DATA PROCESSING

IN SHORT:

  • We collect and process personal data only in compliance with applicable laws.
  • We send DM mails only in the case of specific consent.
  • We may send system messages even without such consent.
  • We store the data in the safest possible way.
  • We disclose personal data to third parties only in the case of consent.
  • Anybody can request information on the data stored about them, or request the deletion of such data, at any time by contacting us.

INTRODUCTION
Königin – Trade Kft. (address: H-5900 Orosháza, Kisszik utca 2., tax number 24262303-2-04; hereinafter: Service Provider or Controller) submits to the following information. Section 20(1) of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Act CXII of 2011) sets out that prior to the start of data processing the data subject (i.e. the website user, hereinafter: user) shall be informed whether such data processing is consent-based or mandatory.

Prior to starting the processing operations, the data subject shall be clearly and elaborately informed of all aspects regarding the processing of their personal data such as the purpose, legal basis and duration of data processing and the person entitled to carry out data processing and control.

The data subject shall also be informed that, as laid down in Section 6(1) of Act CXII of 2011, personal data may be processed also if obtaining the data subject’s consent is impossible or would involve disproportionate costs, and the processing of personal data is necessary

  • for compliance with a legal obligation pertaining to the controller, or
  • for the enforcement of the legitimate interests of the controller or a third party, provided that such enforcement is proportionate with the restriction of the right to the protection of personal data.

The information shall also cover the data subject’s rights and legal remedies with regard to data processing.

If the provision of personal information to the data subject proves impossible or would involve disproportionate costs (as in this case on a website), the obligation of information may be satisfied by the public disclosure of the following:

  a) fact of data collection,
  b) data subjects concerned,
  c) purpose of data collection,
  d) duration of data processing,
  e) possible controllers with right of access to data,
  f) description of the data subject’s rights and legal remedies with regard to data processing, and
  g) the relevant registration number, where the processing operation must be entered in a data protection register.

Based on the above content rule, this data processing information regulates the processing operations of the konigin-trade.com website. The information is available here: en.konigin-trade.com/data-handling/ Any amendment to this information shall enter into force upon its publication at the above hyperlink.

DEFINITIONS (Section 3)
(1) data subject/user means any specified natural person identified or – directly or indirectly – identifiable on the basis of personal data;

(2) personal data means any data attributable to the data subject – in particular, the data subject’s name or identifier and one or more factors specific to their physical, physiological, mental, economic, cultural or social identity – and any conclusion that may be drawn from such data with regard to the data subject;

(3) controller means the natural or legal person or other entity without legal personality which, alone or jointly with others, determines the purposes of data processing, makes and executes decisions concerning data processing (including the means used) or has them executed by an authorised data processor;

(4) data handling means, regardless of the procedure applied, any operation or set of operations which is performed on the personal data such as collection, recording, registration, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, restriction, erasure or destruction, as well as operations aimed at preventing any further use of the data, taking photos, making audio or video recordings and registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);

(5) data processing means the execution of technical tasks relating to data handling, regardless of the place of execution and the method and means used for executing the operations, as long as such technical tasks are performed on the personal data;

(6) processor means the natural or legal person or other entity without legal personality which – under a contract signed with the controller, including contracts to be signed by law – processes personal data;

(7) personal data breach means any unauthorised handling or processing of personal data including, in particular, unauthorised access, alteration, transmission, disclosure, erasure or destruction as well as accidental loss and damage.

REQUEST FOR OFFERS, ADVANCE PAYMENT
(1) Pursuant to Section 20(1) of Act CXII of 2011, in the case of each website order placement and successful receipt the following shall be specified for the data processing efforts associated with payment:

  a) fact of data collection,
  b) data subjects concerned,
  c) purpose of data collection,
  d) duration of data processing,
  e) possible controllers with right of access to data,
  f) description of the data subject’s rights with regard to data processing.

(2) Fact of data collection, type of data and purpose of data processing:

Personal data | Purpose of data processing
First name and last name | Required for contact purposes.
E-mail address | Communication, identification.
Phone number | Communication.
Billing name and address | Issuance of proper invoices, identification of their content.
Shipping name and address | Aid for home delivery.
Date of order placement | Execution of technical operation.
IP address of order placement | Execution of technical operation.

No personal data is required to be included in the e-mail address.

(3) Data subjects concerned: All data subjects handling orders on the website.

(4) Duration of data processing and timeframe for data erasure: Until the case is completed. However, in the case of successful order placement and payment the personal data of accounting documents shall be retained for 8 years under Section 169(2) of Act C of 2000 on accounting.

The accounting documents underlying the accounting records directly or indirectly (including ledger accounts, analytical records and registers) shall be retained for at least 8 years in legible form and shall be retrievable by means of the code of reference indicated in the accounting records.

(5) Possible controllers with right of access to data: Personal data may be handled by the controller in compliance with the above principles.

(6) Information on the data subject’s rights with regard to data processing: The data subjects may request the erasure or amendment of personal data as follows:

– by sending a letter to H-5900 Orosháza, Kisszik utca 2.,
– by sending an e-mail to bolt@konigin-trade.com,
– by calling +36 68 410 666.

(7) Legal basis of data processing: the User’s consent, Section 5(1) of Act CXII of 2011, and Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society (hereinafter: Act CVIII of 2001):

For the purpose of providing the service, the service provider may process personal data considered technically indispensable for providing the service. Should all other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society services at all times with a view to ensuring that personal data be processed only if it is absolutely indispensable for providing the services or achieving any other objectives stipulated in this Act but, even in this case, only to the extent necessary and for the duration required.

MESSAGES AND CONTACTS
(1) Pursuant to Section 20(1) of Act CXII of 2011, the following shall be specified for the data processing efforts associated with sending messages and establishing contacts through the website:

  a) fact of data collection,
  b) data subjects concerned,
  c) purpose of data collection,
  d) duration of data processing,
  e) possible controllers with right of access to data,
  f) description of the data subject’s rights with regard to data processing.

(2) Fact of data collection, type of data and purpose of data processing:

Personal data | Purpose of data processing
Name, e-mail address | Communication, identification.
Date of message | Execution of technical operation.
IP address of message | Execution of technical operation.

(4) Duration of data processing and timeframe for data erasure: Until the case is completed and reply is given.

(5) Possible controllers with right of access to data: Personal data may be handled by the controller in compliance with the above principles.

(6) Information on the data subject’s rights with regard to data processing: The data subjects may request the erasure or amendment of personal data as follows:

– by sending a letter to H-5900 Orosháza, Kisszik utca 2.,
– by sending an e-mail to bolt@konigin-trade.com,
– by calling +36 68 410 666.

(7) Legal basis of data processing: the User’s consent and Section 5(1) of Act CXII of 2011.

HOSTING SERVICE PROVIDER
(1) Activity carried out by the processor: Hosting service

(2) Name and contact details of processor:

Full Hosting: fullhosting.hu
E-mail: info@fullhosting.hu
Phone: +36 30 579 7707

(3) Fact of data collection and type of data: All personal data provided by the data subjects.

(4) Data subjects concerned: All data subjects using the website.

(5) Purpose of data processing: Ensuring the proper functioning of and access to the website.

(6) Duration of data processing and timeframe for data erasure: Promptly upon the deletion of registration.

(7) Legal basis of data processing: the User’s consent, Section 5(1) of Act CXII of 2011, and Section 13/A(3) of Act CVIII of 2001:

HANDLING COOKIES
(1) Pursuant to Section 20(1) of Act CXII of 2011, the following shall be specified for the data processing efforts associated with handling cookies on the website:

  a) fact of data collection,
  b) data subjects concerned,
  c) purpose of data collection,
  d) duration of data processing,
  e) possible controllers with right of access to data,
  f) description of the data subject’s rights with regard to data processing.

(2) Fact of data collection and type of data: Unique identifier, times and dates

(3) Data subjects concerned: All data subjects visiting the website.

(4) Purpose of data processing: Identification of users and follow-up of visitors.

(5) Duration of data processing and timeframe for data erasure: When using session cookies, the duration of data processing ends when the website visit is terminated.

(6) Possible controllers with right of access to data: By using cookies, the controller is not involved in the processing of personal data.

(7) In general, the data subjects are able to remove the cookies under Privacy settings in the browser Tools/Settings menu.

(8) Legal basis of data processing: The data subject’s consent is not required when the sole purpose of using cookies is to carry out the transmission of a communication over an electronic communications network, or when it is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

USE OF GOOGLE ANALYTICS
(1) This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies” which are text files stored on the User’s computer to help analyse the use of the website visited by the User.

(2) In general, the information generated by the cookie about the User’s use of the website will be transmitted to a Google server in the USA and stored there. In case of activation of the IP anonymisation on the website, Google will truncate the User’s IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area.

(3) Only in exceptional cases, the full IP address is sent to and shortened by Google servers in the USA. On behalf of this website’s operator, Google will use this information for the purpose of evaluating the User’s use of the website, compiling reports on website activities for the website operator and providing other services relating to website activity and internet usage.

(4) Google will never associate the IP address forwarded by the User’s browser under Google Analytics with any other data held by Google. The User may refuse the use of cookies by selecting the appropriate settings on their browser; however, we wish to point out that if the User does this, they may not be able to use the full functionality of this website. Furthermore, the User can prevent Google’s collection and processing of the User’s website usage data (including the IP address) obtained through cookies by downloading and installing the browser plug-in available under https://tools.google.com/dlpage/gaoptout?hl=hu

USE OF GOOGLE ADWORDS CONVERSION TRACKING
(1) The controller uses the online ad programme “Google AdWords”, and within its framework it uses Google’s conversion tracking service. Google conversion tracking is the analysing service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

(2) When the User reaches a website via a Google ad, a cookie necessary for conversion tracking is stored on their computer. The validity of these cookies is limited; furthermore, they do not contain any personal data, and thus Users cannot be identified by them.

(3) When the User browses certain pages of the website, and the cookie has not expired, both Google and the controller may see that the User has clicked on the ad.

(4) A different cookie is assigned to each Google AdWords client and therefore it cannot be tracked via the websites of AdWords clients.

(5) The purpose of information obtained with the use of conversion tracking cookies is to prepare conversion statistics for the AdWords clients who opt for the conversion tracking service. This is how clients receive information on the number of users clicking on their ad and forwarded to the website where a conversion tracking tag is installed. However, the clients cannot receive any information which may be suitable for identifying any of the users.

(6) If you do not wish to participate in conversion tracking, you may refuse it by blocking the option to install cookies in your browser. After that you will not be included in the statistics related to conversion tracking.

(7) For further information and Google’s Privacy Policy please visit the following website: www.google.de/policies/privacy/

NEWSLETTERS AND DM ACTIVITIES
(1) Pursuant to Section 6 of Act XLVIII of 2008 on the essential conditions of and certain limitations to business advertising activity, the User may grant their prior and express consent so that the Service Provider contacts them with promotions and other messages by using the contact details given by the User for such purpose.

(2) Taking account of the provisions laid down here, the Client can consent to the Service Provider’s processing of their personal data necessary for sending advertising messages.

(3) The Service Provider will not send unsolicited advertising messages and the User may, at any time, free of charge and without justification, unsubscribe from receiving such messages. In this case the Service Provider will delete all personal data of the User necessary for sending the advertising messages and refrain from contacting the User again with promotions. The User can unsubscribe from promotions by clicking on the link in the message.

(4) Pursuant to Section 20(1) of Act CXII of 2011, the following shall be specified for the data processing efforts associated with sending newsletters:

  a) fact of data collection,
  b) data subjects concerned,
  c) purpose of data collection,
  d) duration of data processing,
  e) possible controllers with right of access to data,
  f) description of the data subject’s rights with regard to data processing.

(5) Fact of data collection and type of data: Name, e-mail address, time and date.

(6) Data subjects concerned: All data subjects signing up to newsletters.

(7) Purpose of data processing: Sending advertisements to the data subjects in electronic messages and providing information on the Service Provider’s or its partners’ updates, products, sales promotions, new functions, etc.

(8) Duration of data processing and timeframe for data erasure: Data processing lasts until the data subject has withdrawn their consent and unsubscribed.

(9) Possible controllers with right of access to data: Employees of the controller may process personal data in accordance with the above principles.

(10) Information on the data subject’s rights with regard to data processing: Data subjects may unsubscribe from newsletters at any time and free of charge.

(11) Processor retained for data processing:

MailChimp
The Rocket Science Group, LLC
675 Ponce de Leon Ave NE
Suite 5000
Atlanta, GA 30308 USA

(12) Legal basis of data processing: the User’s consent, Section 5(1) of Act CXII of 2011, and Section 6 of Act XLVIII of 2008 on the essential conditions of and certain limitations to business advertising activity:

The advertiser, the advertising service provider and the advertising publisher will, to the extent specified in the consent, keep the personal data records of the persons who have given their consent. Personal data (relating to the advertising addressee) kept in such records shall be processed in accordance with and until the withdrawal of the consent, and may be disclosed to third parties only with the prior consent of the person concerned.

SOCIAL NETWORKING WEBSITES
(1) Pursuant to Section 20(1) of Act CXII of 2011, the following shall be specified for the data processing efforts associated with social networking websites:

  a) fact of data collection,
  b) data subjects concerned,
  c) purpose of data collection,
  d) duration of data processing,
  e) possible controllers with right of access to data,
  f) description of the data subject’s rights with regard to data processing.

(2) Fact of data collection and type of data: Name of the person registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, etc. and the public profile picture of the user.

(3) Data subjects concerned: All data subjects who have registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, etc. and have put a “like” for the website.

(4) Purpose of data processing: Sharing, liking and promoting the website or certain website contents, products or discounts on social networking websites.

(5) Duration of data processing, timeframe for data erasure, possible controllers with right of access to data and the data subject’s rights with regard to data processing: Data subjects may refer to the relevant social networking website for information on the source, processing, legal basis and transfer method of data. As data processing is carried out on the social networking websites, the regulations of the relevant social networking website shall govern the duration and manner of data processing as well as the options to erase or modify data.

(6) Legal basis of data processing: the data subject’s voluntary consent to the processing of their personal data on social networking websites.

OTHER DATA PROCESSING
(1) Should any question or problem arise while using our data processing services, the data subjects are encouraged to contact the controller via any means (phone, e-mail, social networking websites, etc.) shown on the website.

(2) All e-mails and messages received or data supplied via phone, Facebook, etc. shall be erased, together with the inquirer’s name, e-mail address and other personal data supplied on a voluntary basis, by the controller within not more than 2 years after the data supply.

(3) As to any data processing not listed here, information will be given at the time of the actual data registration.

(4) In the case of special requests from the authorities or from other bodies authorised by law, the Service Provider shall provide information, disclose and transfer data or make documents available.

(5) In such circumstances the Service Provider shall give personal data to the requesting entity – once it has specified the exact purpose and the data concerned – only to the extent considered indispensable for achieving the purpose of the request in question.

DATA SECURITY (SECTION 7)
(1) The controller shall plan and implement the data processing operations with a view to safeguarding the privacy of data subjects.

(2) The controller shall ensure data security, take the technical and organisational measures and establish the procedural rules that are required for complying with Act CXII of 2011 and implementing other applicable privacy and confidentiality rules.

(3) The controller shall take proper measures to protect the data, particularly against

  • unauthorised access,
  • alteration,
  • transmission,
  • disclosure,
  • erasure or destruction,
  • accidental loss or damage,
  • inaccessibility due to technological changes.

(4) The controller shall use adequate technical solutions to avoid that the data stored in the records can be directly combined and attributable to the data subjects.

(5) In order to prevent any unauthorised access, alteration, disclosure or use of the data, the controller shall make sure to carry out the following:

  • establish and operate an adequate IT and technical environment,
  • select and supervise the employees involved in service provision with special care,
  • issue detailed rules of procedures for operation, risk management and service provision.

(6) In view of the above, the service provider will ensure that the data processed by it shall be

  • available for the authorised entity,
  • authentic and verified,
  • verifiably unchanged.

(7) The IT system of the controller and its hosting service provider shall protect, among others, against

  • IT frauds,
  • espionage,
  • computer viruses,
  • spams,
  • hacking
  • and other attacks.

THE RIGHTS OF DATA SUBJECTS
(1) The data subject may request from the Service Provider information on the processing of their personal data, rectification of their personal data and erasure or blocking of their personal data, except for mandatory data processing.

(2) At the data subject’s request, the controller shall provide information on the data subject’s data handled by it or processed by it or by a processor on the controller’s behalf, as well as on the source of data, the purpose, legal basis and duration of data processing, the name, address and data processing activities of the processor, the circumstances, impacts and preventive measures of personal data breach and – if the data subject’s personal data is transferred – the legal basis and recipient of such data transfer.

(3) If assisted by an internal data protection officer, the controller shall instruct them to keep a record for the purpose of checking the actions taken with regard to any personal data breach and informing the data subject; such record shall include the relevant set of personal data, the number and set of data affected by the personal data breach, the date, circumstances, impacts and preventive measures of the personal data breach as well as any other details required under the legislation on data processing.

(4) The controller shall keep a data transfer record for the purpose of checking the legality of data transfers and informing the data subject; such record shall include the date, legal basis and recipient of the transfer of personal data processed by it, the set of personal data transferred as well as any other details required under the legislation on data processing.

(5) At the User’s request, the Service Provider shall provide information on the data processed by it as well as on the source of data, the purpose, legal basis and duration of data processing, the name, address and data processing activities of any processor, and – if the data subject’s personal data is transferred – the legal basis and addressee of such data transfer. The Service Provider shall provide clear information in writing within the shortest possible time but not later than within 25 days after the date of request. This information shall be provided free of charge.

(6) When the personal data is incorrect, and if the correct personal data is available for the controller, the Service Provider shall rectify the personal data.

(7) The Service Provider shall block and not erase the personal data when the User requests so or when it is clear from the available information that erasure would prejudice the User’s legitimate interests. The processing of any personal data blocked may continue only until the existence of the data processing purpose that excluded the erasure of the personal data.

(8) The Service Provider shall erase the personal data if its processing is illegal, it is requested by the User, the personal data processed is incomplete or incorrect – without any option for legal remedy –, the data processing purpose does not exist anymore, the statutory timeframe for data storage has expired, or the erasure is ordered by the Hungarian National Authority for Data Protection and Freedom of Information.

(9) The controller shall mark the personal data processed by it if its correctness or accuracy is contested by the data subject, but the relevant incorrectness or inaccuracy cannot be clearly established.

(10) Any act of correction, blocking, marking and erasure shall be notified to the data subject and all parties to whom the personal data was previously transferred for data processing. The notification may be omitted if it does not prejudice the data subject’s legitimate interests as to the purpose of data processing.

(11) If the controller fails to comply with the data subject’s request for correction, blocking or erasure, it shall give a written factual and legal justification for refusing the request for correction, blocking or erasure within 25 days after the receipt of the request. When it refuses a request for correction, blocking or erasure, the controller shall inform the data subjects about their options for judicial remedies and recourse to the authorities.

REMEDIES
(1) The User may object to the processing of their personal data

  a) when the processing or transfer of personal data is required only for complying with the Service Provider’s legal obligation or for enforcing the legitimate interests of the Service Provider, data recipient or third parties, unless the data processing is mandatory under law;
  b) when the use or transfer of personal data is carried out for the purposes of direct marketing, opinion polls or scientific research;
  c) in any other case specified by law.

(2) The Service Provider shall examine the objection within the shortest possible time but not later than within 15 days after the receipt of the request, adopt a decision if the request is justified and notify the decision to the data subject in writing. After it has established that the objection is justified, the Service Provider shall terminate the data processing – including any further data recording and transfer –, block the data and notify the objection and the resulting measures to all parties to whom the objected personal data was transferred previously and who are liable to act for the purpose of enforcing the right to object.

(3) If the User disagrees with the Service Provider’s decision, they may appeal against it before court within 30 days after the notification of the relevant decision. The court will handle the issue with urgency.

(4) Appeals against any infringement of the controller may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C
Postal address: H-1530 Budapest, POB 5
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu

JUDICIAL ENFORCEMENT
(1) The controller shall prove that the data processing complies with the applicable legislative provisions. The data recipient shall prove the legality of the data transfer.

(2) The court action shall fall within the jurisdiction of the tribunal. At the data subject’s choice, the court action may be launched before the tribunal competent in the place of domicile or residence of the data subject.

(3) Entities without legal capacity may also be parties to the court action. The Authority may intervene in the court action to help the data subject win the case.

(4) If the request is accepted, the court shall order the controller to provide information, correct, block or erase the data, cancel the decision adopted via automatic data processing, take note of the data subject’s right to object and issue the data requested by the data recipient.

(5) If the court refuses the data recipient’s request, the controller shall erase the data subject’s personal data within 3 days after the promulgation of the judgement. The controller shall erase the data even if the data recipient fails to initiate court action within a specific timeframe.

(6) The court may order the publication of the judgement – together with the controller’s identification data – if it is justified by the interests of data protection and the protected rights of a large number of data subjects.

COMPENSATION AND DAMAGES IN TORT
(1) If, by unlawfully processing the data subject’s data or breaching the requirements of data security, the controller infringes the data subject’s privacy, the data subject may claim damages in tort from the controller.

(2) As far as the data subject is concerned, the controller shall be held liable for any damages caused by the processor and the controller shall pay the damages in tort payable to the data subject for the processor’s infringement of privacy. The controller will not be held liable for the damages caused and for the payment of damages in tort if it can prove that the damage or the infringement of the data subject’s privacy was caused by a force majeure event outside the scope of data processing.

(3) No compensation or damages in tort shall be payable to the extent that the damage or privacy infringement was caused as a result of the data subject’s deliberate conduct or gross negligence.

CONCLUSION
This information material is based on the following legislation:
– Act CXII of 2011 on informational self-determination and freedom of information (Act CXII of 2011)
– Act CVIII of 2001 on certain issues of electronic commerce services and information society services (in particular, Section 13/A)
– Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers
– Act XLVIII of 2008 on the essential conditions of and certain limitations to business advertising activity (in particular, Section 6)
– Act XC of 2005 on the freedom of electronic information
– Act C of 2003 on electronic communications (in particular, Section 155)
– Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
– Recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of prior notification