Data management policy

Accepted by Pihepets Kft. (headquarters: 1089 Budapest, Orczy út 12, tax number: 25481819-2-02, tel.: 0612109283, e-mail address: info@brizlo.eu) (hereinafter: Data Controller).

1./ General provisions

 The subject of this data protection policy is https://brizlo.hu/ operated by the Data Controller. CXII of 2011 on the right to informational self-determination and freedom of information in connection with the operation of a web store (hereinafter: website) operating on an internet site (hereinafter: webshop) in the possession of the Data Controller. Act (hereinafter: Infotv.) based on Regulation No. 2016/679 (GDPR) of the European Parliament and Council (EU) and other relevant legislation in force.

These Regulations establish the data protection and data management principles applied by the Data Controller, through which the Data Controller ensures that the privacy rights of natural persons who come into contact with the online store during the services provided are not violated.

The Data Controller reserves the right to unilaterally modify its data protection policy and the content of these Regulations in the event of a change in the services it provides, as well as in accordance with the legal provisions in force at all times. The Data Controller will publish a notice on the website at the same time as the change of any changes to these regulations.

2./ Scope of those affected by data management

Natural people (hereinafter: data subjects) who purchase the Data Controller's products through the online store (hereinafter: product sales) or register specifically for the newsletter service on the website.

 3./ Purpose of data management

The Data Controller records and manages the voluntarily provided personal data of the data subjects for the following purposes related to the sale of products: entering into a contract related to the sale of products in the online store, fulfilling a contract, terminating a contract, sending newsletters, and providing information for advertising purposes.

4./ Legal basis for data management and the source of the data

The legal basis for data processing is primarily the prior, voluntary consent given by the data subjects in possession of appropriate information regarding data processing, as well as the conclusion of a contract related to the sale of products, the performance of a contract, and the termination of a contract.

The source of the data is data voluntarily provided by the data subjects.

By providing personal data on the website or subscribing to newsletters and advertising information, the data subject expressly consents to the Data Controller processing the personal data voluntarily provided in accordance with the provisions of this policy.

If the data subject provides their data for the purpose of product sales, then their data will be processed for the purpose of entering into a contract, fulfilling a contract, or terminating a contract related to product sales. The data subject acknowledges that with the purchase he accepts the processing of his data with one consent - for several data management purposes according to the above .

If the data subject subscribes to information for the purpose of sending newsletters and advertising, then his data will be processed for the purpose of sending newsletters and information for advertising purposes. The data subject acknowledges that by signing up, he accepts the processing of his data for multiple data management purposes in accordance with the above.

5./ The data concerning the data subjects, the duration of the data management

The data management covers the following data of the data subjects:

In the case of product sales:

  • name,
  • residential address, billing address,
  • Date of birth,
  • identity card number, or passport number, or driver's license number
  • e-mail address.

When subscribing to newsletter advertising information:

  • name,
  • e-mail address.

In the case of product sales, the transfer of the above data to the Data Controller is a prerequisite for the conclusion and performance of the contract related to the product sales.

In the case of subscribing to newsletter advertising information, the provision of the above data is a prerequisite for the sending of the given electronic information.

In the event of failure to provide data, the data subject cannot conclude a contract related to the product sales or receive the given information.

Data processing begins by filling out the registration interface (providing data for product sales or subscribing to newsletter advertising information).

In the case of product sales, the Data Controller processes the data for six years.

In the case of subscribing to newsletter advertising information, the Data Controller processes the data until withdrawal, but for a maximum of ten years.

Upon expiry of the data processing period, the Data Controller permanently deletes the personal data of the data subjects in an irretrievable manner.

The data subject may withdraw his/her consent to data processing at any time, without giving reasons, verbally, in writing or by electronic means. In this case, the Data Controller will irreversibly and permanently delete all data, except in the case of product sales, data whose longer retention is required by civil, tax or other legislation.

6./ Type of transmitted data

The Data Controller may not use personal data for purposes other than those specified. Personal data may only be transferred to third parties with the prior and informed consent of the data subjects, except in the case of a transfer required by law.

7./ Obligations of the Data Controller's fulfillment assistants during data management

The personal data that the Data Controller has come to know may only be disclosed to the Data Controller’s assistants who assist in the implementation of the data processing purposes specified in this policy, who are subject to a confidentiality obligation with respect to all data they have come to know based on their employment contract, agency contract, other work contract, legal provisions relating to their employment, or the instructions of the Data Controller.

Compliance with the data processing policy is binding on the Data Controller and all of its assistants – including former assistants – (hereinafter referred to as “assistant”) when processing the personal data of the data subjects.

Neither during the existence of their legal relationship nor after its termination, the assistant may disclose or communicate to another person or make accessible to another person any personal data related to the data subjects that they have come to know during their legal relationship.

The fulfillment assistant may disclose personal data obtained during the legal relationship to another fulfillment assistant if this is necessary for the performance of the work. The fulfillment assistant may disclose personal data obtained during the legal relationship to another third party only with the permission of the Data Controller. The fulfillment assistant may transmit personal data obtained during the legal relationship only with the permission of the Data Controller, regardless of the means used or the manner in which the transmission takes place.

The fulfillment assistant is obliged to immediately report to the Data Controller if he becomes aware of a violation of this policy.

8./ Technical processing of data management:

The Data Controller stores the personal data of the data subjects exclusively electronically, on servers in Hungary, and the personal data are not transferred to any Data Controller or data processor located in Hungary or in a third country.

The Data Controller ensures the security of personal data by means of appropriate technical and organizational measures. The Data Controller provides the IT equipment used for the management and storage of personal data with appropriate protection (password, firewall) and ensures that only authorized persons have access to these equipment. The Data Controller also ensures that personal data are not damaged, destroyed or become known in the event of force majeure.

9./ The rights of the persons concerned in relation to data management

The data subject may request from the Data Controller:

  • Information on the processing of his/her personal data: at the request of the data subject, the Data Controller shall provide information on the data processed by the data subject, its source, the purpose, legal basis, duration of the data processing, and – in the case of the transfer of the data subject’s personal data – the legal basis and recipient of the data transfer within a maximum of 30 days from the receipt of the request. Refusal to provide information is possible only in cases regulated by law. The information is free of charge if the person requesting information has not yet submitted a request for information to the Data Controller regarding the same data scope in the current year. In other cases, the Data Controller may determine a cost reimbursement.
  • Correction of personal data: if the personal data does not correspond to reality and personal data corresponding to reality is available to the Data Controller, the personal data shall be corrected within its own competence, otherwise at the request of the data subject.
  • Completion of his/her personal data: if the personal data needs to be completed and the personal data to be completed is available to the Data Controller, the personal data will be corrected within its own competence, otherwise at the request of the data subject.
  • Deletion of his/her personal data: the Data Controller will delete the personal data if its processing is unlawful; the data subject requests it; the purpose of the data processing has ceased to exist or the data storage period has expired, or it has been ordered by a court or authority.
  • Blocking of his/her personal data: instead of deleting, the Data Controller will block the personal data if the data subject requests it or if, based on the information at its disposal, it can be assumed that the deletion would violate the legitimate interests of the data subject. Personal data blocked in this way may only be processed as long as the purpose of the data processing that precluded the deletion of the personal data exists.
  • The portability of his/her personal data: receives the personal data provided to the Data Controller in a segmented, widely used, machine-readable format from the relevant Data Controller, and is also entitled to forward this data to another Data Controller.

    In addition to the above, the data subject may object to the processing of his or her personal data if the processing or transmission of the personal data is necessary exclusively for the fulfillment of a legal obligation applicable to the Data Controller or for the exercise of the legitimate interests of the Data Controller, the data recipient or a third party.

    The Data Controller shall examine the objection within the shortest possible time, but no later than 15 days from the submission of the request, shall make a decision on its merits, and shall inform the requester of its decision in writing.

    The details of the above rights are contained in Sections 14-19 and 21 of the Infotv.

    The data subject is entitled to initiate proceedings before the National Data Protection and Freedom of Information Authority regarding the data processing that he or she considers unlawful.

    The data subject may apply to court in cases specified in the Infotv (Section 23 of the Infotv). The adjudication of the lawsuit falls within the jurisdiction of the court. The lawsuit may also be initiated – at the choice of the person concerned – before the court of the person concerned's place of residence or residence.

    10./ Data protection incident

    A data breach is defined as:

    a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed.

    In particular, the following may be considered an incident: theft or loss of a “company” laptop or mobile phone, unauthorized access to customer databases, hacking of an online store’s IT system, and access to data.

    In the event of a data breach, the Data Controller – through its CEO – shall immediately take the necessary steps and reports to eliminate the data breach and mitigate the resulting damage.

    If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject about the data breach without undue delay. The information provided to the data subject shall describe in a clear and comprehensible manner the nature of the data breach and shall include the most important information and measures.

    The data subject shall not be required to be informed as referred to in the previous point if any of the following conditions are met:

    a) the Data Controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the data breach, in particular measures such as the use of encryption which render the data unintelligible to persons not authorised to access the personal data;

    b) the Data Controller has taken additional measures following the data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in the previous points is unlikely to materialise;

    c) the information would involve a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly published information or a similar measure shall be taken which ensures that the data subjects are informed in an equally effective manner.

     11./ Special rules regarding information for the purpose of sending newsletters and advertising

    The Data Controller sends messages containing information to the data subjects – about its products, services, news.

    The data subject acknowledges that subscribing to the newsletter service also constitutes consent pursuant to Section 6 (1)-(2) of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities, based on which the Data Controller is entitled to forward advertising and marketing inquiries directly to the data subject’s provided e-mail address. By subscribing to the newsletter service, the data subject expressly consents to the Data Controller sending him/her news, newsletters, advertisements, and promotional offers related to the services provided by it.

    If the data subject does not wish to receive messages that qualify as advertising in the future, he/she may cancel this by using the option offered in the newsletter sent by the Data Controller, and may expressly prohibit the sending of advertising inquiries in person or by post or e-mail addressed to the Data Controller.

    12./ Final provisions

    When visiting the website, the Consumer's IP address may be registered, however, the IT solutions used during the operation of the website do not allow the Data Controller to access the Consumer's personal data, this data is used exclusively for the development of the website and the improvement of the services available through it (for the preparation of statistics and analyses).

    During the first visit, the website may install a so-called "cookie" on the hard drive or memory of the Consumer's computer or phone in order to make the content of the page and browsing and navigation faster and easier when visiting the website again. If the "cookie" is refused, some elements of the page may not be displayed.

    We do not exchange cookies with websites operated by third parties and do not allow them to be placed on our website.

    The operation of Google Analytics is permitted in connection with our website. This provides us with information about how visitors to the website use the page. The website's visitor habits are compiled by Google Analytics based on anonymized users. We do not allow Google to use the data you provide (whether for its own purposes or to share it with anyone).

    The Data Controller reserves the right to make changes and improvements to the website at any time without notice, or to partially or completely eliminate the website or the information provided on it. The Data Controller does not guarantee the continuity and error-free access to the website, and the Data Controller is not responsible for any damage that may occur due to a malfunction.

    The Data Controller is obliged to compensate for any damage caused to others by the unlawful processing of the data of the data subject or by violating the requirements of data security, unless the damage resulted from the intentional or grossly negligent conduct of the injured party.

    In matters not regulated in these regulations, Act V of 2013 on the Civil Code, Act CXII of 2011 Act on the right to information self-determination and freedom of information, Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and other relevant legal provisions shall apply.

    The CEO is responsible for the activities of the Data Controller and compliance with this data management policy.

    This data management policy is valid from the date of withdrawal.

    Budapest, 2021.06.01.