on
the website, or by sending a message to the Data Controller using the messaging
interface accessible via the “Contact us” menu item on the website.
5.2. Legal basis for data processing: the User’s consent pursuant to Article 6(1)(a) of the
GDPR.
The User has the right to withdraw their consent at any time. Withdrawal of consent
does not affect the lawfulness of data processing carried out prior to
withdrawal. If the User withdraws their consent before the request for a quote is
answered, the Data Controller will not continue the correspondence and will not
answer previously asked questions, as they must delete the data processed on
the basis of the consent.
5.3. Scope of processed data:
The User sending the request for a quote:
- name,
- email address,
- phone number,
- content of the message.
5.4. Purpose of data processing: to enable the User to request a quote.
The purpose of processing the phone number is to allow
the Data Controller to answer more complex questions raised in the quote
request in a more effective manner, via a phone call.
5.5. Duration of data processing: if no contract is concluded as a result of the quote request,
then until the quote request is answered. If the exchange of information
involves multiple messages on related topics, the Data Controller will delete
the data upon completion of the exchange or after fulfilling the request.
If a contract is concluded following
the request for a quote and the content of the messages is relevant to the
contract, the legal basis and duration of data processing shall be as set forth
in Section 8 (data processing related to orders).
5.6. Method of data storage: electronically, in a separate
data file within the Data Controller’s IT system.
5.7. Consequences of failure to provide data: the provision of personal data is
necessary for the submission of an offer; without the provision of the above
data, the Data Controller cannot submit an offer.
6. Data processing related to sending newsletters
6.1. Data subject: the User who subscribes to the newsletter by checking the consent box
on the website.
6.2. Legal basis for data processing: pursuant to Article 6(1)(a) of the GDPR, with regard to
Sections 6(1) and (2) of the Grt., the User’s consent. The User provides
voluntary consent by checking the box preceding the subscription statement
after filling out the fields for newsletter subscription.
The User has the right to withdraw
their consent at any time. The withdrawal of consent does not affect the
lawfulness of data processing carried out prior to the withdrawal.
In addition to providing useful
information, the newsletter is also intended for direct marketing by the Data Controller. Users may
subscribe to the newsletter independently of their use of other services. Subscription
is voluntary and is based on a decision made by the User after being adequately
informed. If the User does not subscribe to the newsletter, this will not
result in any disadvantage regarding the use of the website or the use of its
other services. The Data Controller does not make subscription a condition for
the use of any of its other services.
6.3. Scope of processed data:
To send newsletters, the User:
- first name,
- email address,
to register the consent provided online:
- the IP address of the device used at the time of subscription,
- the date of subscription.
6.4. Purpose of data processing: sending newsletters by the Data Controller to the User via
email. Sending newsletters involves sending information about the Data
Controller’s services, news, and current events, as well as promotional offers,
advertising, and sales-promoting content.
6.5. Duration of data processing: The Data Controller processes the data collected for the
purpose of sending newsletters until the User withdraws their consent
(unsubscribes) or until the data is deleted at the User’s request.
6.6. Method of data storage: electronically, in a separate data file within the Data
Controller’s IT system.
6.7. Consequences of failure to provide data: providing personal data is necessary for sending
newsletters; without it, the Data Controller cannot send the newsletter to
subscribed Users.
7. Data processing related to registration
7.1. Data subjects: Users who register on the website.
7.2. Legal basis for data processing: the User’s consent pursuant to Article 6(1)(a) of the
GDPR. The User provides voluntary consent by filling out the registration form,
then accepting the general terms and conditions and checking the data
processing statement, and finally by clicking the button to finalize
registration.
7.3. Scope of processed data:
For registration, the User provides:
- email address,
- password,
to register the consent provided online:
- the IP address of the device used during registration,
- the date of registration.
Passwords are stored in an encrypted
format by the Data Controller’s system, meaning the Data Controller does not
have access to the User’s password.
7.4. Purpose of data processing: registration on the website, facilitating regular purchases.
7.5. Duration of data processing: for registered Users, data processing continues until the registered
User requests deletion. Data processing may also cease upon the User’s
cancellation of registration or the Data Controller’s deletion of the User’s
registration. A User may delete their registration at any time or request its
deletion from the Data Controller, and the Data Controller shall comply with
such a request without delay, but no later than within 10 business days of
receiving the request.
7.6. Method of data storage: electronically, in a separate data file within the Data
Controller’s IT system.
7.7. Consequences of failure to provide data: providing
personal data is required for registration; without the above data, the Data
Controller cannot create a user account.
8. Data processing related to orders placed by consumers
8.1. Data subjects: natural persons (consumers) who place orders on the website.
8.2. Legal basis for data processing: Article 6(1)(b) of the GDPR, according to which data
processing is necessary for the performance of a contract to which the User is
a party.
8.3. Scope of data processed: data processing concerns the following personal data and
contact information.
The User:
- last name,
- first name,
- billing address,
- shipping address,
- phone number,
- email address,
- description of the product(s) ordered,
- purchase price of the ordered product(s),
- method of pickup/delivery,
- payment method,
- coupon code (if applicable),
- any other information provided by the User at the time of ordering that is
necessary for the fulfillment of the order,
- date of the order,
- date of payment.
8.4. Purpose of data processing: to conclude and fulfill the contract arising from the order.
8.5. Duration of data processing: The Data Controller processes the data based on its legitimate business
interest until the expiration of the statute of limitations for claims arising
from the contractual relationship—which is generally 5 years from the date the
claim becomes due. Any interruption of the statute of limitations extends the
duration of data processing until the new date on which the statute of
limitations expires.
During the delivery necessary to fulfill the order, the processing of the data
required for this purpose (customer’s name, address, phone number, and data
related to the delivery of the ordered product and, in the case of cash on
delivery, payment of the price) continues until the delivery is completed. When
transferring the data necessary for the fulfillment of the delivery to the
delivery service provider, the Data Controller imposes a restriction on data
processing, whereby the delivery service provider may process the transferred
data only to the extent and for the duration necessary to fulfill the delivery,
in the interest of the Data Controller.
However, the carrier’s legitimate interest is to retain the above data or a portion
thereof in the event of any complaints, claims, or civil disputes. This is
done, however, as an independent data controller; the User may find further
information on this in the data processing notice of the relevant service
provider. The service providers used by the Data Controller are listed in the
section of this notice titled “Use of Data Processors,” where the links to
their websites containing their privacy policies are also provided.
The Data Controller retains the accounting documents issued in connection with the
order for the period necessary to comply with the document retention obligation
prescribed by the Accounting Act, in accordance with Chapter 11.
8.6. Method of data storage: electronically, in a separate data file within
the Data Controller’s IT system, and the data necessary for proper accounting is
stored on accounting documents to fulfill the document retention obligation
prescribed by the Accounting Act.
8.7. Consequences of failure to provide data: providing the
data necessary for order fulfillment is a prerequisite for fulfilling the
order. In the event of failure to provide data, the Data Controller will be
unable to fulfill the order.
9. Processing of personal data of natural persons acting on behalf of a business entity
9.1. Scope of data subjects: Users (or “Representatives”)
who are natural persons acting on behalf of a business entity that contacts the
Data Controller via the website or places an order for a product.
9.2. Legal basis for data processing: the legitimate
interest of the organization represented by the User (hereinafter: Business
Entity) pursuant to Article 6(1)(f) of the GDPR.
The legitimate interest of the
Business Entity establishing contact with the Data Controller is to facilitate
the exchange of information prior to placing an order, as well as to conclude
and perform a contract in accordance with its interests. All of this can be
accomplished through its natural person Representative.
The Data Controller processes the
Representative’s data exclusively within the scope of administrative matters,
communication, and contract performance related to the organization represented
by the Representative, to the extent and for the duration necessary for this
purpose, and limits the scope of data to only the necessary information.
The exchange of information
necessary for maintaining contact, processing orders, and fulfilling the contract
cannot take place without the processing of the Representative’s personal data;
therefore, data processing is essential for the Business Entity to
pursue its legitimate interests.
A separate document has been
prepared regarding the balancing of interests; the Data Subject may inquire
with the Data Controller regarding its availability.
9.3. Scope of processed data:
The Representative:
- last name,
- first name,
- email address,
- phone number,
In the case of an order, also:
the company represented:
- legal form,
- name,
- mailing address,
- billing address,
- tax ID number, VAT number,
- company registration number.
as well as purchase-related data:
- description of the product(s) ordered,
- purchase price of the ordered product(s),
- method of pickup/delivery,
- payment method,
- any other information provided by the User at the time of ordering that is
necessary for the fulfillment of the order,
- date of the order,
- date of payment.
9.4. Source of the data: generally, the User. If the
Representative identified during the contact or ordering process is not the
User themselves, but someone else from the Business Entity provides their data,
then the source of the data is the Business Entity. In such cases, the Data
Controller also obtains the Representative’s data in the legitimate interest of
the Business Entity. The Business Entity is obligated to inform the
Representative about the data processing it carries out and about the provision
of the Representative’s data to the Data Controller.
9.5. Purpose of data processing: to maintain contact and to
conclude and fulfill the contract between the Data Controller and the Business
Entity resulting from the order.
In the case of an order, or if a
contract is concluded as a result of the exchange of messages, the Data
Controller processes the data based on its legitimate business interest until
the expiration of the statute of limitations for claims arising from the
contractual relationship—which is generally 5 years from the date the claim
becomes due. Any interruption of the statute of limitations extends the
duration of data processing until the new date on which the statute of
limitations expires.
The Data Controller processes the
accounting documents issued in connection with the contract for the period
necessary to fulfill the document retention obligation prescribed by the
Accounting Act, in accordance with Chapter 11.
9.7. Method of data storage: electronically, in a separate
data file within the Data Controller’s IT system; in the event of a contract
being concluded, the data necessary for proper accounting is stored on
accounting documents to fulfill the document retention obligation prescribed by
the Accounting Act.
9.8. Consequences of failure to provide
data: without personal data, an order cannot be placed and therefore cannot be
fulfilled, nor can contact be made with the Data Controller.
10. Data processing related to refunds
10.1. In the event of a refund, if the User paid via online credit card or another
online payment service, the amount paid will be refunded through the payment
service provider used. If the User paid via bank transfer or requests a refund in
this manner, the Data Controller will transfer the amount back to the User.
10.2. Data subjects: the User who placed the order subject to the refund.
10.3. Legal basis for data processing: compliance with a legal obligation to which the Data
Controller is subject, pursuant to Article 6(1)(c) of the GDPR.
10.4. Scope of data processed:
- order identification number,
- amount to be refunded,
- reason for the refund,
- User’s name,
- if the User requests a refund via bank transfer or to
their bank account, then the bank account number.
10.5. Purpose of data processing: if the matter concerns the exercise of rights related to
warranty, right of withdrawal, warranty, then, depending on the legal basis for
the refund, in Section 23(1) of Act V of 2013 on the Civil Code, or in Section
23(1) of Government Decree 45/2014 (II. 26.) on the detailed rules of contracts
between consumers and businesses, and Government Decree No. 151/2003. (IX. 22.)
on mandatory warranties for certain durable consumer goods.
10.6. Duration of data processing: The Data Controller processes the data based on a
legitimate business interest until the expiration of the statute of limitations
for claims related to refunds—which is generally 5 years from the date the
claim becomes due. Any interruption of the statute of limitations extends the
duration of data processing until the new date on which the statute of
limitations expires.
The Data Controller processes the accounting documents issued in connection with
the order regarding the refund for the period necessary to fulfill the document
retention obligation prescribed by the Accounting Act, in accordance with
Chapter 10.
10.7. Method of data storage: electronically, in a separate
data file within the Data Controller’s IT system, and the data necessary for
proper accounting is stored on accounting
documents to fulfill the document retention obligation prescribed by the
Accounting Act.
10.8. Consequences of
failure to provide data: personal data is necessary to fulfill the specified
legal obligations. Without processing the above data, the Data Controller
cannot refund the amount.
11. Data processing related to the retention of accounting documents
11.1. Data subjects: Users placing orders on the website.
11.2. Legal basis for data processing: compliance with a legal obligation to which the Data
Controller is subject, pursuant to Article 6(1)(c) of the GDPR.
11.3. Scope of data processed:
The User’s:
- last name,
- first name,
- billing address,
- shipping address,
- phone number,
- email address,
- description of the ordered item(s),
- purchase price of the ordered item(s),
- method of pickup/delivery,
- payment method,
- any other information provided by the User at the
time of ordering that is necessary for the fulfillment of the order,
- date of the order,
- date of payment.
11.4. Purpose of data processing: to fulfill the obligations regarding the issuance of
invoices and the retention of accounting documents as specified in Section 169
of the VAT Act and Section 169(2) of the Accounting Act.
11.5. Duration of data processing: The Data Controller processes the above data for the period
necessary to comply with the document retention obligation prescribed by the
Accounting Act. Under the Accounting Act, this period is at least 8 years from
the date of issuance of the document; after this period has elapsed, the Data
Controller will delete the data within one year. This primarily includes data
appearing on invoices (customer name, address, and data regarding the ordered
product and payment of its price), as well as additional data contained in
orders and confirmations as part of the contractual documentation, which also
fall under the definition of an accounting document.
11.6. Method of data storage: In a separate data file within the Data Controller’s IT system,
electronically; and data necessary for proper accounting is stored
on accounting documents to comply with the document retention obligation
prescribed by the Accounting Act.
11.7. Consequences of failure to provide data: The provision of
personal data is based on a legal obligation and is necessary to fulfill the
invoice issuance and document retention obligations set forth in Section 169 of
the VAT Act and Section 169(2) of the Accounting Act. If the User does not
provide the necessary data listed above, the Data Controller will be unable to
fulfill its legal obligations related to the order as described herein, and
consequently will be unable to sell the product.
12. Data processing related to consumer complaints
12.1. Data subjects: Users who submit consumer complaints.
12.2. Legal basis for data processing: the legal basis for data processing is the
processing necessary for compliance with a legal obligation under Article
6(1)(c) of the GDPR; the fulfillment of the legal obligations applicable to the
Data Controller regarding the handling of complaints, as defined in Section
17/A of the Fgytv.
12.3. Scope of processed data:
The User filing the complaint:
- last name,
- first name,
- address,
- place, time, and method of filing the complaint,
- a detailed description of the complaint,
- the information provided by the User in the
complaint; any personal data that the User discloses to the Data Controller in
connection with the complaint,
- personal data contained in any documents, records,
or other evidence submitted by the User,
- the place and time of the recording of the complaint
report,
- the User’s signature in the case of a complaint
submitted in writing,
- the User’s email address in the case of a complaint
sent via email,
- in the case of a verbal complaint made by telephone
or using another electronic communications service, the complaint’s unique
identification number and the User’s telephone number,
- if applicable, the identification number of the
order or other transaction related to the complaint and information regarding
its fulfillment.
The Data Controller does not record telephone calls.
12.4. Source of the data: the User provides the data to the Data Controller in their
complaint. Investigating the complaint may also require the processing of data
related to the User’s previous orders placed with the Data Controller. The Data
Controller does not obtain the User’s data from any other (external) sources.
12.5. Purpose of data processing: to investigate and respond to the complaint submitted by
the User; to fulfill the legal obligations of the Data Controller as set forth
in Section 17/A of the Fgytv.
The purpose of processing the User’s personal
identification data is to identify the User, which is necessary for
investigating and responding to the complaint.
The information containing personal data provided by
the User in their complaint, as well as the details of any prior order
potentially related to the complaint, will be used to investigate and respond
to the complaint on its merits, to the extent necessary for such purposes.
The User’s name and address will be used to address
postal mail in the event that the Data Controller sends the complaint report or
the response to the complaint in writing via postal mail.
The User’s name and email address may be used for
communication via email (if necessary for investigating the complaint), to
contact the User, or to respond to the complaint via email.
12.6. Duration of data processing: The Data Controller retains the record of the complaint, or
in the case of a written complaint, the submitted document and the response to
the complaint, for three years, after which it is destroyed.
If the submitted request does not qualify as a
complaint, the Data Controller will delete the data one month after the
communication regarding the request has been concluded.
If the submission does not qualify as a complaint, but
relates to a specific transaction concerning the Data Controller’s performance
and contains relevant content in that regard, the Data Controller will process
the data until the expiration of the statute of limitations for claims arising
from the contractual relationship—which is generally 3 years from the date the
claim becomes due—and will delete the data thereafter.
12.7. Method of data storage: electronically, in a separate
data file within the Data Controller’s IT system; depending on the method of
submission, possibly on paper, in the minutes of the complaint, and in the
document containing the response to the complaint.
12.8. Consequences of failure to provide data: the provision of personal data is based on the
above legal obligation and is necessary for its fulfillment. Without processing
the above data, the Data Controller cannot investigate and resolve the
complaint.
13. Data processing related to the submission of a complaint
13.1. Data subjects: Users who submit a claim for the enforcement of warranty or guarantee
rights.
13.2. Legal basis for data processing: The legal basis for data processing is Article
6(1)(c) of the GDPR, according to which data processing is necessary for
compliance with a legal obligation.
13.3. Scope of data processed:
The User:
- last name,
- first name,
- mailing address,
- place, time, and method of filing the complaint,
- a detailed description of the complaint,
- the information provided by the User in the
complaint; any personal data that the User discloses to the Data Controller in
connection with the complaint,
- method of resolving the complaint,
- content of the response to the complaint,
- the reason for the rejection of the complaint, if
applicable,
- conclusions that can be drawn based on any records,
documents, or other evidence presented or submitted by the User, as well as the
personal data contained therein,
- the User’s email address, if the complaint was sent
via email,
- in the case of a verbal complaint made by telephone
or via another electronic communications service, the unique identification
number of the complaint and the User’s telephone number,
- the identification number of the order or other
transaction to which the complaint relates.
The Data Controller does not record telephone calls.
13.4. Source of the data: the User provides the data to the Data Controller. The Data
Controller does not obtain the User’s data from any other source.
13.5. Purpose of data processing: to investigate and respond to complaints submitted by the
User regarding warranty or guarantee rights; Chapter XXIV of Act V of 2013 on
the Civil Code, concerning defective performance; Decree 19/2014. (IV. 29.) NGM
on the procedural rules for handling warranty and guarantee claims regarding
goods sold under a contract between a consumer and a business, and Government
Decree No. 151/2003. (IX. 22.) on mandatory guarantees for certain durable
consumer goods.
13.6. Duration of data processing: The Data Controller processes data handled during the
complaint resolution process until the expiration of the general statute of
limitations applicable to civil law claims, which is generally 5 years from the
conclusion of the complaint resolution. The statute of limitations must always
be calculated from the date the claim becomes due. The interruption of the
statute of limitations extends the duration of data processing until the new
date on which the statute of limitations begins to run.
If the Data Controller prepares a report on the
complaint, it shall retain it for 3 years from the date the report is drawn up,
pursuant to Section 4(6) of Decree No. 19/2014. (IV. 29.) NGM on the procedural
rules for handling warranty and guarantee claims regarding goods sold under a
contract between a consumer and a business.
13.7. Method of data storage: electronically, in a separate
data file within the Data Controller’s IT system, and in paper form in the
report prepared regarding the complaint.
13.8. Consequences of failure to provide data: the provision of personal data is based on the
above legal obligations and is necessary for their fulfillment. Without the
processing of the above data, the Data Controller cannot investigate and
resolve the complaint.
14. Automated decision-making and profiling
14.1. Automated decision-making: no
automated decision-making takes place during the data processing operations
described in this notice. Even if automated operations occur during data
processing, decisions regarding the data processing are never made automatically.
14.2. Profiling: No profiling as defined
by the GDPR takes place during the data processing operations described in this
notice.
15. Recipients (other data controllers)
15.1. Payment service provider
15.1.1. Scope of data recipients: Users who make online payments on the website.
15.1.2. Recipients of the data transfer:
Depending on the selected payment method:
PayPal (Europe) S.a.r.l. et Cie, S.C.A.
Company registration number: B118349
Tax ID: LU 22046007
Registered office: 22-24, Boulevard Royal, 2449 Luxembourg, Luxembourg
Mailing address: 22-24, Boulevard Royal, 2449 Luxembourg, Luxembourg
Email: dpo@paypal.com
Website: https://www.paypal.com/hu/home
the company, as the provider of the
online payment service available on the Data Controller’s website,
and
Stripe Payments Europe Ltd.
Company Registration Number: 513174
Tax ID: IE 3206488LH
Registered office: One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland
Mailing Address: One Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland
Email: dpo@stripe.com
Website: https://stripe.com/
a business entity acting as the
provider of the online payment service available on the Data Controller’s
website.
15.1.3.
Legal basis
for data transfer: the Recipient’s legitimate interest pursuant to Article
6(1)(f) of the GDPR.
The Recipient is required by applicable law to operate a fraud prevention and
detection system in connection with the provision of payment services and is
authorized to process the personal data necessary for this purpose. The
Recipient has established a system in compliance with its legal obligations,
the operation of which requires data transfer by the Data Controller.
Accordingly, it is in the Recipient’s legitimate interest to be able to operate
the fraud prevention and detection system in order to fulfill its legal
obligations. The relevant legal provisions applicable to the Recipient:
- Section 165(5) of Act CCXXXVII of 2013 on Credit Institutions and Financial
Enterprises,
- Section 92/A(3)(f) of Act CCXXXV of 2013 on Certain Payment Service
Providers,
- Section 14(1)(v) of Act LXXXV of 2009 on the Provision of Payment Services.
The legitimate interest of the Data
Controller and the Recipient is to prevent fraud and ensure the proper
functioning of online payments. The proper functioning of payment services is
linked to the primary source of revenue for both organizations. Furthermore,
this is also in the User’s interest, particularly to prevent the misuse of
credit card data.
Data transfer enables the filtering
and detection of fraud, as well as the resolution of any obstacles that may
arise during the payment process.
Data from the scope of the User’s data processed during the order is
transmitted via an electronic channel ensuring encrypted data traffic,
exclusively to the Recipient and only upon completion of the online credit card
payment; the Recipient does not use the data for any other purpose. It follows
from the above that the data transfer does not pose a significant risk to the
User and has no further perceptible impact on them.
The transfer of data is necessary to
achieve the purposes described herein and is also suitable for making the
payment service more secure.
Taking the above into account, as
well as the built-in safeguards, the data transfer does not constitute an
unjustified intrusion into Users’ privacy; therefore, the transfer of data is a
necessary and proportionate data processing operation.
A separate document has been
prepared regarding the balancing of interests; Users may inquire with the Data
Controller regarding its availability.
15.1.4.
The scope of
the transferred data:
for fraud prevention purposes:
- name,
- phone number,
- email address,
- transaction amount,
- product name,
- product price,
- any discounts,
- shipping fee,
- IP address,
- transaction date, time, and ID,
- shipping address,
- billing address,
for payment processing purposes:
- name,
- phone number,
- email address,
- transaction amount,
- transaction date, time, and ID,
- shipping address,
- billing address.
The credit card details provided
during payment are given by the User directly to the payment service
provider, so they do not come into the possession of the Data Controller.
15.1.5.
The purpose
of data transfer: the proper operation of the payment service and the technical
processing of the payment, confirmation of transactions, operating a fraud
monitoring system—a system designed to detect fraud by monitoring bank
transactions initiated electronically—to protect users’ interests, and
providing customer service assistance to the User.
15.1.6.
Data Security: Data security is based on data
segregation. The Data Controller receives order-related information from the
User, while the payment service provider receives only the data necessary for
the payment transaction on the payment page secured with 128-bit SSL
encryption. To make an online payment, your web browser must support SSL
encryption. SSL stands for Secure Sockets Layer, a widely accepted encryption
protocol. The browser used by the User encrypts payment data using SSL before
transmission, ensuring that it reaches the payment service provider in an
encrypted format, thereby preventing unauthorized individuals from deciphering
it.
15.1.7.
Information on
data processing carried out by PayPal (Europe) S.a.r.l. et Cie, S.C.A., and Stripe
Payments Europe Ltd., as well as further details regarding data
processing—including, among other things, the legal basis, purpose, specific
scope of data processed, and duration of data processing—can be found at
https://www.paypal.com/hu/legalhub/paypal/privacy-full?locale.x=en_US and
https://stripe.com/en-hu/privacy.
16. Recipients (data
processors)
The Data Controller engages the
following business entities as data processors.
16.1. Hosting provider
16.1.1.
Scope of
data processing: Users as defined in this notice.
16.1.2. The Data Controller engages
Tárhely.Eu Service Provider Limited Liability Company
Abbreviated name: Tárhely.Eu Kft.
Company registration number: 01-09-909968
Tax ID: 14571332-2-42
Registered office: Hungary, 1144 Budapest, Ormánság Street 4, 10th
floor, Door 241
Mailing address: Hungary, 1538 Budapest, P.O. Box 510
Phone: +36 1 789 2 789
Email: support@tarhely.eu
Website:
https://tarhely.eu/
a business
entity acting as a web hosting provider (hereinafter: Data Processor).
16.1.3.
Scope of
data subject to processing: data processing potentially affects all data
specified in this notice; the specific scope of data is determined by the
functions used by the User, in accordance with the sections above regarding
individual data processing operations.
16.1.4.
Purpose of
engaging the data processor: to ensure the website’s operation in an IT sense by
providing the necessary electronic storage space.
16.1.5.
Nature of
data processing: processing is carried out electronically; the processing of
data consists solely of providing the electronic storage space necessary for
the IT operation of the website.
16.2. Service provider ensuring the
website’s software environment
16.2.1.
Scope of
data processing: Users visiting the website, regardless of whether they use the
services provided by the website.
16.2.2.
The Data
Controller engages
Shopify International Ltd.
Company registration number: 560279
Headquarters: 2nd Floor, 1-2 Victoria Buildings,
Haddington Road, Dublin 4, D04 XN32, Ireland
Mailing Address: 2nd Floor 1-2 Victoria
Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland
Email: support@shopify.com
Website: https://www.shopify.com/
a
business entity acting as the service provider developing the website framework
(hereinafter: Data Processor).
16.2.3.
Scope of
data subject to processing: data processing applies to all data specified in
this notice.
16.2.4.
Purpose of
engaging the Data Processor: to ensure the website’s operation in an IT sense,
using the necessary website software.
16.2.5.
Nature of
data processing: processing is carried out electronically; data processing
consists solely of technical operations necessary for the IT-related operation
of the website.
16.3. Data processing related to sending
newsletters
16.3.1.
Scope of
data processing: Users who subscribe to the newsletter on the website,
regardless of whether they use other services provided by the website.
16.3.2.
The Data
Controller engages
Seguno Software, Inc.
Company registration number: 6316469
Headquarters: 104 City Hall Plaza Suite 200,
Durham, NC 27701, USA
Mailing Address: 104 City Hall Plaza Suite 200,
Durham, NC 27701, USA
Email: help@seguno.com
Website: https://www.seguno.com/
a business entity acting as the developer and
maintainer of the newsletter sending software used by the Data Controller (hereinafter:
Data Processor).
16.3.3.
Scope of
data subject to processing: Data processing involves the first name and email
address of Users who subscribe to the newsletter.
16.3.4.
Purpose of
engaging the Data Processor: to ensure the IT-related operation of the software
used by the Data Controller to send newsletters, through data processing
manifested in the technical operations necessary for the secure operation of
the software.
16.3.5.
Nature of
data processing: processing is carried out electronically; data processing
consists solely of the technical operations necessary for the IT-related
operation of the newsletter-sending software.
16.4. Data processing related to the
provision of email software and storage space
16.4.1.
Scope of
data processing: Users identified in this notice with whom the Data Controller
communicates via email.
16.4.2. The Data Controller engages
Google Ireland Ltd.
Company registration number: 11603307
Tax ID: IE 6388047V
Registered office: Gordon House, Barrow Street, Dublin
4, Ireland
Mailing address: Gordon House, Barrow Street, Dublin
4, Ireland
Phone: +353 1 436 1000
Website:
https://www.google.ie/
a business entity acting as the hosting provider and
software developer for electronic mail (hereinafter: Data
Processor).
16.4.3.
Scope of data
subject to processing:
- the User sending the message:
  - name,
  - email address,
- the
  - subject,
  - content,
  - and the conclusions that can be drawn from them.
16.4.4.
Purpose of
engaging the data processor: to ensure the operation of electronic
correspondence.
16.4.5. Nature of data
processing: processing is carried out electronically;
it consists solely of ensuring the functionality of the storage space and
software necessary for the IT-related operation of electronic correspondence.
16.5. Data processing related
to product delivery
16.5.1.
The scope of
data subjects: Users who place orders for delivery.
16.5.2.
The Data
Controller engages
Magyar Posta Zártkörűen Működő Részvénytársaság
Abbreviated name: Magyar Posta Zrt.
Company registration number: 01-10-042463
Tax ID: 10901232-2-44
Registered office: Hungary, 1138 Budapest,
Dunavirág Street 2-6
Mailing address: Hungary, 1540 Budapest
Phone: +36 1 767 8282
Email: ugyfelszolgalat@posta.hu
Website: https://www.posta.hu/
the business entity acting as the carrier
delivering the ordered product, as well as
FedEx Express International B.V.
Company registration number:
65939859
Registered office: Taurusavenue 111,
2132 LS Hoofddorp, Netherlands
Mailing address: Hungary, Budapest, BUD International Airport,
Logistic Center No. II, 1185
Phone: +36 80 980 980
Website:
https://www.fedex.com/
a business entity acting as
the carrier delivering the ordered products
(hereinafter collectively
referred to as: Data Processors).
16.5.3.
Scope of
data subject to processing: Data processing concerns the following User data
for the purpose of fulfilling the contract arising from the User’s order
(execution of delivery):
- last name,
- first name,
- phone number,
- email address,
- shipping address.
16.5.4.
Purpose of
engaging data processors: to fulfill the contract
arising from the User’s order by delivering the ordered product to the address
specified by the User, including, if necessary, coordinating the delivery
location and time via telephone.
16.5.5. Nature of data processing: Data
processing consists exclusively of data management operations necessary for the
fulfillment of delivery.
16.6. Data
processing related to the issuance of invoices
16.6.1.
Scope of data processing: Users who place
orders on the website, regardless of whether they use other services provided
by the website.
16.6.2.
The Data Controller engages
KBOSS.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Abbreviated
name: KBOSS.hu Kft.
Company
registration number: 01-09-303201
Tax
ID: 13421739-2-41
Registered
office: Hungary, 1031 Budapest, Záhony Street 7
Mailing
address: Hungary, 1031 Budapest, Záhony Street 7.
Phone:
+36 30 3544 789
Email:
info@szamlazz.hu
Website: https://www.szamlazz.hu/
a business entity acting as the developer
and maintainer of the invoicing software used by the Data Controller
(hereinafter: Data Processor).
16.6.3.
Scope of data subject to processing: data
processing involves the name and address of the User placing the order, as well
as documents containing the description of the ordered item(s), the date of
purchase, the purchase price, shipping fees, and any other applicable charges.
16.6.4.
Purpose of engaging the data processor: to
use the software for issuing invoices and to ensure its availability and
operation.
16.6.5.
Nature of data processing: data processing
consists solely of technical operations necessary to ensure the availability
and IT-related operation of the software used to issue invoices.
16.7. Data processing related
to accounting services
16.7.1.
Scope of data processing: Users placing orders.
16.7.2.
The Data Controller engages the following as a data processor
Anikó Damina, acting as
Registration number: 27079091
Tax ID: 65768136143
Registered office: Hungary, 1213 Budapest, 21st
District, Mókus út 5, Building A
Mailing address: Hungary, 1213 Budapest, 21st
District, Mókus út 5, Building A
a sole proprietor acting as the accountant for the Data Controller’s business
activities (hereinafter: Data Processor).
16.7.3.
Scope of data subject to processing: Data processing involves the name and
address of the User placing the order, as well as the details of the ordered
item(s), the date of purchase, and the purchase price, shipping fees, and any
other charges listed on the relevant receipts.
16.7.4.
Purpose of engaging the data processor: to fulfill the accounting obligations
prescribed by law regarding the Data Controller’s economic activities by
utilizing the services of the aforementioned data processor.
16.7.5. Nature of data
processing: data processing consists exclusively of
operations necessary for the fulfillment and verification of accounting
obligations, which the data processor performs by handling paper-based data
carriers and digital data managed in software.
16.8.
Data processing
related to administrative tasks
16.8.1.
Scope
of data processing: Users placing orders.
16.8.2.
The
Data Controller engages the following as a data processor
Siposné Mehlhoffer Szonja Nóra,
acting
Registration
number: 54569452
Tax
ID: 55830704127
Registered
office: Hungary, 2483 Gárdony, Szabadság út 14, 4th floor, apt. 33
Mailing
address: Hungary, 2483 Gárdony, Szabadság út 14, 4th floor, apt. 33
Email:
szonjasolutions@gmail.com
a
sole proprietor acting as the Data Processor engaged by the Data Controller to
perform administrative tasks related to invoice preparation and shipment
organization (hereinafter: Data Processor).
16.8.3. Scope of data
subject to processing: data processing involves the name, address, and phone
number of the User placing the order, as well as the description of the ordered
product(s), the date of purchase, and the purchase price and any other fees
listed on the receipt, as well as additional data related to the fulfillment of
the order.
16.8.4. Purpose of
engaging the data processor: to prepare for the fulfillment of accounting
obligations prescribed by law regarding the Data Controller’s economic
activities, as well as to organize delivery through the use of the
aforementioned data processor’s services.
16.8.5. Nature of data
processing: data processing consists exclusively of operations necessary for
the fulfillment and verification of accounting obligations, which are performed
by the data processor through the handling of paper-based data carriers and
digitally managed data, as well as through the performance of administrative
tasks necessary for organizing transportation. The data processor organizes
transportation exclusively through IT means.
16.9. Data processing
related to customer service and administrative tasks
16.9.1.
Scope
of data processing: Users who contact the Service Provider or place an order.
16.9.2.
The
Data Controller engages
Gyula
Szathmary, sole proprietor
Tax ID: DE320698042
Registered office: Wolkersdorfer
Str. 13, 83278 Traunstein, Germany
Mailing address: Wolkersdorfer
Str. 13, 83278 Traunstein, Germany
a sole proprietor, as
the Data Processor engaged by the Data Controller to perform general
administrative and customer service tasks
(hereinafter:
Data Processor).
16.9.3.
Scope
of data subject to processing: data processing potentially affects all data specified in this notice.
16.9.4. Purpose of
engaging the Data Processor: to perform customer service and other general
administrative tasks.
16.9.5. Nature of data
processing: carried out electronically.
16.10. Data
processing related to addressing
16.10.1.
Scope of
data processing: Users placing orders on the website.
16.10.2.
The Data
Controller engages
BÚTOR-TRIÓ Manufacturing, Trading,
and Service Limited Liability Company
Abbreviated
name: BÚTOR-TRIÓ Kft.
Company
registration number: 13-09-082486
Tax ID:
11859114-2-13
Registered
office: Hungary, 2045 Törökbálint M.M. Industrial Park, Dózsa György St. 105 /
52
Mailing
address: Hungary, 2045 Törökbálint M.M. Industrial Park, Dózsa György St. 105 /
52
Phone: +36
20 365 3641
Email:
butortrio@butortrio.t-online.hu
Website:
http://www.butortrio.hu/
the business entity engaged to
package, address, and hand over the ordered product to the courier service
(hereinafter: Data Processor).
16.10.3.
Scope of
data subject to processing: Data processing involves the name, shipping
address, billing address, and phone number of the User ordering the product.
16.10.4.
Purpose of
data processing: Addressing the package (product) sent by the Data Controller
to the User and handing it over to the courier service.
16.10.5. Duration of
data processing: The Data Controller will process the data for a period of 5
years from the date of contract conclusion—the general statute of limitations
applicable to civil law claims.
16.10.6. Nature of
data processing: The processing of data consists solely of operations necessary
to fulfill the delivery of the product to the User.
16.10.7.
The Data Controller does not engage any data processors other than those
specified in this notice and does not disclose personal data to any other
recipients. If required in court or other official proceedings, the Data
Controller will disclose the necessary personal data upon request by the
relevant authority.
17. Data Protection, Data Security
17.1. The Data Controller ensures the
security of data within the scope of its data processing activities and ensures
compliance with laws and other data and confidentiality protection rules
through technical and organizational measures as well as internal procedural
rules. It protects the processed data with appropriate measures, in particular
against unauthorized access, alteration, transmission, disclosure, deletion, or
destruction, as well as against accidental destruction and damage, and against
becoming inaccessible due to changes in the technology used.
17.2. The data serving as the basis for
measuring website traffic and mapping usage patterns is recorded by the Data
Controller’s IT system from the outset in such a way that it cannot be directly
linked to any individual.
17.3. Data is processed only to the extent
necessary and proportionate to achieve the lawful purposes specified in this
notice, in accordance with applicable laws and recommendations, and with
appropriate security measures in place.
17.4. To this end, the Data Controller
uses the “https” protocol to access the website, which allows web
communications to be encrypted and uniquely identified. In addition, in
accordance with the above, the Data Controller stores the processed data in
encrypted data files, organized into separate data processing lists for each
data processing purpose, to which the Data Controller’s designated – who
perform tasks related to the activities specified in this notice – may access
the data, and whose job responsibilities include the protection of the data and
its responsible handling in accordance with this notice and applicable laws.
17.5. The Data Controller enters into a
mandatory data processing agreement with the data processors it engages to
ensure compliance with applicable laws and to guarantee an adequate level of
data security.
17.6. Passwords are stored in an encrypted
format within the Data Controller’s system, as a result of which the Data
Controller does not have access to the User’s password.
18.
User Rights Regarding Data Processing
18.1.
Right
to information
18.1.1. By reading this
privacy notice, the User may obtain information about data processing at any
time. Upon the User’s request, verbal information may also be provided,
provided that the User’s identity has been verified by other means. The User
may request information both during and after the period of data processing.
The information covers all essential details of data processing, as well as the
manner in which the User may exercise their rights. Upon the User’s request,
the Data Controller shall also inform the User of the measures taken in
response to the User’s requests—or the reasons for any failure to act—while
indicating the forums available for filing a complaint.
18.1.2. The provision of
this information is free of charge. If the User’s request is clearly unfounded
or—particularly due to its repetitive nature—excessive, the Data Controller
may, taking into account the administrative costs associated with providing the
requested information or taking the requested action:
a) charge
a reasonable fee, or
b) refuse
to take action based on the request.
18.1.3. The Data
Controller shall provide the information as soon as possible after the request
is submitted (without undue delay), but no later than one month.
18.2.
Right
of Access
18.2.1. The User has the
right to access the data processed about them. In the event of such a request,
the Data Controller shall inform the User whether data processing is currently
taking place regarding their personal data, as well as all relevant circumstances
related to the specific data processing.
18.2.2. Pursuant to the
right of access, the User may request a copy of their personal data processed
by the Data Controller, which the Data Controller shall provide free of charge
on the first occasion. For additional copies, the Data Controller may charge a
reasonable fee based on administrative costs.
18.2.3. The Data
Controller shall provide the copy in a widely used electronic format, unless
the User requests otherwise.
18.2.4. The Data
Controller shall provide access as described above within the shortest possible
time (without undue delay) from the submission of the request, but no later
than one month.
18.3.
Right
to Rectification
18.3.1. The User has the
right to request that the Data Controller rectify inaccurate personal data
concerning him or her without undue delay.
18.3.2. Taking into
account the purpose of the data processing, the User has the right to request
that incomplete personal data be completed, including by means of a
supplementary statement.
18.3.3. At the User’s
request, the Data Controller shall rectify, or where justified, supplement the
inaccurate personal data concerning the User without undue delay.
18.4.
Right
to erasure
18.4.1. The User has the
right to request that the Data Controller erase personal data concerning him or
her without undue delay, and the Data Controller is obligated to erase personal
data concerning the User without undue delay if any of the following grounds
apply:
a)
the personal data is no longer necessary
for the purpose for which it was collected or otherwise processed;
b)
the User withdraws the consent on which
the data processing is based, and there is no other legal basis for the data
processing (among the data processing activities covered by this notice, this
applies only to data processing carried out on the basis of consent, as
described in the following sections:
3.
Technical data processing based on consent related to the collection of
information technology data associated with the use of the website;
4. Data processing related to receiving and responding
to messages;
5. Data processing related to requests for quotes;
6. Data processing related to sending newsletters;
7.
Data processing related to registration);
c)
the User objects to the data processing,
and there is no overriding legitimate reason for the data processing (among the
data processing activities covered by this notice, this applies only to data
processing based on legitimate interest, as described in the following
sections:
3.
Technical data processing based on legitimate interest related to information
technology data collection associated with the use of the website;
9. Processing of data of natural persons acting on
behalf of a business entity;
15. Recipients (other data controllers) (payment
service provider);
d)
personal data was processed unlawfully;
e)
personal data must be erased to comply
with a legal obligation under European Union or Member State law applicable to
the data controller.
18.4.2. The Data Controller
is not required to erase data necessary for the establishment, exercise, or
defense of legal claims, even upon the User’s request to that effect, nor is it
required to erase data whose processing is necessary to protect the vital
interests of the User or another natural person, or to comply with a legal
obligation under Union or Member State law applicable to the Data Controller (
). However, in the standard case, the Data Controller will delete the data even
without a request once the retention period has expired.
18.5.
Right
to Restriction of Processing
18.5.1. At the User’s
request, the Data Controller shall restrict data processing if any of the
following conditions are met:
a) the
User disputes the accuracy of the personal data; in this case, the restriction
applies for a period that allows the Data Controller to verify the accuracy of
the personal data;
b) the
data processing is unlawful, and the User opposes the erasure of the data and
requests the restriction of their use instead;
c) the
Data Controller no longer needs the personal data for the purposes of data
processing, but the User requires it for the establishment, exercise, or
defense of legal claims;
d) the
User has objected to the data processing; in this case, the restriction applies
for the period until it is determined whether the Data Controller’s legitimate
interests take precedence over the User’s legitimate interests (among the data
processing activities covered by this notice, this applies only to data
processing carried out on the basis of legitimate interest, as described in the
following sections:
3.
Technical data processing based on legitimate interests related to information
technology data collection associated with the use of the website;
9.
Processing of data of natural persons acting on behalf of a business entity;
15.
Recipients (other data controllers) (payment service provider)).
18.5.2. If data processing
is subject to restriction, the Data Controller shall process such personal
data, with the exception of storage, only with the User’s consent, or for the
establishment, exercise, or defense of legal claims, or for the protection of
the rights of another natural or legal person, or for reasons of substantial
public interest of the European Union or of a Member State.
18.5.3. The Data
Controller shall inform the User, who has contested the accuracy of the
personal data and on this basis had data processing restricted, in advance of
the lifting of the restriction on data processing.
18.6.
Notification
Obligations Regarding the Rectification or Erasure of Personal Data, or the
Restriction of Data Processing
The Data Controller shall notify the User, as well as
all recipients to whom the data was previously transferred, of the
rectification, restriction, and erasure. Notification may be omitted if it
proves impossible or requires a disproportionate effort. At the User’s request,
the Data Controller shall provide information about these recipients.
18.7.
Right
to Data Portability
18.7.1. The User has the
right to receive the personal data concerning him or her, which he or she has
provided to the Data Controller, in a structured, commonly used, and
machine-readable format, and is also entitled to transmit this data to another
data controller without hindrance from the data controller to whom the personal
data was provided, if:
a)
the processing is based on the User’s
consent or on a contract concluded with the User; and
b)
the processing is carried out by automated
means.
18.7.2. Of the data
processing activities covered by this notice, the data processing activities
described in the following sections meet the above conditions; therefore, the
right to data portability may be exercised in relation to these:
a) those
carried out on the basis of consent:
3.
Technical data processing based on consent related to information technology
data collection associated with the use of the website;
4.
Data processing related to receiving and responding to messages;
5.
Data processing related to requests for quotes;
6.
Data processing related to sending newsletters;
7.
Data processing related to registration;
b) those carried out
on the legal basis of the performance of the contract concluded with the User:
8.
Data processing related to orders placed by consumers.
18.7.3. In exercising the
right to data portability as described above, the User is entitled to
request—if technically feasible—the direct transfer of personal data between
data controllers.
18.8.
Right
to object
18.8.1. The User may
object at any time, on grounds relating to their particular situation, to the
processing of their personal data based on legitimate interests.
18.8.2. In this case, the
Data Controller may continue to process the personal data only if it
demonstrates that the processing is justified by compelling legitimate grounds
that override the User’s interests, rights, and freedoms, or that are related
to the establishment, exercise, or defense of legal claims.
18.8.3. With respect to
the data processing activities covered by this notice, the User may exercise
their right to object regarding the data processing activities described in the
sections below, which are based on legitimate interest:
3. Technical data processing based on legitimate
interests related to information technology data collection associated with the
use of the website;
9. Processing of data of natural persons acting on
behalf of a business entity;
15. Recipients (other data controllers) (payment
service provider).
19. Fulfillment of User Requests
19.1. The Data Controller
shall provide the information and take the measures set forth in Section 18 free of charge. If the User’s request is manifestly
unfounded or excessive—particularly due to its repetitive nature—the Data
Controller, taking into account the administrative costs associated with
providing the requested information or taking the requested action, may:
a) charge a reasonable fee, or
b) refuse to take action based on the request.
19.2. The Data Controller shall inform the
User of the actions taken in response to the request, including the provision
of copies of the data, without undue delay, but no later than one month from
the date of receipt of the request. If necessary, taking into account the
complexity of the request and the number of requests, this deadline may be
extended by an additional two months. The Data Controller shall inform the User
of the extension of the deadline within one month of receiving the request,
specifying the reasons for the delay. If the User submitted the request electronically,
the Data Controller shall provide the information electronically, unless the User
requests otherwise.
19.3. If the Data Controller does not take
action in response to the User’s request, it shall, without delay but no later
than one month from the receipt of the request, inform the data subject of the
reasons for the failure to act, as well as of the fact that the data subject may
lodge a complaint with the supervisory authority specified in Section 20 and
may exercise their right to judicial remedy as described therein.
19.4. The User may submit requests to the
Data Controller in any manner that allows for the identification of the
individual. Identification of the User submitting the request is necessary
because the Data Controller may only fulfill requests for those who are
entitled to do so. If the Data Controller has reasonable doubts regarding
the identity of the natural person submitting the request, it may request
additional information necessary to confirm the identity of the User in
question.
19.5. Users may
submit their requests by mail to the Data Controller’s address at
1148 Budapest, Jerney utca 41, 3rd floor, Door 12, or by email to
the addresses
, info@mybettershelf.com, or
. The Data Controller will only consider a request sent
by email to be valid if it is sent from the email
address provided by the User to the Data Controller and registered there;
however, the use of a different email address does not mean that the request
will be disregarded. In the case of email, the date of receipt shall be deemed
to be the first business day following the date of sending.
20. Enforcement of Rights
Data subjects may
exercise their legal remedies before a court of law and may also contact the
National Authority for Data Protection and Freedom of Information:
National Authority for
Data Protection and Freedom of Information
Address: Hungary, 1055
Budapest, Falk Miksa Street 9-11.
Mailing Address:
Hungary, 1363 Budapest, P.O. Box 9
Phone: +36 1 391 1400
Fax: +36 1 391 1410
Email:
ugyfelszolgalat@naih.hu
Website:
https://www.naih.hu/
If the User is located
in another Member State of the European Union, information regarding the
competent authority in their place of residence and its contact details can be
found here.
If legal action is
taken, the lawsuit may—at the User’s discretion—be filed with the court of the
User’s place of residence or location, as the court has jurisdiction over the
matter.
June 2, 2026
Mybettershelf Kft.