Privacy policy

Privacy Policy

INTRODUCTION

The Service Provider, as the data controller, is subject to the following regulations:

In accordance with the General Data Protection Regulation (EU) 2016/679 (April 27, 2016) of the EUROPEAN PARLIAMENT AND THE COUNCIL, regarding the protection of individuals with regard to the processing of personal data and the free movement of such data, and the repeal of Directive 95/46/EC, the following information is provided.

This privacy policy regulates the data processing of the following website: www.artandurn.com

Amendments to the policy will enter into force upon publication on the above address.

As the data controller does not fulfill the obligation to designate a data protection officer based on the following points, no data protection officer has been designated:

1. a) If the data processing is carried out by public authorities or other bodies performing public tasks (except for courts acting in their judicial capacity);
2. b) If the main activities of the data controller or data processor involve large-scale, regular, and systematic monitoring of data subjects;
3. c) If the main activities of the data controller or data processor involve the processing of special categories of personal data or large-scale processing of data related to criminal liability or criminal offenses.

DEFINITIONS

1. “personal data”: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person;
2. “data processing”: Any operation or set of operations performed on personal data or on data sets, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
3. “data controller”: The natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the data controller or the criteria for its designation may be specified by Union or Member State law;
4. “data processor”: A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller;
5. “recipient”: A natural or legal person, public authority, agency, or any other body to whom personal data are disclosed, whether a third party or not. Public authorities that may access personal data under specific investigation tasks in accordance with Union or Member State law are not considered recipients; the processing of such data by public authorities must comply with applicable data protection rules as per the purposes of processing;
6. “data subject’s consent”: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them;
7. “data protection incident”: A security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

PRINCIPLES OF PERSONAL DATA PROCESSING

Personal data:

1. a) shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);
2. b) shall be collected for specified, legitimate purposes and not further processed in a manner that is incompatible with those purposes; processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the original purposes (“purpose limitation”);
3. c) shall be adequate, relevant, and limited to what is necessary for the purposes for which they are processed (“data minimization”);
4. d) shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
5. e) shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures in accordance with this Regulation to safeguard the rights and freedoms of data subjects (“storage limitation”);
6. f) shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The data controller is responsible for compliance with the above and must be able to demonstrate compliance (“accountability”).

The data controller declares that data processing is carried out in accordance with the principles outlined in this section.

DATA PROCESSING ACTIVITIES

REGISTRATION

1. The fact of data collection, the scope of processed data, and the purposes of data processing:

It is not necessary for the email address to contain personal data.

2. Scope of the data subjects: All individuals registered on the website.
3. Duration of data processing, deadline for data deletion: The data processing lasts until the data subject requests deletion. Personal data are immediately deleted upon the deletion of registration. The data controller will inform the data subject of the deletion of any personal data provided by the data subject, in accordance with Article 19 of the GDPR, electronically. If the deletion request extends to the email address provided by the data subject, the data controller will delete the email address after the notification.
4. The persons authorized to access the data and the recipients of the personal data: The personal data may be processed by the data controller’s customer service staff according to the information contained in this notice.
5. Rights of the data subjects regarding data processing:

• The data subject may request access to, rectification, deletion, or restriction of the processing of their personal data, and
• The data subject has the right to data portability, as well as the right to withdraw consent at any time.

6. The data subject can initiate the access to, deletion, modification, or restriction of the processing of personal data, and data portability in the following ways:

• By email at info@artandurn.com

7. Legal basis for data processing: the data subject’s consent, Article 6(1)(b).
8. We inform you that

• Data processing is necessary for taking steps at the request of the data subject prior to entering into a contract.
• You are required to provide personal data in order to register.
• Failure to provide the data will result in our inability to create the user account.

DATA MANAGEMENT RELATED TO OPERATING THE ONLINE STORE

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

It is not necessary for the email address to contain personal data.

2. Data subjects: All users who registered or made a purchase on the webshop website.
3. The duration of data processing, the deadline for data deletion: It lasts until the data subject’s deletion request. The data controller will inform the data subject electronically about the deletion of any personal data provided by the data subject, based on Article 19 of the GDPR. If the deletion request includes the provided email address, the data controller will delete it after informing the data subject. Except for accounting documents, as the Accounting Act (2000, C. Act, Section 169, paragraph 2) requires these data to be kept for 8 years. Accounting documents supporting accounting directly and indirectly (including general ledger accounts, analytical and detailed records) must be kept in a readable form for at least 8 years and be retrievable with references to accounting notes.
4. The identity of potential data controllers who may access the data, the recipients of the personal data: Personal data may be processed by the customer service and warehouse staff of the data controller, respecting the principles outlined above.
5. Rights of data subjects related to data processing:

• The data subject may request access to their personal data, correction, deletion, or restriction of processing from the data controller, and
• The data subject has the right to data portability and to withdraw their consent at any time.

6. Access to personal data, deletion, modification, restriction of processing, data portability, or objection can be initiated by the data subject in the following ways:

• By email at info@artandurn.com.

7. The legal basis for data processing:

7.1. GDPR Article 6 (1) b),

7.2. Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce and Information Society Services:

The service provider may process personal data that is technically necessary for the provision of the service. In case of identical conditions, the service provider must choose and operate the tools used for providing the information society service in a way that personal data is only processed if absolutely necessary for providing the service and fulfilling other goals defined by this law. However, it should be done only to the necessary extent and duration.

7.3. In case of issuing invoices in compliance with accounting regulations, Article 6 (1) c).

7.4. Enforcing claims arising from the contract under the Civil Code, Section 6:21. of Act V of 2013: 5 years.

6:22. [Statute of Limitations]

(1) Unless otherwise provided by this Act, claims become time-barred after five years.

(2) The statute of limitations begins when the claim becomes due.

(3) An agreement altering the limitation period must be made in writing.

(4) An agreement excluding the statute of limitations is void.

8. We inform you that:

• Data processing is necessary for contract performance and providing an offer.
• You are required to provide personal data in order for us to fulfill your order.
• Failure to provide data means that we cannot process your order.

REQUESTING A CALLBACK

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

2. Data subjects: All individuals requesting a callback on the website.
3. The duration of data processing, the deadline for data deletion: It lasts until the data subject’s deletion request.

The data controller will inform the data subject electronically, based on Article 19 of the GDPR, about the deletion of any personal data provided by the data subject. If the deletion request includes the provided email address, the data controller will delete it after informing the data subject.

4. The identity of potential data controllers who may access the data, the recipients of the personal data: The customer service staff of the data controller may process personal data based on the provisions of this notice.
5. Rights of data subjects related to data processing:

• The data subject may request access to their personal data, correction, deletion, or restriction of processing from the data controller, and
• The data subject may object to the processing of their personal data, and
• The data subject has the right to data portability and to withdraw their consent at any time.

6. Access to personal data, deletion, modification, restriction of processing, data portability, or objection can be initiated by the data subject in the following ways:

• By email at info@artandurn.com.

7. The legal basis for data processing: GDPR Article 6 (1) f).
8. We inform you that:

• Data processing is necessary for the legitimate interests of the data controller.
• You are required to provide personal data if you would like us to call you back.
• Failure to provide data means that we cannot call you back.

CONTACT US (CAN’T FIND WHAT YOU’RE LOOKING FOR?)

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

In the case of the email address, it is not necessary for it to contain personal data.

2. Scope of data subjects: All data subjects who send a message via the contact form.
3. Duration of data processing, deadline for data deletion: It lasts until the data subject’s deletion request is fulfilled.
4. Persons authorized to access the data and recipients of the personal data: The personal data can be processed by the data controller’s customer service employees.
5. Overview of the data subjects’ rights related to data processing:

• The data subject may request access to their personal data, correction, deletion, or restriction of processing, and
• The data subject has the right to data portability and the right to withdraw consent at any time.

6. Access to personal data, deletion, modification, restriction of processing, or data portability can be initiated by the data subject through the following means:

• By email at info@artandurn.com.

7. Legal basis for data processing: The data subject’s consent, Article 6(1)(a) and (b) of the GDPR.
8. We inform you that
• This data processing is based on your consent and is necessary for providing offers.
• You are required to provide your personal data in order to contact us.
• Failure to provide the data will result in the inability to contact the Service Provider.

CUSTOMER RELATIONSHIP

1. Fact of data collection, scope of processed data, and purpose of data processing:

2. Scope of data subjects: All data subjects who contact the data controller by phone/email/in person or are in a contractual relationship.
3. Duration of data processing, deadline for data deletion: The data processing lasts until the termination of the relationship between the data controller and the data subject, or for claims, 5 years after the contract ends.
4. Persons authorized to access the data and recipients of the personal data: The personal data can be processed by the data controller’s customer service employees, respecting the principles mentioned above.
5. Overview of the data subjects’ rights related to data processing:
• The data subject may request access to their personal data, correction, deletion, or restriction of processing, and
• The data subject has the right to data portability and the right to withdraw consent at any time.
6. Access to personal data, deletion, modification, restriction of processing, or data portability can be initiated by the data subject through the following means:
• By email at info@artandurn.com.
7. Legal basis for data processing:

7.1. Article 6(1)(b) and (c) of the GDPR.

7.2. For claims arising from the contract, based on Article 6:21 of Act V of 2013 on the Civil Code, 5 years.

6:22. § [Limitation Period]

(1) Unless otherwise provided by this Act, claims expire after five years.

(2) The limitation period begins when the claim becomes due.

(3) Any agreement aimed at changing the limitation period must be made in writing.

(4) An agreement excluding limitation is void.

8. We inform you that
• The data processing is necessary for the performance of the contract and providing offers.
• You are required to provide your personal data in order for us to fulfill your order/other request.
• Failure to provide the data will result in the inability to process your order/request.

PROCESSED DATA BY DATA PROCESSORS

Delivery

1. Activity performed by the data processor: Delivery of products, transportation
2. Name and contact details of the data processor:

Name: Magyar Posta Zrt. – MPL – Courier Service

Headquarters: 1138 Budapest, Dunavirág utca 2-6.

Contact: ugyfelszolgalat@posta.hu, 06-40-31-32-33

Web: www.posta.hu

Name: GLS General Logistics Systems Hungary Package Logistics Ltd.

Headquarters: 2351 Alsónémedi GLS Europe Street 2.

Contact: info@gls-hungary.com

Web: gls-group.eu/HU/hu/home

Name: Express One Hungary Ltd.

Headquarters: 1239 Budapest, Európa Street 12.

Contact: ugyfelszolgalat@expressone.hu

Web: https://expressone.hu

3. Fact of data processing, scope of processed personal data: Delivery name, delivery address, phone number, email address.
4. Scope of data subjects: All data subjects requesting home delivery.
5. Purpose of data processing: Delivery of the ordered product.
6. Duration of data processing, deadline for data deletion: Until the delivery is completed.
7. Legal basis for data processing: Article 6(1)(b) of the GDPR. The legal basis is the fulfillment of the delivery request by the data subject.
8. Rights of the data subject:
9. You have the right to be informed about the data processing conditions,
10. You are entitled to receive feedback from the data controller regarding whether your personal data is being processed and to access all information regarding data processing.
11. You are entitled to receive your personal data in a structured, commonly used, machine-readable format.
12. You are entitled to request the correction of inaccurate personal data without undue delay.

Hosting provider

Activity provided by the data processor: Hosting service

1. Name and contact details of the data processor:

Name: Rackforest Kft.

Address: 1116 Budapest, Sáfrány utca 6.

Contact: info@rackforest.hu

3. The fact of data processing, the scope of the data processed: All personal data provided by the data subject.
4. Scope of the data subjects: All individuals using the website.
5. Purpose of data processing: To make the website available and ensure its proper operation.
6. Duration of data processing, deadline for deletion: The data processing lasts until the termination of the agreement between the data controller and the hosting service provider or until the data subject submits a deletion request to the hosting service provider.
7. Legal basis for data processing: GDPR, Article 6(1)(f), and Section 13/A(3) of Act CVIII of 2001 on electronic commerce services and certain issues related to information society services.
8. Rights of the data subject:
9. You have the right to be informed about the circumstances of data processing,
10. You have the right to receive feedback from the data controller regarding whether your personal data is being processed and to access all information related to the data processing.
11. You have the right to receive your personal data in a structured, commonly used, machine-readable format.
12. You have the right to request the data controller to rectify inaccurate personal data without undue delay.
13. You have the right to object to the processing of your personal data.

Telecommunication provider

1. Activity provided by the data processor: Telephone exchange service
2. Name and contact details of the data processor:

Name: VNM Zrt.

Address: 1118 Budapest, Rétköz utca 7. (5th floor)

Contact: info@voipnetwork.hu

3. The fact of data processing, the scope of the data processed: First name and last name, the voice of the data subject, the reason for the call, phone number, email address, other personal data.
4. Scope of the data subjects: All individuals contacting the data processor via telephone.
5. Purpose of data processing: To make the website available and ensure its proper operation.
6. Duration of data processing, deadline for deletion: The data processing lasts until the termination of the agreement between the data controller and the telephone exchange provider or until the data subject submits a deletion request to the telephone exchange provider.
7. Legal basis for data processing: GDPR, Article 6(1)(f), and Section 13/A(3) of Act CVIII of 2001 on electronic commerce services and certain issues related to information society services.
8. Rights of the data subject:
9. You have the right to be informed about the circumstances of data processing,
10. You have the right to receive feedback from the data controller regarding whether your personal data is being processed and to access all information related to the data processing.
11. You have the right to receive your personal data in a structured, commonly used, machine-readable format.
12. You have the right to request the data controller to rectify inaccurate personal data without undue delay.
13. You have the right to object to the processing of your personal data.

3. The fact of data processing, the scope of the data processed: All personal data provided by the data subject.
4. Scope of the data subjects: All individuals who use the website’s services or register/order on the website.
5. Purpose of data processing: To operate the website (development, monitoring, bug fixes)
6. Duration of data processing, deadline for deletion: The data processing lasts until the termination of the agreement between the Service Provider and the website operator or until the data subject submits a deletion request to the website operator.
7. Legal basis for data processing: GDPR, Article 6(1)(f), and Section 13/A(3) of Act CVIII of 2001 on electronic commerce services and certain issues related to information society services.
8. Rights of the data subject:
9. You have the right to be informed about the circumstances of data processing,
10. You have the right to receive feedback from the data controller regarding whether your personal data is being processed and to access all information related to the data processing.
11. You have the right to receive your personal data in a structured, commonly used, machine-readable format.
12. You have the right to request the data controller to rectify inaccurate personal data without undue delay.
13. You have the right to object to the processing of your personal data.

8. Rights of the data subject:
9. You have the right to be informed about the circumstances of data processing,
10. You have the right to receive feedback from the data controller regarding whether your personal data is being processed and to access all information related to the data processing.
11. You have the right to receive your personal data in a structured, commonly used, machine-readable format.
12. You have the right to request the data controller to rectify inaccurate personal data without undue delay.

1. You have the right to be informed about the circumstances of data processing,
2. You have the right to receive feedback from the data controller regarding whether your personal data is being processed and to access all information related to the data processing.
3. You have the right to receive your personal data in a structured, commonly used, machine-readable format.
4. You have the right to request the data controller to rectify inaccurate personal data without undue delay.

Electronic mail services

1. Activity provided by the data processor: Order processing, servicing, customer communication
2. Name and contact details of the data processor:

Name: Google LLC

Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Contact: www.google.com/contact/

3. The fact of data processing, the scope of the data processed: Name, billing name, billing address, email address, phone number, message content.
4. Scope of the data subjects: All individuals contacting the data controller via email.
5. Purpose of data processing: Email communication with customers.
6. Duration of data processing, deadline for deletion: Data processing lasts until the termination of the relationship between the data controller and the data subject or for 5 years following the contract in the case of claims.
7. Legal basis for data processing: GDPR, Article 6(1)(c) and (f).
8. Rights of the data subject:
9. You have the right to be informed about the circumstances of data processing,
10. You have the right to receive feedback from the data controller regarding whether your personal data is being processed and to access all information related to the data processing.
11. You have the right to receive your personal data in a structured, commonly used, machine-readable format.
12. You have the right to request the data controller to rectify inaccurate personal data without undue delay.

Online marketing services

1. Activity provided by the data processor: Online marketing
2. Name and contact details of the data processor:

Name: Facebook Inc.

Headquarters: 1 Hacker Way, Menlo Park California, CA 94025 USA

Website: www.facebook.com

Customer service: +1 (650) 543-480

Name: Amazon

Headquarters: 1 Burlington Rd, Dublin 4, Ireland

Website: www.amazon.com

Name: Pinterest-Europe Ltd

Headquarters: Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland

Website: https://pinterest.com/

Name: TIKTOK INFORMATION TECHNOLOGIES UK LIMITED

Headquarters: One London Wall, 6th Floor, London, England, EC2Y 5EB

Web: https://www.tiktok.com/

3. The fact of data processing, the scope of processed data: Name, email address, visitor data
4. The group of data subjects: All individuals who use the website and subscribe to the newsletter.
5. The purpose of data processing: Promotion and advertising of products available on the website, increasing website traffic.
6. The duration of data processing, the deadline for data deletion: Until the termination of the agreement between the Service Provider and the data processor recorded in this point, or until the subject’s request for deletion directed to the data processor.
7. The legal basis for data processing: The User’s consent, Article 5(1) of the Info Act, Article 6(1)(a) of the GDPR, and Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce and Information Society Services.
8. The rights of data subjects:
9. You can inquire about the circumstances of data processing,
10. You are entitled to receive feedback from the data controller whether your personal data is being processed and to access all information related to the data processing.
11. You are entitled to receive your personal data in a structured, commonly used, machine-readable format.
12. You are entitled to request the data controller to rectify inaccurate personal data without undue delay.

COOKIE MANAGEMENT

1. Typical cookies for webshops include the so-called “password-protected session cookies,” “shopping cart cookies,” “security cookies,” “necessary cookies,” “functional cookies,” and “cookies responsible for managing website statistics,” for which prior consent from the data subjects is not required.
2. The fact of data processing, the scope of processed data: Unique identification number, dates, times
3. The group of data subjects: All individuals visiting the website.
4. The purpose of data processing: User identification, managing the “shopping cart,” and tracking visitors.
5. The duration of data processing, the deadline for data deletion:

6. The possible data processors authorized to access the data: The data controller does not process personal data via cookies.
7. The rights of data subjects regarding data processing: Data subjects have the option to delete cookies via the Tools/Settings menu of their browser, typically under the Privacy section settings.
8. The legal basis for data processing: No consent is required from the data subject if the sole purpose of cookie usage is to facilitate communication via the electronic communications network or if the provider needs it for the provision of the requested service under the Information Society Services Act.

USE OF GOOGLE ADWORDS CONVERSION TRACKING

1. The data controller uses the online advertising program “Google AdWords” and also utilizes Google’s conversion tracking service within it. Google conversion tracking is an analytical service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
2. When a user reaches a website via a Google advertisement, a cookie necessary for conversion tracking is placed on their computer. These cookies are valid for a limited time and do not contain any personal data, meaning the user cannot be identified by them.
3. When the user browses certain pages on the website, and the cookie has not expired, both Google and the data controller can see that the user clicked on the advertisement.
4. Each Google AdWords client receives a different cookie, so they cannot track users across AdWords clients’ websites.
5. The information collected via the conversion tracking cookies is used to create conversion statistics for AdWords clients who have chosen to use conversion tracking. Clients receive statistics on how many users clicked on their advertisement and proceeded to a page with a conversion tracking tag. However, they do not have access to information that would identify any user.
6. If you do not wish to participate in conversion tracking, you can opt out by disabling cookies in your browser. After that, you will not be included in the conversion tracking statistics.
7. More information and Google’s privacy policy can be found here: www.google.de/policies/privacy/

 In certain circumstances, AdRoll may transfer information to other countries within the European Economic Area. AdRoll will take necessary steps to ensure an adequate level of data protection. For example, if AdRoll sends your data to the United States, additional measures will be taken, such as entering into EU-compatible data transfer agreements with the data importer.

By adjusting your browser settings, you can disable targeted advertising by AdRoll or third-party cookies placed on behalf of AdRoll. You can also prevent the collection of your browsing data by disabling AdRoll cookies. To do so:

• Click on the blue icon typically displayed in the corner of AdRoll advertisements, or
• Click here: https://app.adroll.com/optout/safari

If you delete cookies on your device, you will need to disable them again the next time you use the device. If you use multiple browsers or devices, you must apply the “opt-out” function on each browser and device.

The use of AdRoll is subject to Article 6(1)(a) of the General Data Protection Regulation, provided that the necessary consent has been obtained, and also to Article 6(1)(f) of the General Data Protection Regulation, as in this case, KütyüBazár has a legitimate interest in the data processing. We only process your data as long as it is necessary for the purpose for which we collected it.

For more privacy information related to AdRoll, visit the following website: https://www.adroll.com/de-DE/about/privacy.

USE OF GOOGLE ANALYTICS

1. This website uses Google Analytics, a web analytics service of Google Inc. (“Google”). Google Analytics uses so-called “cookies,” text files that are stored on your computer to help analyze how you use the website.
2. The information generated by the cookies about your use of the website is usually transmitted to a Google server in the USA and stored there. By activating IP anonymization on the website, Google will shorten your IP address within the European Union member states or other countries party to the Agreement on the European Economic Area.
3. In exceptional cases, the full IP address will be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate how you use the website, compile reports on website activity, and provide other services related to website and internet usage.
4. Google Analytics does not associate the IP address transmitted by your browser with any other data held by Google. You can prevent the storage of cookies by adjusting your browser settings, but please note that in this case, not all features of this website may be fully functional. You can also prevent Google from collecting and processing the data generated by the cookies related to your website usage (including your IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

FACEBOOK PIXEL

 The Facebook pixel is a code that helps create reports on conversions, set up target audiences, and provides the website owner with detailed analytics on visitors’ website usage. With the Facebook remarketing pixel tracking code, personalized offers and advertisements can be displayed to website visitors on Facebook. The Facebook remarketing list is not suitable for identifying individuals. More information about the Facebook Pixel can be found here: https://www.facebook.com/business/help/651294705016616

NEWSLETTER, DM ACTIVITY

1. According to Section 6 of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities, the User may consent in advance and explicitly to be contacted by the Service Provider with advertising offers and other messages using the contact information provided during registration.
2. Additionally, the Client may consent to the Service Provider processing their personal data necessary for sending advertising offers, considering the provisions of this notice.
3. The Service Provider does not send unsolicited advertising messages, and the User can unsubscribe from receiving offers at any time, free of charge, without restrictions or justification. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from the advertisements by clicking the link in the message.
4. Details of the data collection, the scope of the data processed, and the purpose of the data processing:

Personal data Purpose of data processing Name, email address Identification, enabling subscription to the newsletter Subscription date Technical operation IP address at the time of subscription Technical operation

5. Data subjects: All data subjects subscribing to the newsletter.
6. The purpose of data processing: Sending electronic messages containing advertisements (email, SMS, push notifications) to the data subject, providing information about current offers, products, promotions, new features, etc.
7. The duration of data processing and the deadline for data deletion: Data processing lasts until the withdrawal of consent, i.e., until the unsubscribe request is made.
8. The possible data controllers who may access the data and the recipients of the personal data: Personal data may be processed by the Service Provider’s customer service and marketing staff, respecting the above principles.
9. Information about the data subjects’ rights related to data processing:
• The data subject may request access to their personal data from the data controller, request rectification, deletion, or restriction of processing, and
• may object to the processing of their personal data, and
• the data subject has the right to data portability, as well as the right to withdraw consent at any time.
10. The data subject may initiate access to their personal data, deletion, modification, restriction of processing, data portability, or objection as follows:
• via email at info@artandurn.com,
11. The data subject may unsubscribe from the newsletter at any time, free of charge.
12. The legal basis for data processing: The data subject’s consent, Article 6(1)(a) and (f), and Section 6(5) of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities:

The advertiser, advertising service provider, or the publisher of the advertisement – within the scope defined in the consent – maintains a record of the personal data of individuals who have provided consent. The data recorded in this register, related to the recipient of the advertisement, may only be processed in accordance with the consent given, until its withdrawal, and may only be shared with third parties with the prior consent of the data subject.

13. Please note that
• data processing is based on your consent and the service provider’s legitimate interest.
• you are required to provide personal data if you want to receive our newsletter.
• failure to provide the data will result in us being unable to send you a newsletter.

COMPLAINT HANDLING

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

2. Data subjects: All individuals who make a purchase and file a quality complaint on the website.
3. The duration of data processing, the deadline for data deletion: The complaint records, transcripts, and copies of responses must be kept for 5 years according to Section 17/A(7) of Act CLV of 1997 on Consumer Protection.
4. The possible data controllers who may access the data and the recipients of the personal data: Personal data may be processed by the Service Provider’s customer service staff, respecting the above principles.
5. Information about the data subjects’ rights related to data processing:
• The data subject may request access to their personal data from the data controller, request rectification, deletion, or restriction of processing, and
• the data subject has the right to data portability, as well as the right to withdraw consent at any time.
6. The data subject may initiate access to their personal data, deletion, modification, restriction of processing, or data portability as follows:
• via email at info@artandurn.com,
7. The legal basis for data processing: The data subject’s consent, Article 6(1)(c) and Section 17/A(7) of Act CLV of 1997 on Consumer Protection
8. Please note that
• providing personal data is based on a legal obligation.
• processing personal data is a prerequisite for concluding the contract.
• you are required to provide personal data so we can process your complaint.
• failure to provide the data will result in us being unable to handle your complaint.

PHONE CALL RECORDING

1. The fact of data collection, the scope of data processed: First and last name, the data subject’s voice, the purpose of the call, phone number, email address, and other personal data.
2. Data subjects: All individuals who contact the data controller via phone.
3. The purpose of data collection: The Service Provider processes the personal data of Users to document phone calls, ensure customer satisfaction, and efficiently investigate complaints.
4. The duration of data processing, the deadline for data deletion: Data processing lasts until the legal relationship between the data controller and the data subject ends or for 5 years after the contract in case of claims.
5. The possible data controllers who may access the data and the recipients of the personal data: Personal data may be processed by the Service Provider’s authorized staff, respecting the above principles.
6. Use of personal data: Recordings may only be listened to in person, primarily to investigate any complaints from the data subject and clarify disputed issues.
7. Information about the data subjects’ rights related to data processing:
• The data subject may request access to their personal data from the data controller, request rectification, deletion, or restriction of processing, and
• may object to the processing of such personal data, and
• the data subject has the right to data portability, as well as the right to withdraw consent at any time.
8. You can initiate access to, deletion, modification, or restriction of the processing of personal data, data portability, and objection to data processing in the following ways:
• via email at info@artandurn.com
9. The legal basis for data processing:

9.1. Article 6(1)(c) and (f) of the GDPR.

9.2. In case of enforcing claims arising from a contract, according to Section 6:21 of Act V of 2013 on the Civil Code, the period is 5 years.

6:22. § [Prescription]

(1) If this Act does not provide otherwise, claims expire after five years.

(2) The limitation period starts when the claim becomes due.

(3) Any agreement to alter the limitation period must be made in writing.

(4) An agreement excluding the limitation period is void.

10. Other information regarding phone call recordings:

– At the beginning of the conversation, the Service Provider informs the customer about who the data controller is, that the recording is being made, and where the data processing notice for the recording can be read in detail.

– The Service Provider ensures that upon request, the customer can listen to the recording and receive a copy, in line with the data protection commissioner’s statement number 213/H/2009.

– The Service Provider provides the option for contact without recording via email.

SOCIAL MEDIA PLATFORMS

1. The fact of data collection, the scope of processed data: registered names on social media platforms such as Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, and the user’s public profile picture.
2. The group of data subjects: All those who are registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, etc., and “liked” the website.
3. The purpose of data collection: Sharing or “liking” certain content, products, or promotions of the website on social media platforms to promote the website.
4. The duration of data processing, the deadline for data deletion, and the persons entitled to access the data, along with the rights of the data subjects related to data processing: The data subject can find information about the data source, its processing, transfer, and legal basis on the given social media platform. The data processing occurs on the social media platforms, so the rules of the respective social media platform apply regarding the duration, manner, and deletion or modification options of data.
5. The legal basis for data processing: The voluntary consent of the data subject to the processing of their personal data on social media platforms.

CUSTOMER CONTACTS AND OTHER DATA PROCESSINGS

1. If the data subject has any questions or issues during the use of our services, they can contact the data controller through the provided methods on the website (phone, email, social media, etc.).
2. The data controller deletes the emails, messages, and data provided through phone, Facebook, etc., along with the name and email address of the inquirer and any other voluntarily provided personal data, no later than 5 years after the data communication.
3. For data processing not listed in this notice, the data subject will be informed when the data is collected.
4. In case of exceptional authority requests or when permitted by law, the Service Provider is obligated to provide information, disclose data, or make documents available.
5. In these cases, the Service Provider will only release the personal data to the requesting authority to the extent and for the purpose necessary to fulfill the request, provided that the request specifies the exact purpose and scope of data.

RIGHTS OF THE DATA SUBJECT

1. The right of access: You are entitled to receive feedback from the data controller regarding whether your personal data is being processed and, if so, to access your personal data and the information listed in the regulation.
2. The right to rectification: You are entitled to request the correction of inaccurate personal data about you without undue delay. Taking into account the purpose of data processing, you are entitled to request the completion of incomplete personal data, including through supplementary statements.
3. The right to erasure: You are entitled to request the deletion of personal data concerning you without undue delay, and the data controller is obliged to delete personal data about you without undue delay under certain conditions.
4. The right to be forgotten: If the data controller has made your personal data public, and it must be deleted, the controller will take reasonable steps, considering available technology and the cost of implementation, to notify other data controllers who process the data that you have requested the deletion of the links to or copies of the personal data concerned.
5. The right to restriction of processing: You are entitled to request the restriction of processing your personal data if any of the following conditions are met:
• You dispute the accuracy of your personal data, in which case the restriction applies for the time necessary for the data controller to verify the accuracy of the personal data;
• The processing is unlawful, and you oppose the deletion of data and instead request the restriction of its use;
• The data controller no longer needs the personal data for processing, but you need it for the establishment, exercise, or defense of legal claims;
• You have objected to the processing of data; in this case, the restriction applies for the period during which it is determined whether the data controller’s legitimate grounds override your legitimate interests.
6. The right to data portability: You are entitled to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and you are entitled to transmit this data to another data controller without hindrance.
7. The right to object: In case of processing based on legitimate interest or public authority, you are entitled to object to the processing of your personal data at any time for reasons related to your situation, including profiling.
8. Objection to direct marketing: If the personal data is processed for direct marketing purposes, you are entitled to object at any time to the processing of your personal data for such purposes, including profiling to the extent it is related to direct marketing. If you object to the processing of personal data for direct marketing, then the personal data shall no longer be processed for this purpose.
9. Automated decision-making in individual cases, including profiling: You are entitled not to be subject to a decision based solely on automated processing of your personal data, including profiling, that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is:
• Necessary for the performance or conclusion of a contract between you and the data controller;
• Authorized by applicable EU or member state law, which provides adequate safeguards for your rights and freedoms, and legitimate interests;
• Based on your explicit consent.

TIMEFRAME FOR ACTION

The data controller will inform you about the actions taken in response to the above requests without undue delay, but at the latest within one month from the receipt of the request.

If necessary, this can be extended by 2 months. The data controller will inform you about the extension, specifying the reasons for the delay, within one month of receiving the request.

If the data controller does not take action on your request, they will inform you about the reasons for the lack of action without undue delay, but at the latest within one month from the receipt of the request, and inform you that you can lodge a complaint with a supervisory authority and exercise your judicial remedy rights.

DATA SECURITY

The data controller and processor will implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk, considering the current state of the art, implementation costs, nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of individuals. These measures may include:

1. a) pseudonymization and encryption of personal data;
2. b) ensuring the confidentiality, integrity, availability, and resilience of systems and services used for the processing of personal data;
3. c) ability to restore access to personal data in a timely manner in the event of a physical or technical incident;
4. d) regular testing, assessment, and evaluation procedures to measure the effectiveness of the technical and organizational measures to ensure data security.

NOTIFICATION OF A DATA BREACH

If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller will inform the data subject without undue delay. The notification will clearly describe the nature of the data breach and include the contact details of the data protection officer or other contact person for further information; the likely consequences of the data breach; and the measures taken or planned by the data controller to address the breach, including where applicable, measures to mitigate any adverse effects.

The data subject need not be informed if any of the following conditions are met:

• The data controller has implemented appropriate technical and organizational protective measures, and those measures were applied to the data concerned by the breach, especially measures such as encryption that render the personal data unintelligible to unauthorized persons;
• The data controller has taken further actions following the breach that ensure that the high risk to the rights and freedoms of data subjects is unlikely to materialize;
• Informing the data subject would involve disproportionate effort. In such cases, the data controller shall provide information through publicly available communications or take similar measures ensuring effective communication with the data subjects. If the data controller has not notified the data subject about the data breach, the supervisory authority, after assessing whether the breach is likely to result in a high risk, may mandate the data subject notification.

REPORTING A DATA PROTECTION INCIDENT TO THE AUTHORITIES

The data controller shall notify the competent supervisory authority without undue delay, and if possible, no later than 72 hours after becoming aware of the data protection incident, in accordance with Article 55, unless the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, reasons justifying the delay must be attached.

COMPLAINT OPTIONS

A complaint may be filed against the data controller’s possible violation with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet Fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box 5.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

CLOSING REMARKS

In preparing this notice, we have taken into account the following legal provisions:

• The protection of natural persons in respect of the processing of personal data and on the free movement of such data, and the repeal of Directive 95/46/EC (General Data Protection Regulation) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016)
• Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.)
• Act CVIII of 2001 on certain issues of electronic commerce services and information society services (mainly Section 13/A)
• Act XLVII of 2008 on the prohibition of unfair commercial practices towards consumers
• Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities (particularly Section 6) – Act XC of 2005 on electronic freedom of information
• Act C of 2003 on electronic communications (specifically Section 155) – Opinion No. 16/2011 on the EASA/IAB recommendation regarding the best practice of behavioral online advertising
• Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information
• Regulation (EU) 2016/679 of the European Parliament and the Council (April 27, 2016) on the protection of natural persons in respect of the processing of personal data and on the free movement of such data, and the repeal of Directive 95/46/EC

Privacy Policy

General Terms and Conditions