Privacy and Data Protection Policy of Pólószabó Hungary Limited Liability Company
Our company reserves the right to modify present policy at all times, given that clients and partners are previously informed about potential modifications in a timely manner.
Our company is committed to protect all personal data from out clients and partners and we find it extremely important to respect the informational self-determination of clients. Protecting the information concerning our clients is a priority and we do everything in our power to make you feel safe when using our website. This policy details the rules and their extent concerning your personal data and rights and our responsibilities as data controllers.
The key terms of data processing are defined in details by the Act CXII of 2011 and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The most important key terms for present policy are the following:
Personal data: any information concerning an identified or identifiable natural person (“User”); a natural person is identifiable if they can be identified directly or indirectly based on one or more factors concerning physical, physiological, genetic, intellectual, economical, cultural or social identity of the natural person or based on identifiers as in name, identification number, localisation information or online identification.
Data processing: any process or the sum of processes in connection with personal data, including data collection, recording, organisation, segmentation, storage, transformation, modification, query, inspection, usage, communication, forwarding, distribution or making the data accessible by any other means, coordination or interconnection, restriction, deletion or destruction.
Data controller: a natural or legal person, public authority, agency or any authority determining individually or in cooperation the aims and tools of processing personal data; in case the aims and tools of data processing is determined by EU law or the laws of the member state, the specific aspect of assigning the data controller can be determined by EU law or the laws of the member state as well.
Data processor: a natural or legal person, public authority, agency or any other authority that processes personal data in the name of the data controller.
Recipient: a natural or legal person, public authority, agency or any other authority towards whom personal data is communicated to
User’s consent: the unambiguous expression of the user’s will in a voluntary and exact manner, based on appropriate information, with which the user agrees to the processing of their personal data by way of declaration or any action unambiguously expressing the confirmation.
User: a natural person who registers for the services offered by the company and accordingly provides any personal data
Webshop/website: the webshop operated on the company’s website (www.ourstory.hu)
Information of the data controller
Name: Pólószabó Hungary Kft.
Address: 1031 Budapest, Varsa utca 14. 2/4
Representative: Szabó Bence László manager
Tax number: 25516289-2-41
VAT number: HU25516289
Company registration number: 01-09-279644
Data protection registry number: NAIH-108801
Aim of data processing
The aim of data processing is providing the services accessible on the website. The scope of said data necessary to be provided in order to provide said services is detailed under the section Services.
Data is processed in case of the following events:
- Registering and signing in
- General data processing connected to online orders
- Signing up for/receiving newsletters
- Handling complaints
- Prize competitions
Manner and legal basis of data processing
The data processing of the company’s activities is based on voluntary consent and statutory authorisation. In case of data processing based on voluntary consent, the users can withdraw said consent at any point of the data processing.
In certain cases, the processing, storing and forwarding of a certain scope of the provided data is facilitated by law. In these cases clients are informed separately.
We would like to bring the attention of anyone providing data to the company that in case they do not provide their own personal data, they are obligated to get the user’s consent. The user guarantees that the permission from the natural person was lawfully obtained regarding the processing of the personal data of said natural person provided while using the services (i.e. publishing content generated by the user etc.). As for all the user content uploaded and shared via the services, all responsibility lies with the user.
When providing their email address and any information during registration (i.e. email address, password etc.) the user agrees to be the only one using the services from the provided email address and information.
All responsibility concerning the usage of the provided email address and/or any data when signing in lies with the user who registered the given email address and provided the data.
The principles of data processing align with the regulations on data protection in force, namely with the following:
Act CXII of 2011 on information self-determination and freedom of information
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing 95/46/EC (General Data Protection Regulation)
Act V of 2013 on the Civil Code
Act C of 2000 on Accounting
Act LIII of 2017 on stopping and preventing money laundering and terrorist financing
Act CCXXXVII of 2013 on Credit institutions and Financial Enterprises
Data processing is based on the voluntary declaration of users according to adequate information, which declaration includes the explicit consent of users about the use fo their personal data and the personal data generated abut them while using the website. The user is entitled to withdraw said consent at any point in case of data processing based on the user’s consent, which does not concern the legality of data processing prior to the withdrawal.
Forwarding data to data processors defined in present policy can be done without the separate consent of the user. Forwarding data to a third party or authority, unless the regulation commands otherwise, can only be done upon the authority’s decision or the explicit and preliminary consent of the user.
Data controllers handle personal data according to the principles of good faith, fairness and transparency and the regulations of present policy.
The personal data necessary for using the services are only used by data controllers based on the consent of the user concerned and exclusively for said purpose.
Data controllers only process personal data for purposes defined in present policy and the relevant regulations. The scope of the personal data processed is in proportion with the purpose of data processing and may not go further.
In all cases when the data controller wishes to use the personal data for a purpose different from the aim of the original data collection, they inform the user and get preliminary and explicit consent and provide the possibility to prohibit the use of data.
Data controllers do not monitor the provided personal data. The responsibility for the conformity of the provided personal data exclusively lies with the person providing it. Personal data of persons under 16 can only be processed with the consent of the person of legal age practicing parental control. The data controller is not entitled to monitor the person’s entitlement and the content of their declaration, meaning that the user or their legal guardian guarantee that the consent meets the regulations. In the absence of a declaration of consent, the data controller do not collect personal data about users under 16, except for the IP address used when using the services, as it is recorded automatically due to the nature of internet services.
Except for external service providers, data controllers do not forward personal data processed by them to third parties, except for the data processors defined in present policy and in certain cases referred to in this policy.
An exception from the regulation defined in present section is the use of statistically aggregated data which does not include any data suitable for the identification of the user concerned and consequently cannot be considered as data processing or data forwarding.
In certain cases (official juridical or police request, legal procedure about copyright, property or other infringement or on the basis of reasonable suspicion the damage of the data controllers’ interest, the undermining of the insurance of services etc., data controllers can make the available personal data from the user concerned accessible for a third party.
The system of the data controllers can collect data on the activity of users which cannot be connected to any other data provided during registration or data created when using other websites and services.
Data controllers are obligated to inform the user or anyone previously forwarding personal data for the purpose of data processing in case of modifying, limiting or deleting the personal data processed by them. This communication might be dispensable in case it does not infringe the legitimate interest of the concerned in regards to the purpose of the data processing.
Having regard to the GDPR, data processors are not obliged to assign a data protection officer.
Scope of processed personal data
When the user visits the website, the system of the company automatically records the user’s IP address. The IP address of the user when entering the website is recorded in connection with providing the service and with regards to the data collector’s legitimate interest and to legitimately providing the service (i.e. illegal usage or filtering illegal content) without the separate consent og the user.
Data does not have to be provided for using, browsing or editing the website.
In case the user purchases a product on the website, the company processes the following data in order to meet the contractual obligations: date of purchase, quantity of product(s) purchased, price of product purchased, automatically generated identification number.
Based on the explicit and voluntary consent of the user and by using cookies, the company processes the user’s personal qualities, preferences and interests in an automated manner.
In case the user requests the delivery of the purchased product, the company processes the following data in order to deliver accurately and prepare an invoice: name, postal code, city, street, house number, billing name, billing address, purchase price, product quantity, phone number.
The company choses and operates information technology tools to process data during providing the service to ensure:
- That the processed data is available everyone who entitled to access it (availability)
- The authenticity and the authentication of the processed data (authenticity)
- That the integrity of the processed data can be verified (integrity)
- That the processed data is protected from illegal access (confidentiality)
The company protects the data with the appropriate measures from illegal access, modification, forwarding, publication, deletion or accidental destruction.
The company protects the safety of the data processing with technical and organisational measures that provide an appropriate level of protection against risks arising in connection with data processing.
During data processing, the company maintains:
- Confidentiality: it protects the information so only those who are eligible can access it
- Integrity: it protects the punctuality and intactness of the information and the method of processing
- Availability: it ensures that the requested information and the necessary tools are available whenever legitimately requested
Information on certain individual data processing procedures
Registration and signing in
The party concerned is the user voluntarily registering at the website or connecting their Facebook account with it. Registration is not obligatory for using the website, however if the user registers, the previously edited product can be saved and the user can later return to it, without having to restart the editing process or to provide their personal data again to the company.
Upon registration the following data is recorded: name, email address, password, country of residence. Providing this information is mandatory and the aim of processing this data is providing the service, enabling users to edit on the website in a more convenient manner, display personalised content and advertisements, prepare statistics, identify the user when signing in again and making the ordering process more convenient.
The data provided by users while using the service can be used by the data controller to create user groups and display targeted content and/pr advertisements for the user groups on the website.
In case the user orders a product after registration, after the consent of the user the system records the delivery and billing information, namely the name, delivery address (country, postal code, city, street/public area, house number, floor, door) and the billing name and address (country, postal code, city, street/public area), house number, floor, door).
The legal basis of the data processing is point A) of paragraph (1) of Article 6 of the GDPR and point A) of paragraph 5. § (1) of the INFOTV in accordance with paragraph 13/A. § (4) of the EKTV and paragraph 6. § (5) of the GRT.
Duration of data processing: until the user withdraws their consent. The user can end their registered status at any point, free of charge. If the user unsubscribes, their personal data connected to the registered status is being deleted without undue delay.
Signing in with Facebook: in case the user decides to connect their Facebook account with the website (facilitating the purchase of a product), the company can process the following personal data of the user besides the above-mentioned data: Facebook profile name, Facebook profile URL, Facebook profile ID, Facebook profile picture, Facebook email address, address displayed on Facebook, gender displayed on Facebook, birthday, introduction and website URL.
In this case, the personal data (IP address, user name, email address) is forwarded to the external service provider. These external service providers collect, handle and forward the personal data according to their own data protection principles.
The external service providers collaborating with the company to facilitate the registration and signing in and to provide advertisements:
-Facebook Inc: 1601 S. California ave, Palo Alto, CA 94304 USA. (https://www.facebook.xom/policies/cookies)
-Google Inc: 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. (https://policies.google.com)
With the help of Facebook Pixel, a report is made on the website about the conversions, target audiences can be assembled and the company receives detailed analytical data about the website usage. This enables the social network to map out the user habits and display targeted and personalised offers and advertisements for them via Facebook.
General data processing in connection with online orders
The concerned party in this case is the user using the website and the webshop of the company and ordering a product from the webshop with or without registration.
The aim of the data processing: purchasing via the webshop, ordering, preparing an accounting document, completing the order, documenting the purchase and the payment, completing accounting obligations, delivering the product.
The personal data provided with the purpose of making a purchase on the website is only processed with the aim of creating and completing a contract between the company and the user.
The legal basis of the data processing is paragraph 13/A § (1) -(3) of the EKTV and point B) of paragraph (1) of Article 6 of the GDPR.
The user needs to provide their personal data in order to purchase the chosen product. Without the personal data, the company is not able to process the order and the contract with the user cannot be drawn up.
Scope of processed data: Order number, date, time, name, address, phone number, email address, the edited, individual product, its quantity, price, colour, chose payment, billing and delivery method and information, IP address of last sign-in, time of last sign-in.
Duration of the data processing: the company only stores the personal data of the user until the completion of the contract, except if a regulation further requires the storage of the user data with the purpose of providing data to authorities (i.e. tax authorities). The storage of data for a determined time for example is prescribed by the Accounting Act (according to paragraph 169. § (2) of the Accounting Act, the accounting documents directly or indirectly confirming the bookkeeping accounting have to be stored for 8 years) or legal disputes in connection with the completion of the contract.
The legal basis of storing the user’s personal data according to legal obligation and forwarding it to authorities is point C) of paragraph (1) of Article 6 of the GDPR and point B) of paragraph 5. § (1) of the INFOTV, with attention to the content of paragraph 13/A § (1) of the EKTV.
Data processing in connection with delivery
If the user enters into a contract with the company, and does not choose to pick up the product in person but to have it delivered, the company forwards the following data to the logistics service providers so they can deliver the product ordered by the user.
The party concerned: the user to whom the company delivers the ordered product to the address provided.
The scope of data processed: name, address, email address, phone number, package number, package value, chose payment and delivery method, sum of COD, billing name and address, any further information provided in connection with availability at the given address and any additional information that might have been provided to the company in the comment section (different name on doorbell etc.)
Aim of the data processing: completing the orders, documenting the purchase and the payment, completing accounting obligations.
The legal basis of the data processing is point B) of paragraph (1) of Article 6 of the GDPR, with attention to paragraphs 13/A § (1) -(3) of the EKTV.
Duration of data processing: based on paragraph 169. § (2) of the Accounting Act it is 8 years.
Recipients of the data transfer: in case of delivery the above data is forwarded to the courier service/company.
The legal basis of the data transfer are paragraphs 13/A § (1) -(3) of the EKTV and paragraph 6. § (5) of the INFOTV, with attention to point B) of paragraph (1) of article 6 of the GDPR.
Logistics service providers: they only store the data until the ordered products are delivered, except if a regulation obligates the logistics service provider to further store the user data with the purpose of providing data to the authorities (i.e. tax authorities).
The contracted courier service at the time of present policy entering into force is GLS.
Data processors applied in connection with electronic billing
The personal data and ordering information provided upon registration or ordering is forwarded by the company to FCM-ADÓBOX Kft. for preparing electronic invoices and storing said invoices.
They handle the personal data according to their own data protection and data processing guidelines.
The parties concerned are those users who purchase a product and those users who request an electronic invoice of their order.
Scope of data processed: name, email address, billing name, billing address, order ID, price and quantity of products ordered.
Aim of the data processing: completing the billing obligation of creating an invoice in connection with completing the contract.
Legal basis of the data processing: paragraphs 13/A § (1) -(3) of the EKTV, paragraph 6. § (5) of the INFOTV, with attention to points B) and C) o paragraph (1) of article 6 of the GDPR
Duration of data processing: based on paragraph 169. § (2) of the Accounting Act it is 8 years.
Subscription to and sending out the newsletter
Subscription to the newsletter is possible when registering. In case the user subscribes to the newsletter, the personal data provided for this purpose is only used for delivering the newsletter to the use’s email address, given that the user perviously gave consent to the data processing.
The newsletter contains direct marketing elements and advertisements.
Scope of data processed: email address, name, consent to receive direct marketing content, date of consent, theme from previous purchases, method of receipt used, analytical data in connection with sending and delivering messages (i.e. date and time of sending and opening the message, clicking on the link in the message).
Aim of the data processing: sending out newsletters to interested users with economical advertisements, displaying marketing messages, providing up-to-date information about the news ands discounts in connection with the products and services offered y the company, direct marketing-related contacts, communication.
The company only processes the data provided by the user when subscribing to the newsletter.
The legal basis of the data processing is point A) of paragraph (1) of article 6 of the GDPR and point A) of paragraph 5. § (1) of the INFOTV, in accordance with paragraph 13/A. § (4) of the EKTV and paragraph 6. § (5) of the GRT.
Duration of the data processing: the personal data provided by the user when subscribing to the newsletter is only stored until the user unsubscribes from the newsletter or requests to be taken off the newsletter list via email or post.
In case of unsubscribing, the company will not contact the user with newsletters or offers anymore. The user can unsubscribe from the newsletter at any point and can withdraw their consent. If the user unsubscribes, their personal data is being delated without undue delay.
The company does not collaborate with external providers for operating the newsletter system.
The party concerned is the user who files a complaint to the company in connection with a service provided by the company.
Scope of processed data: order ID, name of purchaser, address, email address, phone number, name of product, price of product, date of purchase and filing of complaint, description of complaint, purchaser’s classification as a consumer, demand of the purchaser on how to handle complaint.
Aim of the data processing: handling complaints regarding services offered by the company.
Legal basis of the data processing: point (A) of paragraph 5. § (1) of the INFOTV with attention to paragraphs A 6. § (5) and (6) in accordance with paragraph 13/A. § (1) of the EKTV and paragraph 17/A. § of the FGYTV.
Duration of the data processing: based on paragraph 17/A. § (7) of the FGYTV it is 5 years from the date of preparing the minutes.
Prize competitions (drawing, voting)
The rules of data processing is determined by the company individually for each prize competition, campaign organised with a third party or any other data processing events according to the characteristics of the given event.
In order to provide personalised services, the company places a small data package (aka. cookie) on the user’s computer. The aim of the cookie is to optimise the operation of the site and improve the user experience. The user can delete the cookie from their computer and set their browser to ban all cookies. By blocking the cookies, the user agrees to using the site with non-optimal operation.
The website uses information packages (cookies) on the user’s device by the web server in case the user gives consent when starting browsing the site. These information packages collect data, remember the visitor’s individual settings, prevent data loss and therefore are applied for instance when using online shopping bags and in general make the use of the website easier for the visitors.
In case the web browser used by the user sends back a previously saved information package, the operating service provider has the possibility to connect the most recent visit of the user with previous visits.
Absolutely necessary session cookies
The aim of these cookies is to ensure a seamless and complete browsing experience for users when visiting www.ourstory.hu and let them use its features and the services available there. The validity of these cookies lasts until the end of the session (browsing), once the browser is closed, these cookies are automatically deleted from the computer or any other device used fog browsing.
Links redirecting to other websites
The website can contain links redirecting to other web pages. The company does not hold responsibility for the cookies/tracking technologies for other websites.
Cookies placed by third party (Analytics)
The site www.ourstory.hu uses the cookies of Google Analytics as a third party on their website. With the statistic service of Google Analytics, www.ourstory.hu collects information on how users use websites. The data is used with the aim of improving the website and the user experience.
These cookies also remain on the visitor’s computer or other device used for browsing until they expire or the user deletes them.
The company also uses the service provided by Google called Google Conversion as a client of Adwords. Google Adwords displays the pages of the website on Google’s advertising space. When the visitor enters the website by clicking on a Google ad, Google Adwords places a cookie (conversion cookie) on the device of the user. This cookie expires after 30 days.The company does not use the cookie to identify users. Until the cookie is valid, external service providers such as Google uses these cookies to have data on if the user previously visited the website of the advertiser and based on this it displays ads for the user on websites of external service providers, including Google. Every Adwords client gets a different cookie. The cookies therefore cannot be tracked via the websites of the Adwords clients. Based on the information collected by the conversion cookie, they prepare conversion statistics for the Adwords clients requesting conversion tracking. Adwords clients can see how many users clicked on their own ad and were redirected to a given page with the help of the conversion identifier. The user can block Google’s cookies on the page where Google ads can be turned off (by blocking cookies from googleadservices.com).
By using Google Search Console, the company can follow and maintain the website’s presence among Google search results.
The company uses Google Tag Manager which offers a great opportunity to use scripts and tags (marketing and analytical tags) on websites. This includes for instance: Google Analytics tracking code, Analytics events, Facebook pixel code, Adwords conversion code or any code used in email marketing which for example displays a pop-up. Moreover, cookies can be set and read with the help of the Tag Manager as well.
User rights and practicing the rights
Right to information
The user can request information on the use of their personal data and can ask for the correction of their personal data or, except for the mandatory data processing, request the deletion, withdrawal of the data and can practice the right to carry data or object it in a manner described at the data recording or in a recorded letter or via email sent to firstname.lastname@example.org. If the information is requested via letter, the company only regards it as authentic and legal if the user can be clearly identified based on the request sent in. Requests sent via email can only be regarded authentic if they were sent from the registered email address of the user.
User’s right to access
The user has the right to receive feedback from the data controller about whether their data is being processed and in case it is being processed, they have the right to access personal data and the following information:
- the aim of data processing
- the categories of the personal data processed
- recipients or categories of recipients who received or will receive the personal data, specifically third world recipients and international organisations
- if applicable, the planned duration of storing the personal data, if not applicable, the aspects of defining the duration
- the user’s right to request the data controller to correct, delete or limit the use of their personal data and to object the use of their personal data
- the right to submit a complaint to a surveillance authority
- if the data was not collected about the user, all the available information on its sources
- the automated decision making mentioned in paragraph (1) and (4) of article 22 of the GDPR, including profile creation and in these cases at least the applied logic and understandable information on what significance the data processing has and what consequences it might have regarding the user (Article 15 of the GDPR)
The data controller provides the information within one months of submitting the request.
Right to rectification
The company corrects the personal data if it is incorrect and correct personal data is available.
The user has the right to request the modification of their incorrect personal data without undue delay. Taking the aim of the data processing into consideration, the user has the right to request the completion of incomplete personal data, among others, via a complementary declaration (Article 16 of the GDPR, Right to rectification)
Right to deletion
The user has the right to request the data controller to delete their personal data without undue delay and the data controller must delete their personal data without undue delay in case any of the following reasons justify it.
- there is no need to keep the personal data it was originally collected or processed for
- the user withdraws their consent providing the basis of data processing and there is no other legal basis for the data processing
- the user objects the data processing and there is no priority legal reason for the data processing or the user objects the data processing
- the personal data was processed illegally
- the personal data has to be deleted according to the legal obligation of EU or member state law
- the personal data have been collected in relation to the offer of information society services (Article 17 of the GDPR)
Deletion of the data cannot be initiated if the data processing is necessary:
- for the freedom of speech and practicing the right to information
- for fulfilling obligations according to EU or member state law on controlling personal data that apply for the data controller or completing a task for public interest or in the framework of exercising of official powers as a public authority
- in connection with public health, for archiving, scientific or historical research or for statistical purposes, according to public interest
- for the proposal, validation or protection of legal claims
Following the deletion of public data upon demand, the previous deleted data cannot be restored.
The company will make all reasonable technical steps in order to inform data controllers and data processors about the user requesting the deletion of their personal data.
Right to restriction data processing
If the data processing falls under a restriction, the personal data besides storage can only be processed with the consent of the user or for the proposal, validation or protection of legal claims of their or of any other natural or legal person or for the important public interest of the European Union or a member state.
The user can request the company to limit the processing of their personal data if the user debates the accuracy of the processed data. In this case the duration of the restriction is the time period while the data controller reviews the accuracy of the personal data. The company marks the personal data processed by them if the user debates the accuracy or correctness of the data but the inaccuracy of the debated personal data cannot be clearly assessed.
The user can request the company to limit the processing of their personal data if the data processing is illegal but the user is against the deletion of their personal data and requests the restriction instead.
Moreover, the user can also request the company to limit the processing of their personal data if the purpose of the data processing is completed but the user requests the company to process their data for the proposal, validation or protection of legal claims.
If the data processing is necessary for the validation of the legitimate interest of the data controller or a third party and the user objected this, upon demand the duration of the restriction is the time period while it is being assessed whether the legitimate reasons of the data controller prevail over the legitimate reasons of the user (Article 18 of the GDPR).
Right to data portability
If the data processing was completed with the consent of the user or the data processing is necessary for the completion of a contract where the user is one of the participating parties or the data processing is necessary to complete steps requested by the user prior to the creation of the contract or in connection with the processing of special data defined by law, the user can request the data controller to hand over and/or forward their personal data processed by the data controller in an automated manner to another data controller in an automated manner and in a segmented, widely used and machine readable format if it is technically feasible (Article 20 of the GDPR).
Right to objection
The user can object their data being processed if the data processing is only necessary for meeting a legal obligation only concerning the data processors or for validating legal claims by the data controller or a third party or if the aim of the data processing is direct marketing, public survey or scientific research or if the data processing is completed as part of performing a task carried out in the public interest.
The data controllers examine the legality of the user’s objection and if the objection is assessed as valid, the data processing is terminated and the personal data is blocked. Moreover, every party concerned in addition to all parties the data was perviously forwarded to is informed about the objection and the measures taken.
Automated decision making in individual cases including profiling
The user can request not to be included in automated data processing including profiling that would legally affect them or similarly significantly affect them in any other way.
Above right cannot be applied if the data processing is
- necessary for the creation or completion of the contract between the user and the data controller
- enabled by EU or member state law concerning the data processor that also establishes the measures to be taken for the freedom and protection of the user’s legitimate interest
- based on the explicit consent of the user (Article 22 of the GDPR).
Right to withdrawing
The user has the right to withdraw their consent at any time.
Right to turning to court
In case the user’s rights have been violated, the user can file a complaint against the data controller at court and receive priority treatment of the case.
Public proceedings in connection with data protection
Complaints can be filed to the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: 1530 Budapest Pf.:5
Fax: 0613911410 8
This policy enters into force on 25 April 2018.
is not life,
but I think
it can be a way
back to life.