Pursuant to the Hungarian legislation in force and the relevant provisions of Regulation 2016/679 of the European Parliament and of the Council (hereinafter: the Regulation), by contacting VITAREX STÚDIÓ Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1114 Budapest, Bartók Béla út 77. 3rd floor. 3.; registered with the Commercial Court of the Metropolitan Court of Budapest under company registration number 01-09-567160; e-mail address: [email protected]) – hereinafter referred to as: the Data Controller – electronically, you voluntarily consent to the Data Controller processing your personal data for the purposes of the processing specified in point 5, in compliance with the legal provisions referred to.
The present Privacy Policy and Information Notice (hereinafter referred to as the “Privacy Policy”), published on the website of VITAREX STÚDIÓ Kft. as the data controller, https://vitarex.hu/, and on other websites available at the addresses specified therein (hereinafter referred to as the “Website”), governs the processing of personal data of natural persons and contracting partners (hereinafter referred to as the “User”) of the Websites operated by VITAREX STYLE SA, as the data controller, in accordance with the provisions of the Regulation and Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Data Protection Act”), and contains the Users’ data protection information.
Please note that the User has the right to withdraw his/her consent to data processing at any time.
The User is entitled at any time to:
- request information about the processing,
- request access to their personal data and information relating to their processing,
- request the rectification or integration of their personal data,
- request the restriction of the processing of their personal data; and
- request the erasure of their personal data
by sending a letter to 1114 Budapest, Bartók Béla út 77. 3/3. or by email to [email protected].
We would also like to draw your attention to the fact that you have the right to refuse or prohibit the processing of your data for direct marketing purposes by sending a letter to 1114 Budapest, Bartók Béla út 77. 3/3. or an e-mail to [email protected].
The Data Controller shall process the personal data provided by the User in the course of providing the services offered on the website and sending e-mail newsletters until the purpose of the processing is fulfilled.
Section 11 of this Privacy Policy provides detailed information on the rights of the User, while Section 12 of this Privacy Policy provides detailed information on the possibilities of enforcement.
Withdrawal of consent to processing does not affect the lawfulness of the processing carried out up to that point.
The Data Controller shall not be liable for the accuracy of the data provided by the User.
1. GENERAL PROVISIONS
The Data Controller shall process the User’s personal data in accordance with this Privacy Policy, taking into account the information provided by the authority responsible for data protection (currently the National Authority for Data Protection and Freedom of Information, whose registered office is at Szilágyi Erzsébet fasor 22/C, 1125 Budapest, Hungary and its website is www.naih.hu) and the published judicial practice. The User expressly and voluntarily consents to the processing of his/her data by the Data Controller in accordance with the provisions of this Privacy Policy when contacting the Data Controller. Please also refer to Section 4 (User’s Declaration) for the User’s declarations in relation to his/her consent under this Privacy Policy.
Please note that if the User is an existing contractual partner of the Data Controller, the lawfulness of the processing does not require the separate consent of the User, in which case the legal basis for processing is the performance of the contract.
2. MODIFICATION
The Data Controller reserves the right to unilaterally modify this Privacy Policy by informing the Users through the Website. The amended Privacy Policy will be published by the Controller on the Website no later than five (5) days before the amended Privacy Policy comes into force. The Data Controller may also notify changes to this Privacy Policy to registered Users of the Website through the user account available on the Website (hereinafter “User Account”) or, in the case of both registered and non-registered Users, through one of the contact details provided at registration or when using the Website, no later than five (5) days before the amended Privacy Policy comes into force. The User declares that he/she consents to be contacted through the User Account or through the contact details provided by him/her at the time of registration or when using the Website or contacting the Data Controller in accordance with this Privacy Policy.
3. PURPOSE OF THE DATA PROCESSING POLICY
The purpose of this Privacy Policy is to:
- promote compliance with data protection laws;
- define the scope of the User’s personal data as defined in point 6 and processed by the Data Controller, the method of processing, respect for the privacy of natural persons, data protection and data security requirements in accordance with other applicable laws;
- inform the Users of the facts related to the processing, the identity (name and contact details) of the Controller, the purpose and duration of the processing and the criteria for determining this duration, the legal basis of the processing, the scope of the personal data processed, the rights of Users in relation to the processing and the ways and means of exercising them, the recipients of the personal data processed, including third country recipients and international organisations, in the event of the transfer or intended transfer of the personal data processed, the source of the personal data collected and any other relevant facts relating to the circumstances of the processing; and,
- help prevent unauthorised access to, alteration of, and unauthorised disclosure or use of the User’s personal data.
4. A DECLARATION BY THE USER
The User, by giving his/her consent during the registration on the Website, confirms that he/she has fully read and understood this Privacy Policy, that he/she accepts the provisions contained in this Privacy Policy as binding upon him/her and that he/she freely, intelligently and expressly consents to the processing of his/her personal data by the Controller for the purposes of the processing specified in this Privacy Policy, i.e. for all purposes specified in this Privacy Policy, in accordance with the provisions of this Privacy Policy.
When registering on the Website or in the software developed by the Data Controller, the User consents to the Data Controller processing his/her personal and other data voluntarily provided by him/her for the purposes set out in Section 5, and at the same time consents to the use of his/her name and address data (contact details) for the purposes of ongoing contact and repeated contact.
The User declares that the data provided during registration are true and correct and do not violate the personal or other rights of third parties or any other rights or feelings protected by law.
5. DATA PROCESSING PURPOSES
Users’ personal data are processed:
- to use, provide, maintain and protect the services provided by the Data Controller through the Website (hereinafter “Services”);
- to improve services and develop new services;
- to protect the Data Controller and the User;
- to support the activities of the Data Controller in connection with the Services, including in particular the display of content uploaded to the Website, the preparation and execution of activities launched or initiated on the Website, and the activities of the Data Controller; and
- for use for promotional purposes related to the above (offering products/services, direct marketing and telemarketing/telesales activities).
6. SCOPE OF PERSONAL DATA PROCESSED
The provisions relating to the processing and protection of Users’ personal data apply only to natural persons, given that personal data can only be understood in relation to natural persons.
The Data Controller only records personal data that the User voluntarily provides. By providing personal data, the User consents to the inclusion of his/her personal data in the database of the Data Controller in accordance with this Privacy Policy.
6.1. Personal data processed for the purpose of identifying users and other activities
The Data Controller processes the following personal data of Users for identification purposes:
- User’s natural person identification data: surname and first name;
- User’s e-mail address provided during registration;
- The postal address provided by the User;
- User’s direct telephone and fax number;
- Personal information (occupation, position) voluntarily provided by the User.
On the Website, the Data Controller may also request other personal data of Users for certain activities (for example, for sweepstakes, promotions, the User’s address or other personal data). By providing them, Users also give their explicit and voluntary consent to the processing of the personal data provided, and the Data Controller will process the personal data provided only until the purpose and activity purpose specified in point 5 is achieved. These processing operations are also governed by this Privacy Policy.
6.2. Data processed in order to use the services
- The IP address of the user’s computer;
- Data about the User’s activity on the Website (tracking the number of banner clicks, login location and duration, server data, cookies).
These data are automatically logged by the Controller’s system. Such information is not personally identifiable, the Data Controller does not associate the data in the log file with any other personal data, and uses the data for trend analysis, site usage statistics, administration of the Services, analysis and satisfaction of User needs, which contribute to the improvement of the quality of the Services.
Registration forms: on these pages, the Data Controller may request the personal data necessary for contacting you (name, telephone number, e-mail address, depending on the type of registration), which you also provide voluntarily.
Direct marketing: when registering on the Website or entering into a contract with the Data Controller, the User voluntarily and expressly consents to the Data Controller processing the User’s personal data for direct marketing purposes. The consent is voluntary and may be withdrawn at any time during the User’s legal relationship, without giving any reason, on the Website or by contacting one of the contact details indicated in the first paragraph of this Privacy Policy. The Data Controller may periodically send information materials to Users in connection with certain of its Services, informing them of news related to the Services. Users who do not wish to receive such mailings may withdraw their consent to receive such information services at any time in the future by sending a letter by post or e-mail informing them of this intention to the postal or e-mail address indicated in the first paragraph of this Privacy Policy.
Sending promotional offers, direct marketing: the Data Controller may send to the Users, at certain intervals, informative circulars about its new services, special offers, to which the User gives his/her voluntary and explicit consent when registering on the Website or in the software developed by the Data Controller or subscribing to the newsletter, in accordance with this Privacy Policy. For this purpose, the Data Controller processes the e-mail address, name and postal address of the Users. If the User no longer wishes to receive such promotional mailings, he/she may object to the sending of such promotional mailings or withdraw his/her consent to the processing by contacting the Data Controller at one of the contact details indicated in the first paragraph of this Privacy Policy.
7. LEGAL BASIS AND METHOD OF PROCESSING
The Data Controller shall process the User’s personal data solely for the purposes set out in this Privacy Policy and shall ensure that at all stages of processing the data are processed in accordance with the purposes for which they are processed. The User declares that, in any case, the granting of his/her consent to the processing and the subsequent provision of data is based on his/her voluntary, informed and explicit consent pursuant to Article 6(1)(a) of the Regulation. The Controller processes the User’s personal data on the basis of the above-mentioned legal provision (legal basis for processing).
In the event that the User enters into a contract with the Data Controller or submits a request to the Data Controller to enter into a contract, the legal basis for processing the data referred to in Article 6(1)(b) of the Regulation is the legal interest of the Data Controller in the performance of the contract, insofar as it is necessary for the performance of the contract, until the termination of the contract.
This Privacy Policy applies to data collected and processed both electronically and manually.
8. DURATION OF DATA PROCESSING
If the processing is based on the User’s consent as detailed in Chapter 7 of this Privacy Policy, the duration of the processing shall last until the purpose of the processing is achieved, but no later than the withdrawal of the User’s consent to the processing.
If the data processing is based on a contractual relationship with the User, as detailed in Chapter 7 of this Privacy Policy, the duration of the data processing shall be until the termination of the contractual relationship.
The Data Controller shall take all necessary technical and organizational measures to delete the User’s personal data as soon as possible, but not more than 30 days after the termination of the contractual relationship with the User, subject to the provisions of this Privacy Policy, point 11 (c).
9. DATA SECURITY
In particular, the Data Controller shall, in accordance with its obligations under Articles 4(4a), 25/A and 25/I to 25/K of the Infotv. and Articles 32 to 34 of the Regulation, do everything in its power to ensure the security of the User’s data, and shall take the necessary technical and organisational measures and establish the procedural rules and take the measures necessary to enforce the Infotv., the Regulation and other data protection and confidentiality rules.
The Services also include cloud-based applications. Cloud applications are typically international or cross-border in nature and serve e.g. data storage purposes, where the data storage is not on the Data Controller’s computer/company’s data centre, but on a server centre located anywhere in the world. The main advantage of cloud applications is that they provide a highly secure, flexible and scalable IT storage and processing capacity, essentially independent of geographical location. The Data Controller shall take the utmost care in the selection of its cloud service partners and shall take all measures generally expected and required by the applicable data protection legislation to contract with them in a manner that is in the interest of the Users’ data security, transparent to their data management principles and regularly monitored for data security. The User expressly consents to the transfer of data necessary for the use of cloud applications by accepting this Privacy Policy.
Links: the Controller’s Website may contain references or links to sites maintained by other service providers (including login and share buttons and logos), where the Controller has no control over the personal data processing practices and where the Controller does not share/transmit data. Users are reminded that clicking on such links may lead them to the sites of other service providers. In such cases, we recommend that you read the privacy policy applicable to the use of these sites. This Privacy Policy applies only to the Website operated by the Data Controller. If the User modifies or deletes any of his/her data on an external website, this will not affect the processing by the Data Controller, such modifications must also be made on the Website.
10. RECIPIENTS OF DATA TRANSFERS
Personal data will be transferred by the Data Controller in the cases and to the recipients specified below:
- hosting providers,
- accountant.
The Service Provider may transfer personal data to a data controller in a state that is not an EEA member state (hereinafter referred to as “third country”) or to a data processor processing data in a third country if the data subject (User) has expressly consented thereto or the transfer is necessary for the purpose of the processing and the conditions for processing laid down in Section 5 of the Infotv. are fulfilled, and an adequate level of protection of personal data is ensured in the third country during the processing of the data transferred.
An adequate level of protection of personal data is ensured where a binding legal act of the European Union so provides or, in the absence of such an act or in the event of suspension of its application, where the third country and Hungary have concluded an agreement to enforce the rights of data subjects under the applicable law, to provide for judicial remedies and to ensure the processing of personal data, or, in the absence of such an act or in the event of suspension of its application, the controller has examined all the circumstances surrounding the transfer of personal data prior to the international transfer and has determined that an adequate level of protection of personal data is ensured.
Transfers to an EEA State shall be considered as if they were transfers within the territory of Hungary.
11. RIGHTS OF USERS
The User may request information about the processing of his/her personal data and whether the processing of his/her personal data is ongoing, and may obtain, upon request, a copy of the personal data processed in relation to him/her during the ongoing processing, as well as access, rectification, integration, erasure (termination of processing) or restriction of processing of personal data concerning him/her, and may object to the processing of such personal data. The User may exercise his/her rights in relation to the processing of personal data by sending a notification to the e-mail address indicated in the first paragraph of this Privacy Policy. The User may request information, a copy, access, transfer, rectification, integration, restriction of processing or erasure (termination of processing) by post or e-mail to the postal or e-mail address indicated in the first paragraph of this Privacy Policy.
The Data Controller shall, in the event of a User’s request as detailed in points (b) to (f) of this Section 11 below and in Section 12 of this Privacy Policy, inform the User of the action taken on the request within twenty-five days of receipt of the request, at the e-mail address provided by the User during registration, unless the User specifies a different means of communication in his/her request. The Data Controller may extend this time limit for a further period of up to two months, taking into account the complexity and number of requests. The Data Controller shall inform the User of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay.
If the Data Controller fails to take action on the User’s request, it shall inform the User without delay, but no later than within one month of receipt of the request, of the reasons for the failure to take action and of the User’s right to lodge a complaint with the National Authority for Data Protection and Freedom of Information or to exercise his/her right to judicial remedy.
The Data Controller shall comply with the request free of charge, unless the request is manifestly unfounded or excessive, in particular because of its repetitive nature, in which case the Data Controller may charge a reasonable fee to compensate for the costs incurred in connection with the unfounded or repetitive request or may legitimately refrain from acting on the request.
(a) Information, access
The Data Controller has informed the User about the processing of his/her personal data pursuant to Article 16 of the Data Protection Act and Article 15(1) of the Regulation under the first paragraph of this Privacy Policy and under points 5, 6, 7, 8, 10, 11 and 12 of this Privacy Policy, and the User may also request separate information from the Data Controller. The Controller shall, upon request, inform the User whether his personal data are processed by the Controller or by a processor acting on behalf of or under the instructions of the Controller. If the data are processed by the Controller or by a processor acting on behalf of or under the authority of the Controller, the Controller shall provide the User with the personal data processed by the Controller or by a processor acting on behalf of or under the authority of the Controller and, within the limits and subject to the conditions of the User’s request, shall communicate to the User
- the name and contact details of the Controller and, where a processing operation is carried out by a processor, the processor,
- the source of the personal data processed,
- the purpose and legal basis of the processing,
- the scope of the personal data processed,
- the recipients of the transfers, including recipients in third countries and international organisations, where personal data are transferred or intended to be transferred,
- the duration of the retention of the personal data processed and the criteria for determining that duration,
- a description of the rights of the User under the Infotv. and how to enforce them,
- where profiling is used, the fact that it is used, and
- the circumstances in which a data breach may have occurred in connection with the processing of the User’s personal data, the effects of such a data breach and the measures taken to manage and prevent it,
- any other material facts relating to the circumstances of the processing,
and inform the User of its activities related to data management.
The request for information on data processing should be sent by post or e-mail to the postal or e-mail address indicated in the first paragraph of this Privacy Policy, to which the User will receive a written reply within twenty-five (25) days.
(b) Correction
The Data Controller shall promptly correct the personal data if the User so requests, if the personal data is inaccurate, incorrect or incomplete and the accurate, correct or complete personal data is available to the Data Controller or is provided by the User to the Data Controller. If it is compatible with the purposes of the processing, the User shall also have the right to request the completion of the incomplete personal data by means of additional personal data provided by the User or by means of a declaration by the User to the personal data processed.
In accordance with the above provisions of this Article 11 (b), if the personal data processed by the Controller or by a processor acting on behalf of or under the instructions of the Controller are inaccurate, incorrect or incomplete, the Controller shall, in particular at the User’s request, immediately correct or rectify them or, if compatible with the purposes of the processing, supplement them with additional personal data provided by the User or with a declaration by the User on the personal data processed. The Data Controller shall be exempted from the obligation set out in the previous sentence if accurate, correct or complete personal data are not available to it and are not provided by the User, or if the accuracy of the personal data provided by the User cannot be established beyond reasonable doubt.
(c) Deletion
The Data Controller shall delete personal data if the User withdraws his consent to the processing or requests the deletion of his personal data, unless the processing is necessary and proportionate for the protection of the vital interests of the User or of another person, or for the prevention or elimination of an imminent threat to the life, physical integrity or property of a person.
The Controller shall promptly delete the User’s personal data without the User’s request if:
- the processing is unlawful, in particular if the processing is contrary to the principles set out in Article 4 of the Data Protection Act; or the purpose of the processing has ceased or the further processing of the data is no longer necessary for the purpose of the processing; or the period of processing specified by law, international treaty or binding legal act of the European Union has expired; or the legal basis for the processing has ceased and there is no other legal basis for the processing of the data;
- the erasure of the data has been ordered by law, an EU act, the Authority or a court;
- the time period specified in the second subparagraph (bullet point) of point 11(d) below of this Privacy Policy has expired.
The Data Controller may refuse a request for erasure in the following cases:
- further processing is necessary for the exercise of the right to freedom of expression and information; or
- the further processing of the data is necessary for compliance with an obligation under Union or Member State law that requires the processing of personal data that is applicable to the controller; or
- further processing is necessary for the establishment, exercise or defence of legal claims.
The User shall notify the Data Controller by post or e-mail of any request for the deletion of his/her personal data at the postal or e-mail address indicated in the first paragraph of this Privacy Policy. Based on the User’s voluntary decision and request, the Data Controller shall delete the data requested by the User without undue delay, but no later than within twenty-five (25) days from the receipt of the User’s request for deletion. By withdrawing consent to the processing of personal data or by requesting the deletion of data, the User also waives the right to participate in all activities related to the registration. In any case, the cancellation is free of charge.
(d) Restriction of processing
The Controller shall restrict processing if:
- the User contests the accuracy, correctness or completeness of the personal data processed by the Controller or by a processor acting on behalf of or under the instructions of the Controller, and the accuracy, correctness or completeness of the personal data processed cannot be established beyond reasonable doubt; for the period necessary to resolve the doubt; or
- the data should be erased because of unlawful processing, but there are reasonable grounds to believe, on the basis of a written declaration by the User or information available to the Controller, that the erasure of the data would harm the legitimate interests of the User; for the duration of the legitimate interest not to erase the data; or
- the data should be erased because of unlawful processing, but the data need to be kept as evidence in the course of investigations or proceedings, in particular criminal proceedings, carried out by or with the participation of the Controller or another public authority, as provided for by law, until the end of such investigations or proceedings.
During the period of the restriction of processing, the Data Controller or the data processor acting on its behalf or under its instructions may carry out processing operations other than storage of the personal data subject to the restriction solely for the purpose of pursuing the legitimate interests of the User or as provided for by law, international treaties or binding legal acts of the European Union. The Data Controller shall notify the User of the restriction. The Data Controller shall notify the User in advance of the lifting of the restriction on processing, where the restriction was necessary to verify the accuracy, correctness or completeness of the data.
In the event of the lifting of the restriction on processing set out in the first subparagraph (bullet point) of this point (d) above, the Controller shall inform the User in advance of the lifting of the restriction on processing.
(e) Objection
The User may object to the processing of his/her personal data at any time. If the User objects to the processing, his/her personal data may no longer be processed, unless the Controller proves that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the User or are related to the establishment, exercise or defence of legal claims. If the User objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes.
The User may also object to the processing of data for direct marketing purposes separately from the communication of data for other purposes.
(f) Right to data portability
Within the scope of the User’s right to data portability, the User may request the Data Controller to provide a copy of the personal data processed by the Data Controller in a structured, commonly used, machine-readable format, and may request the Data Controller to transfer the personal data provided to him/her directly to another data controller.
12. RIGHTS OF REDRESS
(a) Public enforcement
The User
- may initiate an investigation by the National Authority for Data Protection and Freedom of Information to examine the lawfulness of the Controller’s action, if the Controller has not informed the User of the facts related to the processing prior to the commencement of the processing or has not informed the User in accordance with the provisions of the Data Protection Act, or if the User restricts the exercise of his/her rights set out in Section 11 of these Data Processing Rules or rejects his/her request to exercise such rights, or
- may request the National Authority for Data Protection and Freedom of Information to initiate proceedings before a data protection authority if it considers that, in the processing of its personal data, the Controller or a processor appointed or instructed by the Controller is in breach of the provisions on the processing of personal data laid down by law or by a binding legal act of the European Union.
(b) Judicial enforcement
The User may take legal action against the Controller or the processor in connection with processing operations within the scope of the controller’s activities, if the User considers that the Controller or the processor, acting on behalf of or under the instructions of the Controller, is processing his or her personal data in breach of the provisions on the processing of personal data laid down by law or by a binding legal act of the European Union.
The Data Controller or the data processor appointed by the Data Controller shall demonstrate that the processing complies with the requirements for the processing of personal data laid down by law or by a legally binding act of the European Union.
The User may, at his/her option, bring the action before the competent court of his/her place of residence or domicile. A person who does not otherwise have legal capacity may also be a party to the action.
If the Data Controller or a processor mandated by or acting on behalf of the Data Controller infringes the provisions on the processing of personal data laid down by law or by a binding legal act of the European Union and causes damage to another person, the Data Controller shall compensate the damage.
If the Data Controller or a processor appointed by or acting on the instructions of the Data Controller violates the provisions on the processing of personal data laid down by law or by a binding legal act of the European Union and thereby infringes the personality rights of another person, the person whose personality rights have been infringed may claim damages from the Data Controller or a processor appointed by or acting on the instructions of the Data Controller.
The detailed method of enforcement and the detailed legal provisions on the obligations of the Data Controller are set out in the Infotv.
The rights of incapacitated Users, including the consent to the processing of personal data, shall be exercised by their legal representative or guardian, who shall fulfil their obligations. The consent of a minor User over the age of 16 shall not require the consent or subsequent consent of his/her legal representative.
13. FINAL PROVISIONS
The Data Controller’s internal data protection and data security policy, which sets out all the technical specifications and organisational measures to ensure the protection of the data processed for the purposes of direct marketing activities covered by this Privacy Policy, is an integral annex to this Privacy Policy No.
This Privacy Policy contains the consolidated text of the Data Controller’s Privacy Policy, which entered into force on 25 May 2018, as amended in the meantime.
Budapest, 26. 03. 2019.