DATA PROCESSING

PRIVACY POLICY

Agria Vino 2010 Kft. (company registration number: 10-09-033819, registered office: 3300 Eger, Verőszala út 22., hereinafter referred to as “Controller”) processes the data of the persons who visit its Website, register there and place orders (hereinafter referred to collectively as “Data Subject”) during the operation of the website www.galtibor.hu (hereinafter referred to as “Website”). Detailed provisions on the processing of data of natural persons are contained in the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”) and in Act CXII of 2011 on Information Self-determination and Freedom of Information.

This policy will be posted by the Controller in a conspicuous place on the above website visited by its consumers and will take effect upon publication and will remain in force until the Controller publishes a new Data Processing Policy. The Controller reserves the right to unilaterally amend this Data Processing Policy. In this case, browsing, purchasing and data management activities that were initiated but not completed prior to the publication of the amended policy will be subject to the previous policy. For reasons of transparency and customer orientation, the Controller publishes a separate notice on its website about any changes to this policy.

By using the Website, the Data Subject accepts the terms of the Data Processing Policy and consents to the data processing described below.

PURPOSE OF PROCESSING

The Controller stores and manages the data provided by the Data Subject for the purposes of fulfilling the order, invoicing, delivering the products, handling complaints, contacting customers, proving the terms of the contract and sending newsletters, if the Data Subject is subscribed.

Automatically collected data is used to manage statistics and for the technical development of the IT system.

I. The legal powers that apply to your personal data include, but are not limited to, the following:
  • Act CXII of 2011 on Information Self-determination and Freedom of Information
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (the “E-Commerce Act”)
  • Act V of 2013 on the Civil Code
  • the GDPR Regulation referred to above

II. Definitions:

personal data: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

processing: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

controller: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

processor: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; who carries out purely technical tasks (e.g. data collection) in connection with data processing;

personal data breach: ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

recipient: ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

third party: ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

III. Principles of data processing:

It is of utmost importance for the Controller to process, safely use and store the personal data provided by the users of its services and products in accordance with the applicable laws and other regulations, to fully guarantee the informational self-determination of the visitors and to provide detailed information on the processing of personal data.

The Controller will process your data in accordance with the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability, and will require its staff and employees to fully enforce these principles.

Purpose limitation applies to data processing for the specified and explicit purposes listed below, while data minimisation means that the Controller processes the data strictly necessary to achieve the purpose according to the principle of storage limitation and for the time strictly necessary.

At the end of the period specified below, the Controller will irrevocably destroy your personal data and, in order to carry out statistical analyses and calculations and for its development activities, will only store data that can no longer be linked to you and that does not make you identifiable at all.

IV. Lawfulness of processing – applied legal bases according to article 6 of the GDPR:

1./ Processing based on consent: ‘consent’ of the Data Subject/Visitor/Buyer means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her;

2./ Processing for the purpose of performance of a contract: performance of a contract to which the Data Subject/Visitor/Buyer is a party;

3./ Processing to fulfil a legal obligation: processing is necessary to fulfil the legal obligation of the controller (e.g.: fulfilment of accounting obligations);

4./ Processing in cases of legitimate interest: the data processing is necessary in order to protect the legitimate interests of the Controller or of a third party; The conditions for the application of this legal basis are laid down in the internal data protection rules of the Controller, which set out the circumstances taken into account in the legitimate interest balancing test and the procedure followed.

5./ Data processing as defined in Section 13/A of the E-Commerce Act: The Controller may process personal data (name, maiden name, mother’s maiden name, place and date of birth) of the Data Subject/Visitor/Buyer, suitable and sufficient for the identification thereof, for the purpose of drawing up the contract for the information society service, determining and modifying the contents thereof, monitoring the performance thereof, billing the charges arising therefrom as well as enforcing the claims related thereto. For the purpose of billing for charges arising under the contract for the information society service, the Controller may process personal data related to the use of such service, as well as data regarding the time, duration and place of using the service.

V. Map of data assets

In the following you will find information on the scope of the personal data processed by us as well as on the lawfulness and purpose of the data processing:

When data subjects visit our Website and use our services, they may have two user roles. The scope of personal data processed and collected in both roles is set out below:

user role 1 – visitor:

If you visit our Website as a visitor and only collect information, you will use our website services as a visitor (hereinafter referred to as “Visitor”). We do not receive any personal data about you as a Visitor that would enable us to identify you, and in this case we will not store any data about you. However, when you visit our website, we generate a text file, a so-called cookie, which does not collect any personal data about you, but provides us with information about the usage behaviour in relation to the computer on which you are currently logged in. This way we get information about the pages you open on your computer and the number of clicks, but they are not linked to you, only to the computer you are using. Cookies are used to make our website more convenient, efficient and pleasant to use and to provide you with personalised offers and advertisements. The data required to create the text file is not provided by you, but – as described above – we collect this information while you are using our website, i.e. the data exchange occurs automatically during communication between computers.

The legal basis for the use of cookies is your consent, since by clicking on the “Accept” button in the pop-up window you give your consent to the lawful use of cookies. However, you can delete the cookie from your computer or disable its use in your browser. Cookies are usually managed under the same name in the Tools/Settings menu of your browser under the Privacy tab. Disabling cookies is considered a withdrawal of your consent.

user role 2 – buyer:

If you wish to make purchases via the webshop accessible on our Website, you must provide your personal data, which does not require registration.

For detailed information on the data processed in this section, please refer to the following table:

Buyer records:

| Data category | Source of data | Purpose of processing | Lawfulness of processing (legal bases) | Duration of the processing |
|---|---|---|---|---|
| 1. last name and first name * | Provided by buyer | Buyer identification, registration | Performance of the contract (Section IV.2.) | until termination of the contract / cancellation of the registration |
| | | ensuring communication | Performance of the contract (Section IV.2.) | until termination of contract |
| | | drawing up the contract, defining and amending its content and monitoring its performance | Section 13/A of the E-Commerce Act (Section IV.5.) and performance of the contract (Section IV.2.) | until termination of contract |
| | | invoicing of the fees incurred (e.g. purchase price) when a contractual relationship is established | Section 13/A of the E-Commerce Act (Section IV.5.) and fulfilment of a legal obligation (IV.3.) | for a period of 8 years after the issue of an invoice pursuant to Section 169 of Act C of 2000 |
| | | possible enforcement of claims and prevention of fraud | Legitimate interest (IV.4.) | until the expiry of the limitation period |
| 2. year of birth (with regard to the fact that persons under the age of 18 are not allowed to buy alcoholic products) * | Provided by buyer | drawing up the contract, defining and amending its content and monitoring its performance | Section 13/A of the E-Commerce Act (Section IV.5.) and performance of the contract (Section IV.2.) | until termination of contract |
| | | Buyer identification | Performance of the contract (Section IV.2.) | until termination of contract |
| | | Prevention of possible offences and crimes | Legitimate interest (IV.4.) and fulfilment of a legal obligation (IV.3.) | until the expiry of the limitation period |
| 3. email address* | Provided by buyer | According to Section 1 | According to Section 1 | According to Section 1 |
| 4. phone number* | Provided by buyer | Buyer identification | Performance of the contract (Section IV.2.) | until termination of contract |
| | | ensuring communication | Performance of the contract (Section IV.2.) | until termination of contract |
| | | drawing up the contract, defining and amending its content and monitoring its performance | Section 13/A of the E-Commerce Act (Section IV.5.) and performance of the contract (Section IV.2.) | until termination of contract |
| 5. password* | Provided by buyer | Buyer registration and identification | in both cases performance of the contract (IV.2.) | until termination of the contract and cancellation of registration |
| | | Ensuring communication | | |
| 6. billing information * (name (company name), county, city, postal code, street, house number) – if different from the shipping information in Section 7 | Provided by buyer | drawing up the contract, defining and amending its content and monitoring its performance | Section 13/A of the E-Commerce Act (Section IV.5.) and performance of the contract (Section IV.2.) | until termination of contract |
| | | possible enforcement of claims and prevention of fraud | Legitimate interest (IV.4.) | until the expiry of the limitation period |
| 7. shipping information * (name of recipient, county, city, postal code, street, house number) | Provided by buyer | drawing up the contract, defining and amending its content and monitoring its performance | Section 13/A of the E-Commerce Act (Section IV.5.) and performance of the contract (Section IV.2.) | until termination of contract |
| | | possible enforcement of claims and prevention of fraud | Legitimate interest (IV.4.) | until the expiry of the limitation period |
| 8. purchase amount and the name and quantity of the products purchased* | Provided by buyer | drawing up the contract, defining and amending its content and monitoring its performance | Section 13/A of the E-Commerce Act (Section IV.5.) and performance of the contract (Section IV.2.) | until termination of contract |
| | | invoicing of the fees incurred (e.g. purchase price) when a contractual relationship is established | Section 13/A of the E-Commerce Act (Section IV.5.), performance of the contract (Section IV.2.) and fulfilment of a legal obligation (IV.3.) | for a period of 8 years after the issue of an invoice pursuant to Section 169 of Act C of 2000 |
| | | possible enforcement of claims and prevention of fraud | Legitimate interest (IV.4.) | until the expiry of the limitation period |

Please note: In order to be able to buy in our webshop, you must provide the information marked with * in the table above, which is essential for the conclusion of the contract. Without the above-mentioned personal data, we are not able to conclude a contract with you.

VI. Controller and processor

A.) Controller:

The personal data listed in section V below will be processed by our company as Controller:

Agria Vino 2010 Kft.

Company data | Company registration number: 10-09-033819, based in 3300 Eger, Verőszala út 22., tax number: 22723084-2-10, represented by: Tibor Ádám Gál, Managing Director

Contact details of our customer service:

Email: brand[at]galtibor.hu

Phone: +36202193264

We would like to point out that the data mentioned in section V are accessible to the Controller and its employees, which is regulated by internal data protection regulations and is binding for all employees of our company.

In terms of the GDPR regulation, our company does not have a position of data protection officer.

B.) Processors:

Our company will transfer the personal data referred to in Section V to the following companies, and these companies will have access only to the data processed by us that is necessary to fulfil the purposes listed below:

COLOR&CODE KFT. (company registration number: 10-09-034928, based in 3300 Eger, Fazola utca 6., tax number: 25044935-2-10) that carries out the development and maintenance of our website on a regular basis and operates our webshop via its web server.

KBOSS.hu Kft. (szamlazz.hu) (company registration number: 01-09-978937, based in 1031 Budapest, Záhony utca 7., tax number: 13421739-2-41) that issues the electronic invoice for you and sends it to your email address or to your billing address in paper form.

BORGUN hf. (based in Ármúli 30, 108 Reykjavík, Iceland, email: borgun[at]borgun.com) that performs the online credit card payments.

Barta és Barta Kft. (company registration number: 10-09-020924, based in 3300 Eger, Dónát út 8/A., tax number: 11161233-2-10), an accounting firm that does the bookkeeping for our company.

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (company registration number: 13-09-111755, based in 2351 Alsónémedi, GLS Európa utca 2.), a parcel service that delivers packages to our customers.

We conclude a data processing contract with all the above-mentioned providers, in which the data processors guarantee the protection of your personal data, but our company does not guarantee and expressly disclaims any liability for the compliance and implementation of data protection laws by these data processors.

VII. Right to email marketing – Newsletters

Please note that by providing your first and last name and email address on our website, you can subscribe to our regular newsletters, which contain advertising, offers and other information to ensure that you are promptly informed about our latest products and services. The legal basis for the processing of your personal data defined in this section is a legitimate interest of the Controller, as we have a right to email marketing for the purpose of direct marketing. You can subscribe to the newsletter by providing the above information and clicking on the “Subscribe” button. The indication and processing of your year of birth is also subject to a legal obligation, as we are not allowed to sell or send alcoholic beverages or offers to persons under 18 years of age. Your information provided in this way will be processed until the newsletter service used by the Controller is up and running, but if you object to this and the GDPR conditions apply, your personal data listed in this section will be deleted and no further newsletters will be sent to you.  Please note that all personal data provided in this section is required if you wish to use our newsletter service, otherwise we will not be able to send you our newsletter.  

VIII. Your rights regarding the processing of your personal data

Right of access: You have the right to demand information from us about the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations and the envisaged period for which the personal data will be stored, or the criteria used to determine that period. You can request a one-time free copy of the data we process. A fee will be charged for additional copies.

Right to rectification and erasure (‘right to be forgotten’): You have the right to request the Controller to correct, rectify, amend or supplement your personal data at any time if you discover that it has not been properly recorded or if there has been a change in your data. Upon receipt, our company is obliged to comply with this request immediately. You may request the deletion of the data in the cases provided for by law if the conditions of Article 17 of the GDPR are met. In such a case your data will be permanently and irrevocably deleted from our records.

Right to restriction of processing: in the cases referred to in Article 18 of the GDPR, you can ask us to restrict the processing of your data.

In connection with the above rights, we also inform you that, in the event of requests with the above content, we will inform all recipients to whom we have previously disclosed your personal data of these operations, unless this would give rise to disproportionate difficulties.

Right to data portability: In accordance with Article 20 of the GDPR, you may request that your personal data processed with your consent or as part of the performance of a contract be transferred to you or, at your request, transferred directly to another controller.

Right to object: You may object at any time to the processing of your data whose legal basis is the legitimate interest of the Controller.

Withdrawal of consent: If our data processing activity is based on the consent given by you, you can withdraw this consent at any time. However, please note that withdrawals are not retroactive and do not affect the legality of our previous processing.

Right of complaint: If you discover an unlawful processing of your data or if your rights are violated by our data processing activity, you have the right to lodge a complaint with the supervisory authority or to bring a civil action before the competent court.

Contact details of the supervisory authority:

Hungarian National Authority for Data Protection and Freedom of Information

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

Website: https://naih.hu/

IX. Ensuring data security

If we become aware of a data privacy incident, we will report this circumstance immediately, but at the latest within 72 hours, to the supervisory authority referred to in Section VIII. If we find that a privacy incident is likely to pose a significant threat to your rights and freedoms, we will notify you within 72 hours at the latest.

We would like to point out that we have internal data privacy guidelines in conformity with the law as well as measures which, in addition to the measures described above, ensure the secure handling of your personal data in our organisational and technical systems.