Data Protection Notice
for online shopping
For purchasing through http://www.mebiotic.com you are requested to submit personal data which we process on the legal base of:
(Hungarian) Act CXII of 2011 on the Right of Informational Self-Determination and on the Freedom of Information (hereinafter referred to as the Info Act);
(EU) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (or: General Data Protection Regulation, hereinafter referred to as GDPR);
(Hungarian) Act CVIII of 2001 on certain issues of electronic commerce activities and information society services (hereinafter referred to as E-comm Act);
(Hungarian) Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity (hereinafter referred to as Adv Act);
(Hungarian) Act C of 2000 on accounting (hereinafter referred to as Acc Act);
(Hungarian) Act CXXVII of 2007 on Value Added Tax (hereinafter referred to as VAT Act);
(Hungarian) Act V of 2013 on the Civil Code (hereinafter referred to as Civil Code);
(Hungarian) Act CLV of 1997 on Consumer Protection (hereinafter referred to as CP Act) and
(Hungarian) Act CLIX of 2012 on Postal Services (hereinafter referred to as Post Act)
According to the acts referred we hereby inform you of our practises of processing personal data and of your rights related thereto.
1. IDENTITY OF DATA cONTROLLER
Laszlo Borocz phone: +447435644444
e-Mail: email@example.com (hereinafter: ‘Data Controller’)
Data Controller defines the scope of data required for online shopping at mebiotic.com. Moreover Data Controller determines the type, duration and purposes of data procession according to section 3-4.
2. PROviding personal data is based on your voluntary consent
You are not obliged or to provide any information but ordering products from the webshop is conditioned to the provision of certain personal data.
3. Scope of managed data, purpose and duration of data management
User can order product on Data Controller’s website after registration and login.
Registration and login can be completed with a user account generated via the website.
|Managed data||Purpose of data management||Duration of data management||Legal basis of data management|
necessary: e-mail; phone-number; name
necessary: surname; first name; phone-number; address: country; postal code; city; street; street number
|online supply of goods;
documentation of purchasing and payments; fulfilment of accounting obligation; identifying users as customers, interaction with customers; completion of service or product orders; invoicing; providing opportunity for online payment; filtering potential misuses and impositions in the course of online payments.
|until fulfilment of the contract;
until the withdrawal of consent by the customer, in the absence of that: Data Controller deletes all data in 5 years after the purchase according to section 6:22. of the Civil Code of Hungary.
Should Data Controller be obliged to retain the data in accordance with the Act on Accounting, data will be deleted 8 years after the termination of the user account, regardless of the data subject’s consent.
Data subject’s consent to data processing can be withdrawn any time by an email sent to firstname.lastname@example.org .
|for online purchase: data subject’s consent, according to Info Act 5.1.(a) and GDPR 6.1.(a) furthermore completion of contract according to GDPR 6.1.(b)
for documentation of purchase and payment, fulfilment of accounting obligation, invoicing and recieving the payment: fulfilment of legal obligation, according to GDPR 6.1.(c); Acc Act 169.2. and VAT Act 169.
for identification of users as customers; interaction with customers and completion of service or product orders: data subject’s consent according to Info Act 5.1 and GDPR 6.1.(a) furthermore completion of contract according to GDPR 6.1.(b)
for filtering potential misuses and impositions in the course of online payments: legitimate interests, according to GDPR 6.1.(f)
|Personal data according to complaints
a) customer’s name and address;
b) place, date, time and way of submitting the complaint;
c) detailed description of the complaint, a list of documents and other supporting evidences provided by the customer;
d) Data Controller’s statement on the status of complaint – in the event prompt investigation is possible;
e) Signature of the customer and the person drawing up the report (except for complaint has been submitted via email or phone);
f) place and date of drawing up the report;
g) a unique complaint identification number.
|Investigation and documentation of complaints provided by email (email@example.com) or telephone customer service and/or investigating records in complaints book in order that Data Controller may have a good overview on requests and comments according to his activity
Entire communication is archived so information are available in their original form in the event of follow-up questions or dispute and data controller is enabled to contact customer according to the issue.
|Data Controller is obliged to retain the report of complaint and a copy of his reply to the complaint for 5 years, and present them to the supervisory authorities when requested.
Should Data Controller be obliged to retain the data in accordance with the Act on Accounting, data will be deleted 8 years after the complaint, regardless of the data subject’s consent.
|for manageing complaints: data subject’s consent, according to Info Act 5.1.(a) and GDPR 6.1.(a) furthermore completion of contract according to GDPR 6.1.(b) and fulfilment of legal obligation, according to GDPR 6.1.(c) and CP Act 17/A|
4. PEOPLE WITH ACCESS TO THE DATA
Personal data provided by users are available to Data Controller’s employees. Furthermore the Data Controller may transfer data for the purposes of case management and data processing to Data Controller’s System Administrator and Data Processors named in this notice.
5. transferring data
5.1. In accordance with online purchase as a purpose of data procession, data collected according to purchases and payments via the internet will be transferred through the network of Metro Bank UK, with the purpose of financial implementation, transaction-security and the traceability of transactions. Scope of transferred data: surname, first name, delivery address, billing address, phone-number, e-mail address, payment transaction data.
5.2 In the event of delivery name, address and the value of order will be transferred to the following service providers:
a) DPD LOCAL, UK 01212750500
b) PARCEL FORCE WORLDWIDE EXPRESS, UK 03448004466
c) UPS , UK 0345787787
d) TNT , UK 0800100600
5.3. Except for the foregoing, your data will not be transferred for third persons without your prior informed consent or without it being required by legislation.
5.4 In the course of or according to data processing detailed in this notice your data shall not be transferred to third countries or to international organisations.
6 data security measures
Data Controller is obliged to ensure security and confidentiality of data. Moreover he shall implement appropriate technical and organisational measures and develope the procedural rules that ensure that the collected, stored and processed data will be protected. Furthermore he shall protect them from erasure, unauthorised or fraudulent use and unauthorised or fraudulent changes. Moreover Data Controller shall draw the attention of the third persons that recieve transferred data that they are obliged to fulfil data security requirements.
Data Controller shall ensure that unauthorised persons shall not access, disclose, publish, transfer and/or modify or delete processed data.
Data Controller shall use his best efforts to protect data from any damage or destruction. Data Controller imposes the same obligations to his employees concerned into processing data and the data processers acting on his behalf.
7. communication of personal data breach to a data subject
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach in clear and plain language to the data subject without undue delay.
The communication to the data subject shall not be required if any of the following conditions are met:
(a) the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
8. Rights Of and legal remedies for data subjects
In addition to rights according to the use of records, data subjects can also excersise their following rights in connection with the data processing according to this notice:
Rights of information and access to of the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy referred to in previous paragraph shall not adversely affect the rights and freedoms of others
Rights described above can be exercised via the availabilities given in section 1 of this notice.
Right of rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’):
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
(c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data processing is related to direct marketing.
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services.
Erasure of data can not be obtained to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest;
(c) for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
(d) for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(e) for reasons of public interest in the area of public health when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
(f) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(g) for the establishment, exercise or defence of legal claims.
Right to restriction of processing:
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to processing pursuant to Data Controller’s compelling legitimate interests or public interest for the processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted as indicated above , such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing as indicated above, shall be informed by the controller before the restriction of processing is lifted.
Right to data portability:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
In exercising his or her right to data portability as indicated above, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right to data portability shall be without prejudice to the right to erasure (‘righ to be forgotten’) That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The exercise of the right to data portability shall not adversely affect the rights and freedoms of others.
Right to object :
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her if the data process was carried out in public interest or in the exercise of official authority vested in the controller, or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on provisions mentioned above. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Where personal data are processed for scientific or historical research purposes the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Right to withdrawal:
The data subject shall have the right to withdraw his or her consent at any time where processing is based on consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Procedure according to data subject’s request
The controller shall provide information on action taken on a request according to the exercise of the rights recognised in this notice without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Such information shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
9. Processing data
Data Controller entrust Data Processor named in this notice for processing data. Data Processor shall not make autonomuos decisions and can act solely in accordance with the contract and with the instructions of the Data Controller. Data Controller controls the entire activity of Data Processor. Data Processor is enabled to use or employ or appoint furhter data processors solely with the prior written consent of Data Controller.
|Data Processor||Scope of data processed
Ways he uses personal data (activities exercised for Data Controller)
|Duration of processing/storing data|
|Laszlo Borocz||Operating the website, general IT expert activity, technical support||Open ended service contract
Till termination of contract
|Laszlo Borocz||Accounting, bookkeeping, auditing and tax consulting services.||Till termination of contract Through validity period of legal obligation to reserve invoices|
10 Personal data in accordance with children and third persons
Processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where tthe child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
If the data subject is physically or legally incapable of giving consent, the consent of his or her legal representative, or a different legal base to provide personal data is needed. In this context data provider is obliged to consider if consent of a third person is needed in accordance with providing data subjects personal data. In the event personal contact can not be established between User and Data Controller, liability for convenience with this regulation lies on User. Regardless of this, Data Controller is always entitled to check the appropriate legal basis processing personal data. E. g. User acts on behalf of a third person (e. g. a Customer) Data Controller is entitled to check Users authorisation to provide data according to the transaction on issue.
Data Controller shall use his best efforts to erase all personal data that were provided by any unauthorized person. Data Controller guarantees that if noticed, the data in question shall not be transferred or used. Please inform us immediatelly via our availabilities detailed in section 13 if you learn that personal data of a child by him-/herself or your data by an unauthorized person has been provided to Data Controller.
Any question about your personal data stored in our system or processed by us can be sent to our email address: firstname.lastname@example.org Giving out information according to your personal data can be completed solely after credible identification
We hereby inform you that data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under GDPR.
Data protection officer: Laszlo Borocz, phone: +447435644444
a) any question or remark can be shared with Data Controller via the availabilities given in this notice;
b) data subjects may initiate investigation at the Hungarian National Authority for Data Protection and Freedom of Information (postal address: Pf 5. Budapest, 1530, phone: +36 1 391 1400, e-mail: email@example.com, homepage: www.naih.hu) by reference to effective or probable breach of personal data.; moreover
c) in the event of violation their rights data subjects may bring the matter before the Court of Justice. Case is given prority by the court. It is for Data Controller to prove that processing data was in conformity with the legislations. The case falls within the jurisdiction of the general court. Suit may be – when data subject decides so – initiated before the general court with territorial jurisdiction on his/her habitation or residence.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.