Privacy Policy

 

 

    Name and contact details of the data controller:

 

Name:                 E-SMOG Transform Kft. (hereinafter: the Controller)

Registered seat:     Prohászka Ottokár STREET 11. 1. floor. 4, Székesfehérvár (city) 8000 (ZIP code), Hungary 

Company Registry Number:    07-09-031737

Tax Number:             28987132-1-07

 

Contact details of the Controller:

• postal address:     Prohászka Ottokár Street 11. 1. floor. 4, Székesfehérvár (city) 8000 (ZIP code), Hungary

• telephone:             +36-70 / 365-00-14

• e-mail address:       info@esteni.eu

 

 (In the General Terms of Use, the Controller is mentioned as Service Provider).  

    Definitions

 

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Data Subject: identified or identifiable natural person whom the personal Data concerns.

If your personal Data is processed by us, you ar also a Data Subject!

 

Client:  

any person who enters into a contract with the Controller by accepting the GTC through the Webshop is considered a Client. Clients are allways considered as Data Subjects as well.

 

Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.

Webshop:

 is the collective name of the Websites operated by the Controller (i.e.: esteni.hu, esteni.com, esteni.eu).

 

Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

 

Filing System: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

 

Recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

 

Third party: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

 

Profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

 

Pseudonymisation: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

 

Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

 

Data Protection Law: The GDPR and every other kind of legal regulations, either on the level of European Union or Austrian law.

 

Supervisory Authority: means an independent public authority which is established by a Member State of the European Union pursuant to Article 51 of the GDPR.

 

Supervisory Authority Concerned: means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority.

 

Special Categories of Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

 

Data Concerning Health: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

 

Enterprise: means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

 

Representative: means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of GDPR, represents the controller or processor with regard to their respective obligations under the GDPR.

 

Main Establishment means:  

(a)    as regards a controller with establishments in more than one Member State of the European Union, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; 

(b)    as regards a processor with establishments in more than one Member State of the European Union, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under the GDPR.

 

Cross-border Processing means either:  

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or  

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

GTC:

General terms and conditions of the Controller.

 

    Principles and legal basis of data Processing

 

3.1.    Principles relating to Processing of Personal Data

 

Our company acts in accordance with the following principles when Processing Personal Data:

 

Lawfulness, fairness and transparency

Personal Data is Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.  

 

Purpose limitation

Personal Data is collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes; further Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1) of the GDPR, not be considered to be incompatible with the initial purposes.

 

Data minimisation

The Processed Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

 

Accuracy

The Processed Personal Data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which it is Processed, is erased or rectified without delay.

 

Storage limitation

The Processed Personal Data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the Data Subject.

 

Integrity and confidentiality

The Processed Personal Data is processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures  

 

 

 

Accountability  

The Controller shall be responsible for, and be able to demonstrate compliance with the above mentioned priciples.

 

3.2.    Legal basis of Processing

 

Processing shall be lawful only if and to the extent that at least one of the following applies:  

(a)     the Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes; 

(b)     Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; 

(c)     Processing is necessary for compliance with a legal obligation to which the Controller is subject; 

(d)     Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; 

(e)     Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; 

(f)     Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child. 

 

    Data Processing by the Controller

 

The Controller, in this case our Company, may manage your Personal Data for the following purposes:

 

- In addition to the individual purposes, we also indicate the legal basis of the Processing, the scope of the processed data, and the duration of the Processing.

 

We anticipate that in the case of a legal person's contact person (regardless of the legal basis indicated below), we consider the legitimate interest of the Controller to be the basis of our Processing.

 

    Making contact with our company (the Controller)

 

Scope of Personal Data Processed
    

in case of a natural person: name, telephone number, e-mail address, postal address;

In case of a legal person, the contact name, telephone number and e-mail address of the natural person.

Legal basis of Processing
    

Your consent  

Purpose of Processing
    

The Personal Data is necessary for keeping contact with You (as Data Subject).

Source of the collected data
    

You.

Time period of Processing
    

After finishing the matters You requested, the processed Personal Data will be deleted, unless further data Processing, which is discussed below, takes place.

Consequences of the refusal to provide information
    

You cannot keep contact with our company (the Controller).

 

    Registration in the Webshop

 

Clients can purchase products with or without registration in the Webshop.

 

Scope of Personal Data Processed
    

Name, email address, password, delivery address, billing address, telephone number, date of registration, fact of acceptance of the GTC and this Privacy Policy.

Legal basis of Processing
    

Your consent (as a Client) to create the account. The collection of the billing address is a legal obligation, and the delivery address is required for the performance of the contract in case of an order (and your name is necessary for both previous reasons). Contact details are requested for the mutual legitimate interest of the Parties.

Purpose of Processing
    

The registering Client will be able to order another product later, without re-entering their data, and the data required for invoicing will also be collected.

Furthermore, Clients can display her/his personal experiences with the product only on registration on the relevant subpage of the Webshop.

Source of the collected data
    

You provide the Personal Data during the registration.

Time period of Processing
    

The above mentioned data will be used until your request to cancel your registration.

If you have already purchased a product in the Webshop until the date of the cancellation request, the name and address data required for delivery and invoicing will be deleted after the period prescribed by the tax and accounting legislation in force at the time (8 years after the order).

The contact details may be deleted at the Client's request prior to this, if the Client otherwise wishes to delete his / her registered account.

Consequences of the refusal to provide information
    

If the Client later wants to re-order a product from the Webshop, he must enter all his data again; or in the absence of registration, the Client cannot describe his personal experiences on the relevant subpage of the Webshop.

 

 

    Ordering a product without registration in the Webshop

 

Clients can purchase products without registration in the Webshop.

 

Scope of Personal Data Processed
    

Name, email address, delivery address, billing address, telephone number, number of the ordered product, date of registration, fact of acceptance of the GTC and this Privacy Policy.

Legal basis of Processing
    

The collection of the billing address is a legal obligation, and the delivery address is required for the performance of the contract in case of an order (and your name is necessary for both previous reasons). Contact details are requested for the mutual legitimate interest of the Parties.

Purpose of Processing
    

Firstly, to fulfill the order, secondly to allow invoicing, and thirdly to enable any contact that may be necessary in connection with the order.

Source of the collected data
    

You provide the Personal Data during the order/purchase process.

Time period of Processing
    

The name and address data required for delivery and invoicing will be deleted after the period prescribed by the tax and accounting legislation in force at the time (8 years after the order).

The contact details may be deleted at the Client's request prior to this, if the Client aks for it.

Consequences of the refusal to provide information
    

It is not possible to place an order in the Webshop without entering the data.

 

 

    Redirecting to the payment service provider's page

 

You will be redirected to the website of a credit card payment service provider or Paypal to pay the fee.

 

Scope of Personal Data Processed
    

Data sent by the Controller to the service provider enabling credit card payment:  

    name/client identification code, amount to be paid.

 

After the payment transaction, the Controller will be notified whether the payment has been completed successfully or what parameters were used to set the payment renewal. The service provider enabling credit card payment provides the Controller with the following data:

- amount and date of performance;

- if the payment was unsuccessful, this information.

Legal basis of Processing
    

Necessary to fulfill the order (it is a prerequisite).

Purpose of Processing
    

Payment processing.

Source of the collected data
    

You provide the details on the credit card payment service provider's page.

If You want to pay with Paypal, You need to register and provide data on Paypal’s website.

Time period of Processing
    

The data will be deleted after the period prescribed by the tax and accounting legislation in force at any time (at the time of issuing this Privacy Policy, the period is 8 years after the order).  

Consequences of the refusal to provide information
    

The Client must choose another type of payment method.

 

 

 

 

 

    Payments made via bank transfers

 

As a Client, you can also settle the purchase price of the already ordered product via a bank transfer in advance.

 

Scope of Personal Data Processed
    

The Client’s name, bank account number, account holding bank, amount and date of the transfer, and the notice.

Legal basis of Processing
    

Necessary to fulfill the order (it is a prerequisite).

Purpose of Processing
    

Payment processing.

Source of the collected data
    

You provide the details when You initiate the bank transfer.   

Time period of Processing
    

The data will be deleted after the period prescribed by the tax and accounting legislation in force at any time (at the time of issuing this Privacy Policy, the period is 8 years after the order).  

Consequences of the refusal to provide information
    

The Client must choose another type of payment method.

 

 

    Transfer of Personal Data to the delivery company

 

Scope of Personal Data Processed
    

Client’s name, delivery address and telephone number.

Legal basis of Processing
    

Necessary to fulfill the order.

Purpose of Processing
    

Arranging the delivery of the ordered product.

Source of the collected data
    

You provide the details either when ordering the product or during registration in the Webshop.

Time period of Processing
    

The data will be retained by the Controller for the period described above.

Consequences of the refusal to provide information
    

After ordering the product, it is conceptually excluded, as the product is handed over by an external supplier.

 

 

    Handling invoices

 

Scope of Personal Data Processed
    

Name, delivery address, billing address, e-mail adress, the amount of the ordered product; the purchase price and it’s due date and the payment method.  

Legal basis of Processing
    

Processing is necessary for compliance with a legal obligation (tax regulations) to which the Controller is subject.

Purpose of Processing
    

The Controller is intending to comply with the relevant legal regulations.

Email adress is necessary for sending the invoice.

Source of the collected data
    

You provide the details either when ordering the product or during registration in the Webshop.

Time period of Processing
    

The above data will be deleted after the expiry of the period specified by the tax and accounting legislation in force at any time (at the moment of the issuing of the present Privacy Policy, it is the end of the 8th year after the order).

Consequences of the refusal to provide information
    

Denial of data is conceptually excluded, as invoicing is always preceded by some other act by the data subject in which she provides this data.

 

 

    Keeping contact with the suppliers of the Controller

 

Scope of Personal Data Processed
    

Personal identification data (e.g. name of private entrepreneur, registration number for their identification, tax number), contact details (mailing address, email, telephone number), and in the case of a legal entity, the contact name of the individual and contact details as above; payment details (e.g. bank account number, name of the bank holding the account).

Legal basis of Processing
    

The legal basis is, on the one hand, that the data processing is necessary for the performance of the contract (e.g. payment) and, on the other hand, the fulfillment of a legal obligation, as the  Controller is obliged to preserve the contracts.

Purpose of Processing
    

Fulfillment of contractual obligations (salary, other obligations) and compliance with accounting legislation.

Source of the collected data
    

You (as a supplier partner, subcontractor) specify.

Time period of Processing
    

The above data will be deleted after the period prescribed by the accounting legislation in force at any time. (At the date of publication of this prospectus, this is 8 years after the termination of the contractual relationship / submission of an individual order.

If the contract is not concluded, the recorded data will be deleted by the Controller after the expiry of the offer.

Consequences of the refusal to provide information
    

The contract is not going to be concluded with the supplier or subcontractor.

 

 

    Keeping contact with the suppliers of the Controller

 

Some of the so-called “cookies” collect anonymized statistics, while others are suitable for assessing the personal profile of a website visitor. Clients are informed about the use of the "cookie" in such a way that a warning about the use of the "cookie" is placed on the Controller's website in a visible and clearly visible way, next to which there is a link that can be clicked. Cookies are placed on your computer using the website so that they are saved and stored by your internet browser. The most commonly used internet browsers accept and allow the download and use of cookies by default, but it is up to you to refuse or disable them by changing your browser settings, or to delete cookies that are already stored on your computer.

 

You can find detailed informations in our Cookie Policy avaliable at our website.

 

Scope of Personal Data Processed
    

Some of the cookies collect anonymized statistics, while others are suitable for assessing the personal profile of a website visitor. The information stored by cookies may include (but is not limited to) the type of computer device used to visit the website, information about the internet browser used by the visitor, the information provided by the visitor on the website; advertisements that the visitor viewed, time spent on each subpage, browsing data, exits, etc. Detailed information on this is provided in the cookie information

Legal basis of Processing
    

Your consent.

Purpose of Processing
    

Some cookies are necessary for the proper functioning of the Webshop, others collect anonymized statistics, and there are also cookies that collect data suitable for compiling a personal profile.

Source of the collected data
    

The data is collected according to your habits and transmitted to us by cookies.

Time period of Processing
    

Once downloaded, cookies will be automatically deleted after the period described in the separate cookie policy. It is also possible to delete them manually from the browser. Detailed information on this is provided in the cookie policy.

Consequences of the refusal to provide information
    

Incomplete use of the services provided by the Webshop.

 

    A subpage dedicated to the client experiences with the product

 

The Controller provides Clients with the opportunity to publish their experiences related to the ordered product on a voluntary basis on the dedicated subpage of the Webshop (hereinafter: Subpage).

The Controller wants to draw attention that the post published on the Subpage are visible to every visitor of the Subpage.

 

Scope of Personal Data Processed
    

Client’s name, username, and the experience described by him, as well as uploaded images and videos.

Legal basis of Processing
    

The Client's consent, as the use of the Subpage is on a voluntary basis.

Purpose of Processing
    

making possible to share experiences with the product.

Source of the collected data
    

You providing the data when you post on the Subpage, or upload an image or video.

Time period of Processing
    

Posts on the Subpage are available until the Client who uploads them requires deletion of the post.

Consequences of the refusal to provide information
    

The Client's experience will not be published on the Subpage.

 

    Newsletters

 

You can subscribe to our newsletter at our webpage.

Please note that the following cases do not qualify as a newsletter:

-     if the management of the e-mail address is primarily for the purpose of identifying the Data Subject,

-     or at the time of registration or - in the case of an order - at the time of payment, as well as during the fulfillment of the order and the use of the service,

-     in addition, in the event of a change in the General Terms of Use, our Company may send the information on the change to You in electronic form by e-mail.

 

Scope of Personal Data Processed
    

Name and e-mail adress.

Legal basis of Processing
    

Your consent.

 

Purpose of Processing
    

Making possible to notify You about the new possibilities showned at our Webshop.

Source of the collected data
    

You.

 

Time period of Processing
    

Until You withdraw Your consent.

In case You has made a contract with the Controller, than the cancelling of newsletter sending won’t mean that our Company (the Controller) stops to process Your name and email adress (because processing is compulsory according to the relevant tax regulation).

The Controller draws attention to the fact that unsubscribing from the newsletter cannot be considered in such a way that the Client also requests the termination of the registration of the Webshop. If you intend to do so, please indicate this separately in our system or on the contact details provided above

Consequences of the refusal to provide information
    

We won’t be able to send You newsletters.

 

 

    Complaint handling and warranty service  

 

Scope of Personal Data Processed
    

Client identification (e.g.name), telephone number and e-mail adress, the date of ordering the product, the date of the complaint, the complaint itself, or the warranty the client intends to require; and our Company’s response and the date of the response.

Legal basis of Processing
    

Processing is necessary for compliance with a legal obligation (Client rights) to which the Controller is subject.

Purpose of Processing
    

Complaint handling.

Source of the collected data
    

You provide the data in your complaint or application for warranty.

Time period of Processing
    

The above data will be deleted after the expiry of the period prescribed by the relevant legal regulations concenring Client rights in force at any time (at the issuing of the present privacy Policy, it is 5 years after the closure of the case).

Statistical data (which could not be connected to any Data Subject) can be processed even after the erasure of the complaint itself.

Consequences of the refusal to provide information
    

You cannot make a complaint or apply for warranty/guarantee with the Controller.

 

 

    Organizing a possible sweepstake

 

The Controller reserves the right to organize a sweepstake.

 

Scope of Personal Data Processed
    

Personal identification data (e.g. name, birth name, place of birth, time, address, etc.),

contact details (mailing address, email, phone number).

Legal basis of Processing
    

Your consent by completing the entry form for a sweepstake.

Purpose of Processing
    

The purpose of the Processing is, on the one hand, to enable the drawings of the sweepstakes and, on the other hand, to keep in touch so that our company can deliver the prize to the winner.

Source of the collected data
    

You provide the data when entering into the sweepstake.

Time period of Processing
    

The Processing lasts until the end of the prize draw, within 5 (Five) working days after the end of the prize draw the data processed in this way (except for the winner) will be deleted. The data of the winner will be stored by our Company for the period of time in accordance with the current tax and accounting regulations, and then they will be deleted after the deadline.

Please note that if you have also made a separate contribution to marketing inquiries in the sweepstakes, the information provided in the marketing section will apply to the deletion of your data processed for marketing purposes.

Consequences of the refusal to provide information
    

You cannot participate in the sweepstakes.

 

 

    Satisfaction survey

 

Scope of Personal Data Processed
    

Identification data (eg name, etc.),

contact details (mailing address, email, telephone number).

Legal basis of Processing
    

Your consent by completing the satisfaction survey questionnaire.

Purpose of Processing
    

We may contact you with satisfaction survey questionnaires in order to continuously improve our services.

Source of the collected data
    

You provide the data by completing the satisfaction survey questionnaire.

Time period of Processing
    

Our company deletes the data within 1 year after the survey is included.

Our opinions may continue to use the opinions received in this way, as well as any related data, which cannot be traced back to the given Client and cannot be linked to the Client, for statistical purposes.

Consequences of the refusal to provide information
    

A possible consequence of refusing to provide information is that you will not be able to tell us what you think about our services.

 

 

    Operating a Facebook fan page

 

Scope of Personal Data Processed
    

As a Facebook user, the administrator of the Controller can see the list of fans and followers, and they can see their public profile by clicking on the individuals.

Legal basis of Processing
    

By clicking on the “like” or “Follow” button on our Facebook fan page, You consent to the publication of our Company's news and offers on Your own message board.

Purpose of Processing
    

Increasing the awareness of our Company and publishing our Company's advertising for marketing purposes.

Source of the collected data
    

The Personal Data becomes available to the Controller through your action (“like” or “follow” button and posting, etc.).

Time period of Processing
    

The connection between You and the Controller on the Facebook platform will be terminated if You withdraw your liking / following.

Consequences of the refusal to provide information
    

You will not receive automatic notification of new information posted on our Facebook fan page.

 

For information about Facebook's own privacy practices, see the Privacy Policy of Facebook which can be found at Facebook’s website; at the time of issuing this Privacy Policy, at https://www.facebook.com/privacy/explanation.  

Facebook may continue to manage data relating to your activities on our Facebook fan page after you and the Controller have ceased to be connected to the Facebook platform; Our company, ie the Controller, excludes its own responsibility for the said Processing of Facebook, as we have no influence on this.

 

    Operating an Instagram fan page

 

Scope of Personal Data Processed
    

As an Instagram user, the administrator of the Controller can see the list of fans and followers, and they can see their public profile by clicking on the individuals.

Legal basis of Processing
    

By clicking on the “Follow” button on our Instagram fan page, You consent to the publication of our Company's news and offers on Your own message board.

Purpose of Processing
    

Increasing the awareness of our Company and publishing our Company's advertising for marketing purposes.

Source of the collected data
    

The Personal Data becomes available to the Controller through your action (“like” or “follow” button and posting, etc.).

Time period of Processing
    

The connection between You and the Controller on the Instagram platform will be terminated if You withdraw your following.

Consequences of the refusal to provide information
    

You will not receive automatic notification of new information posted on our Instagram fan page.

 

Instagram is a brand owned by Facebook. For information about Facebook's own privacy practices, see the Privacy Policy of Facebook which can be found at Instagram’s website; at the time of issuing this Privacy Policy, at https://help.instagram.com/519522125107875?helpref=page_content.

Facebook/Instagram may continue to manage data relating to your activities on our Instagram fan page after you and the Controller have ceased to be connected to the Instagram platform; Our company, ie the Controller, excludes its own responsibility for the said Processing of Facebook/Instagram, as we have no influence on this.

 

    Operating a Twitter fan page

 

Scope of Personal Data Processed
    

As a Twitter user, the administrator of the Controller can see the list of fans and followers, and they can see their public profile by clicking on the individuals.

Legal basis of Processing
    

By clicking on the “like” or “Follow” button on our Twitter fan page, You consent to the publication of our Company's news and offers on Your own message board.

Purpose of Processing
    

Increasing the awareness of our Company and publishing our Company's advertising for marketing purposes.

Source of the collected data
    

The Personal Data becomes available to the Controller through your action (“like” or “follow” button and posting, etc.).

Time period of Processing
    

The connection between You and the Controller on the Twitter platform will be terminated if You withdraw your liking / following.

Consequences of the refusal to provide information
    

You will not receive automatic notification of new information posted on our Twitter fan page.

 

For information about Twitter's own privacy practices, see the Privacy Policy of Facebook which can be found at Twitter’s website, at the time of issuing this Privacy Policy, at https://twitter.com/en/privacy#update.  

Twitter may continue to manage data relating to your activities on our Twitter fan page after you and the Controller have ceased to be connected to the Twitter platform; Our company, ie the Controller, excludes its own responsibility for the said Processing of Twitter, as we have no influence on this.

 

    Operating a Youtube channel

 

Scope of Personal Data Processed
    

As a Youtube user, the administrator of the Controller can see the list of fans and followers, and they can see their public profile by clicking on the individuals.

Legal basis of Processing
    

By clicking on the “Follow” button on our Youtube channel, You consent to the publication of our Company's videos at Your own Youtube page.

Purpose of Processing
    

Increasing the awareness of our Company and publishing our Company's advertising for marketing purposes.

Source of the collected data
    

The Personal Data becomes available to the Controller through your action (“like” or “follow” button and posting, etc.).

Time period of Processing
    

The connection between You and the Controller on the Youtube platform will be terminated if You withdraw your following.

Consequences of the refusal to provide information
    

You will not receive automatic notification of new information posted on our Youtube channel.

 

Youtube is a brand associated with Google Inc. For information about Google Inc's / Youtube’s own privacy practices, see the Privacy Policy of Google Inc. which can be found at Google Inc’s website, at the time of issuing this Privacy Policy, at https://policies.google.com/privacy?hl=hu.

Google Inc. / Youtube may continue to manage data relating to your activities on our Youtube channel after you and the Controller have ceased to be connected to the Youtube platform; Our company, ie the Controller, excludes its own responsibility for the said Processing of Google Inc. / Youtube, as we have no influence on this.

 

 

    Processing methods and persons entitled to get to know your data

 

Processing methods may be the followings: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

The CEO of the Controller is entitled to get acquainted with the data in all cases; otherwise, the employee of the Controller who participates in the given work process (taking orders, invoicing or arranging delivery).

 

    Data Transfer

 

Data Transfer is the transfer or making available of Personal Data to a third party (see Definition of Recipient in the Definitions).

The Controller will transfer or make available Personal Data in accordance with the conditions and to the extent set forth in the Data Protection Law. Personal Data may be transferred if

    You gave your consent, or

-     it is necessary for the performance of the contract concluded or to be concluded with You, 

-     the Data Protection Law allows or prescribes it (eg transmission to state Authorities, etc.), or

-     narrowly, if the legitimate interest of the Controller (ie our Company) allows it (eg legal enforcement of a claim, etc).

 

Data Transfer outside of the European Union:

The Controller informs you that you will not transfer your Personal Data outside the European Union, however, in case of payment via Paypal, you will use a payment service provider registered in the USA; using Paypal is not obligatory, but based on Your consent: You can choose a different payment service provider located within the borders of the EU.

When you use our fan subpage of  any social networking site, you use a service provider registered in the United States; these service providers may run the risk of not fully complying with the GDPR (see Schrems II of the European Court of Justice), for which the Controller exclkudes it’s liability for their activity. The use of these services of the Controller is not obligatory for the provision of basic services.

 

    Processors

 

The Controller is entitled to use Processors and to transfer Personal Data to them. We would like to inform You that the transfer of Personal Data to the Processor and the use of it by the Processor does not require previous consent on the side of the Data Subject (You), according to the Data Protection Law. The Processor shall not make a substantive decision concerning processing, and shall process the Personal Data obtained only as a technical task in accordance with the provisions of the Controller, shall not process Data for its own purposes and is obliged to store and preserve Personal Data in accordance with the Controller's provisions. The range of Processors is subject to change, a list of which can be found in Annex 1.

 

 

    Data security  

 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:  

    the pseudonymisation and encryption of personal data;  

    the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;  

    the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;  

    a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.  

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Data security measures are regurarly evaluted by the Controller.

In order to ensure the security of Personal Data, the Controller ensures the security of Processing through internal regulatory, organizational, technical and educational measures.

The Controller uses the technology and procedure for information technology security, e.g.

    security access control, an entitlement management system that limits access to the employee to the extent necessary for the work to be performed,  

    computer ID, password, screen saver, logging, etc.  

    a filter program is used to protect against information technology risk (eg phishing, virus or spyware).  

 

Important notifications:

 

Please note that data transmission over the Internet is not considered to be a completely secure data transmission, therefore the Controller cannot take full responsibility for the data transmission via its Webshop.

 

Please do not share your e-mail adress and password used to log in to the User Interface with anyone.

 

 

    Rights of the Data Subjects (your rights)

 

The provisions stated below in Clause 9.1-9.3. concerns citizens of the European Union.

 

    General rules concerning your rights:

 

The Controller shall provide information on action taken on any request detailed below to You without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by you.

Any communication and any actions taken according to the previous clauses shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.  

The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

If the Controller has reasonable doubts as to the identity of the person submitting the request, he / she may request the provision of additional information in order to establish the identity of the requester beyond a reasonable doubt.

 

 

 

 

 

 

    The list of Your rights:

 

Right of access

 

You have the right to obtain confirmation from the Controller as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:  

    the purposes of the processing;  

    the categories of personal data concerned;  

    the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;  

    where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;  

    the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;  

    the right to lodge a complaint with a supervisory authority;  

    where the personal data are not collected from the data subject, any available information as to their source;  

    information about automated decision-making, including profiling (the Controller does not use automated decision-making or profiling);

    Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards

The Controller shall provide a copy of the personal data undergoing processing – in case you requested it. For any further copies requested by you, the Controller may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, and unless otherwise requested by you, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to rectification  

 

You have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning you.  

 

Right to erasure

 

You have the right to obtain from the Controller the erasure of personal data concerning you without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:  

    the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;  

    you withdraw your consent on which the processing is based and where there is no other legal ground for the processing;  

    you object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing concerning direct marketing;  

    the personal data have been unlawfully processed;  

    the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;  

    the personal data have been collected in relation to the offer of information society services.

 

The Controller is entitled to further process the personal data to the extent that processing is necessary:  

    for exercising the right of freedom of expression and information;  

    for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;  

    for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;

    for the establishment, exercise or defence of legal claims.

 

Right to be forgotten

 

Where the Controller has made the personal data public and is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that you has requested the erasure by such Controllers of any links to, or copy or replication of, those personal data.

 

Right to restriction of processing  

 

You have the right to obtain from the Controller restriction of processing where one of the following applies:  

    the accuracy of the personal data is contested by you, for a period enabling the Controller to verify the accuracy of the personal data;  

    the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;  

    the Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;  

    you have objected to processing pending the verification whether the legitimate grounds of the Controller override those of yours.  

Where processing has been restricted according to the above mentioned causes, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.  

You shall be informed by the Controller before the restriction of processing is lifted.

 

Right to data portability

 

You have the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:  

    the processing is based on consent and  

    the processing is carried out by automated means.  

In exercising your right to data portability, you shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.  

The exercise of this right shall be without prejudice to the right to erasure and shall not adversely affect the rights and freedoms of others.

 

 

 

Right to object

 

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on the legitimate interest of the Controller, including profiling. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of you or for the establishment, exercise or defence of legal claims.  

 

Right to object concerning direct marketing–related processing

 

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

 

The withwdrawal of consent

 

If data processing is based on your consent, you are entitled to withdraw your consent any time.

We want to draw your attention that in case the processing has any other legal ground, the withdrawal does not lead to the cease of data processing.

The withdrawal of your consent does not affect the legality of the data processing before the withdrawal.

 

Automated individual decision-making, including profiling

 

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you. This shall not apply if the decision:  

    is necessary for entering into, or performance of, a contract between you and the Controller;  

    is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or  

    is based on your explicit consent.  

In the cases referred to in the first and third places above, the Controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.  

 

The Controller states that it does not use automated decision-making and profiling at the date of issuing this policy.

 

    Legal remedies

 

Right to an effective judicial remedy against the Controller

 

You have the right to an effective judicial remedy where you consider that your rights under the GDPR have been infringed as a result of the processing your personal data in non-compliance with the GDPR or other legal regulations concerning data protection.

Proceedings against the Controller shall be brought before the competent Austrian court. Alternatively, such proceedings may be brought before the courts of the Member State where the Data Subject has her or his habitual residence.

 

The competent court regarding the Controller:

Fővárosi Törvényszék

Address: Marko Street 27., Budapest (ZIP: 1055), Hungary

Postal address: Post-office box No. 16., Budapest (city), 1363 (ZIP code), Hungary

Phone: +36 1 354 6000

E-mail address: ft.elnokseg@birosag.hu  

 

Right to lodge a complaint with a Supervisory Authority

 

You have the right to lodge a complaint with a Supervisory Authority, if You consider that the processing of Personal Data relating to you infringes the GDPR or other legal regulations concerning data protection.

Supervisory Authority Concerned:

Proceedings against the Controller shall be brought before the competent Austrian Supervisory Authority. Alternatively, such proceedings may be brought before the Supervisory Authority of the Member State where the Data Subject has her or his habitual residence.

 

The competent supervisory authority in Hungary is the „Nemzeti Adatvédelmi és Információszabadság Hatóság”.

Seat: Hungary, 1055 (ZIP code) Budapest (city), Falk Miksa utca 9-11. (adress),  

Postal adress: Hungary, 1374 (ZIP code), Budapest (city), mailbox no.603.

Phone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu  

Webpage: https://naih.hu  

 

We recommend you that before you turn the court or the supervisory authority, file a complaint directly at the Controller.

 

 

    Additional Terms for Californian citizens

 

If you live in the California state of the United States of America, these Additional Terms apply and override any inconsistent terms in the Privacy Policy:

 

9.4.1. The provisions in this Additional Terms are intended to fulfil the requirements of the California Consumer Privacy Act ("CCPA") and shall apply to Clients who are resident in California.

 

To the extent that any terms used in this Privacy Policy and paragraph 2 of the Additional Terms are defined in the CCPA, such definitions shall apply. The term "Personal Data" as used in this Privacy Policy and Additional Terms shall include "Personal Information" as such term is defined in the CCPA.

 

9.4.2. The categories of Personal Data collected by the Controller correspond to the following categories of Personal Information listed in the CCPA:

    identifiers and personal information categories referenced in applicable California law (first and last names, email address, home address, telephone number);

    protected classification characteristics under California or US federal law (age, country of residence).

 

9.4.3. The Controller will not process your Personal Data for purposes which are materially different, unrelated, or incompatible with the purposes set out in the Privacy Policy without providing you notice.

 

9.4.4. The Controller will not disclose and will not sell to third parties the categories of Personal Data listed in Privacy Policy above for a business purpose.

 

9.4.5. Additional rights under the CCPA

 

Users who are resident in California may have the following rights under the CCPA in addition to the rights set out in Section VII. of the Privacy Policy:

 

Access: Once the Controller receives and confirms your verifiable consumer request, the Controller will disclose the following to you:

    the categories of your Personal Data and the specific Personal Data that the Controller have collected;

    the categories of sources from which your Personal Data was collected;

    the Controller’s business or commercial purpose for collecting your Personal Data; and

    the categories of third parties with whom we share your Personal Data, and where such third parties received your Personal Data from the Controller for a business purpose, the categories of your Personal Data that the Controller disclosed to such third parties;

Under the CCPA, you are only entitled to exercise the Personal Data access right set out in this paragraph twice a year.

 

Deletion: Once the Controller receive and confirm your verifiable consumer request, the Controller will (and will direct our service providers to whom we have disclosed your Personal Data to) delete your Personal Data unless an exception under the CCPA applies.

 

To exercise any of the rights set out here, please contact the Controller via the availabilities provided in this Privacy Policy.

 

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Data. The Controller may need to request specific information from you to help us confirm that your request is a verifiable consumer request.

 

9.4.6.    The Controller will not discriminate against you for exercising any of your rights under the CCPA. Specifically, unless permitted by the CCPA, the Controller will not:

    deny you access to services provided on it’s website;

    charge you different prices or rates for the services provided via it’s website, or imposing penalties on you;

    provide you with a different level or quality of services than otherwise generally provided, or

    suggest that you will receive a different price or rate for or a different level or quality of, the services generally provided.

 

 

 

 

 

 

 

 

 

    Amendment of this Privacy Policy

 

The Controller reserves the right to unilaterally amend this Privacy Policy, of which it shall inform the Data Subject accordingly.

 

 

 

15th of December, 2021.

 

 

Appendix:

    List of Processors

Page Break

Appendix No.1.

List of Processors

 

1. / Web Hosting  

Name of data processor: Rackhost Zrt.

Activity of data processing: Web Hosting  

Registered seat: Tisza Lajos boulevard 41. (adress), Szeged (city) 6722 (ZIP code), Hungary.

Company registration number: 06-10-000489

Email: info@rackhost.hu

Phone: +36 1 445 1200

Fax: +36 1 445 1201

The privacy policy of Rackhost Zrt. Is available at this link: https://www.rackhost.hu/privacy-policy  

Scope of data processed: all Personal Data provided by the Data Subject.

Data Subjects: all person who use the Webshop.

The purpose of Processing: to make the Webshop available and to operate it properly.

Duration of the Processing, deadline for deleting the data: it is as described in the above-mentioned privacy policy.

 

2. / Invoices

Name of data processor: KBOSS.hu Kft. (Operator of Számlázz.hu)

Activity of data processing: providing a billing software  

Registered seat: Tisza Lajos boulevard 41. (adress), Szeged (city) 6722 (ZIP code), Hungary.

Company registration number: 01-09-303201

Email: info@szamlazz.hu  

The privacy policy of KBOSS.hu Kft. Is available at this link: https://www.szamlazz.hu/adatvedelem/  

Scope of data processed: all Personal Data provided by the Data Subject.

Data Subjects: all Client who place an order in the Webshop.

The purpose of Processing is to issue an invoice.

Duration of the Processing, deadline for deleting the data: it is based on Section 169 (2) of Act C of 2000 on Accounting, so the data required for invoicing must be kept for 8 years after the order.

 

3. / Accounting

Name of data processor: Jogszerviz Kft.  

Activity of data processing: accounting  

Registered seat: Futó Street 4753. (adress), Budapest (city) 1082 (ZIP code), Hungary.

Phone: 06-20/433-8280

E-mail: info@daskonyveles.hu  

Scope of data processed: all Personal Data in all accounting documents.

Data Subjects: the Controller's Clients and business partners, suppliers.

The purpose of Processing is to comply with relevant law regarding accounting.

Duration of the Processing, deadline for deleting the data: it is based on Section 169 (2) of Act C of 2000 on Accounting, so the data required for invoicing must be kept for 8 years after the order.

 

 

 

 

4. / Delivery of ordered products

Name of data processor: Webshippy Magyarország Korlátolt Felelősségű Társaság  

Activity of data processing: Delivery of ordered products

Registered seat: Ezred Street 2. B building 13. (adress), Budapest (city) 1044 (ZIP code), Hungary.

Email: info@webshippy.hu  

The privacy policy of Webshippy Magyarország Kft. is available at this link: https://webshippy.com/adatkezelesi-tajekoztato/  

Scope of data processed: name, delivery address, telephone number.

Data Subjects: all Client who place an order in the Webshop.

The purpose of Processing: fulfillment of the order.

Duration of the Processing, deadline for deleting the data: it is as described in the above-mentioned privacy policy.

 

5. / Sending newsletters

Name of data processor: Twilio Ireland Limited 

Activity of data processing: sending newsletters

Registered seat: Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland (our EEA headquarters), 

Webpage: https://www.twilio.com/

The privacy policy of Twilio is available at this link: https://www.twilio.com/legal/privacy

Scope of data processed: name and email address of the Data Subject.

Data Subjects: all persons subscribe to the newsletter.

The purpose of Processing: is to send automatized marketing emails.

Duration of the Processing, deadline for deleting the data: it is as described in the above-mentioned privacy policy.

 

6./ Online payment service providers


6./A PayPal (Europe) S.à r.l.

Registered seat: Közraktár u. 30-32. (adress), Budapest (city), 1093 (ZIP code), Hungary

Electronic availability: https://www.paypal.com/hu/smarthelp/contact-us  

Availability of the data prootection officer of Paypal: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxemburg and https://www.paypal.com/hu/smarthelp/contact-us?email=privacy.  

 
The privacy policy of Paypal is available at this link: https://www.paypal.com/hu/webapps/mpp/ua/privacy-full#14.

Scope of data forwarded: name /client identification code, amount of purchase. Paypal may gather other Personal Data from You, if You registered at the application, but those data are collected by them, and not sent by us.

Data Subjects: every client, who chooses to pay via Paypal.

The purpose of Processing: providing online payment service.

Duration of the Processing, deadline for deleting the data: it is as described in the above-mentioned privacy policy.

6./B Stripe

Stripe Deutschland GmbH

Registered Seat: Munich HRB 214074

 Bei Fragen oder Beschwerden bezüglich der vorliegenden Datenschutzerklärung nehmen Sie bitte Kontakt mit uns auf oder senden uns eine E-Mail, wie in unserem Privacy Center angegeben.

Electronic availability: https://stripe.com/en-de/contact

The privacy policy of Paypal is available at this link: https://stripe.com/en-de/privacy

Data Subjects: every client, who chooses to pay via Stripe.

The purpose of Processing: providing online payment service.

Duration of the Processing, deadline for deleting the data: it is as described in the above-mentioned privacy policy.
 

Other recipient:

Hungarian Tax Authority (NAV)

Scope of data processed: every data in bills. Fresh Start
2021 All Rights Reserved, E-SMOG Transform Kft., info@esteni.eu | Datenschutzerklärung (Englisch)
Powered By ClickFunnels.com