Information on data processing

Information on data processing

Julianna Edina Ilyés, self-employed (registered office: 2162 Őrbottyán, Harang utca 112., Hungary; tax number: 67681198-1-33, electronic contact information: ilyesjulianna@gmail.com; web page: http://ilyesjuli.hu (hereinafter: web page); telephone number: +36-70-566-1302; hereinafter: Data controller)  provides the following information on her data processing practices to the costumers to whom her services are supplied in accordance with the applicable laws[1] on the protection of personal data.

1. The description of data processing

The Data controller gives priority to the protection of personal data and always ensures fair and transparent processing by fulfilling its basic requirement to provide adequate information on the data processing. This information on data processing (hereinafter: “Information on data processing”) includes but is not limited to information on how the Data controller processes data during providing services, especially the source and scope of the processed data; the legal basis, the purpose and the duration of data processing; the rights and enforcement options related to personal data, and the possibility to choose between them; and the contact information where the data subject (hereinafter: “Data subject”) can ask questions about the Data controller’s data protection processes.

The Data controller provides services related to the production and distribution of hand-made jewellery. The Data controller’s data processing procedures are the following: registration on the web page; operation of a webshop on the web page and the fulfilment of orders regarding the Data controller’s products, including data processing procedures in connection with pursuing a claim arising in connection with it; sending newsletters and correspondence to the data subjects of the personal data processing; and the use of cookies on the web page; and handling the complaints of the Data subjects of processing of personal data and document retention as part of the Data controller’s legal obligations.

The Data controller provides summary tables of each data processing procedures to make the understanding of data processing easier.

2. The Data subject

The Data subjects of the processes in connection with the Data controller’s processing of personal data are those who:

• registered on the web page;
• ordered the Data controller’s product;
• are the addressees of the cookies used by the Data controller;
• are in correspondence with the Data controller;
• submitted complaint to the Data controller

(hereinafter together: Data subject).

3. The Data controller can obtain personal data from the following sources

The Data controller can obtain the personal data from the Data subject through

• registration on the web page;
• order of the product;
• accepting the use of cookies;
• a correspondence request;
• submitting a complaint.

4. The tables in Point 1 details the legal basis and the purpose of the data processing, the scope of data processed, and the duration of the data processing.

5. The Data processing
   • The Data controller transmits the Data subject’s data during the service to her contractual partners^[2] to be processed to help provide the service and in an extent that is necessary for the performance.
   • The following data processors are necessary to provide the services to process the Data subject’s data as the contractual partners of the Data controller: MEDIACENTER HUNGARY Informatikai, Szolgáltató és Üzemeltető Korlátolt Felelősségű Társaság (registered office: 6000 Kecskemét, Sosztakovics utca 3. 2. em. 6., Hungary) The purpose of data processing: information technology service, server service, data storage

DPD Hungária Futárpostai, Csomagküldő Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1158 Budapest, Késmárk utca 14. B. ép., Hungary) The purpose of data processing: delivery and shipment of the products ordered by the Data subject

The Rocket Science Group LLC d/b/a MailChimp (registered office: 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA) The purpose of data processing: data processing for advertising purposes – providing information technology services in connection with sending newsletters.KBOSS.hu Kft. (székhely: 1031 Budapest, Záhony utca 7., Hungary) The purpose of data processing: administration in connection with invoicing (through the www.szamlazz.hu web page)

6. Data transmission to a third country

The Rocket Science Group LLC d/b/a MailChimp. has certification according to the EU-US Privacy Shield Framework (https://www.privacyshield.gov/EU-US-Framework),therefore, personal data can be transmitted to it because they will receive adequate level of protection according to Article 45(1) of GDPR.

7. Data security and authorization to know the data
   • The Data controller deletes the personal data of the Data subject after the duration of the data processing.
   • The Data controller ensures the safety of the processed data and takes any measures to protect the privacy of the Data subject and to provide adequate protection to the personal data of the Data subject in accordance with the applicable laws (i.e. to prevent unauthorised access, alteration, transmission, disclosure, erasure or destruction; or accidental destruction and damage; and the unavailability as a result of the modification of the applied technology).
   • The Data controller processes the Data subject’s data in a computerised database automatically and manually as a part of the measures that are necessary to meet the data protection requirements; and ensured that the Data subject’s data is processed in a closed, password protected system that is saved to a hard drive; and this system is only used by those who are authorized to know the data to an extent that is essential to provide the service.
   • The computer systems have firewall and adequate virus protection.
   • The Data controller make the system’s technical inspection, and take measures, if any error is found or indicated.
   • The Data controller ensures that those who are entitled to access the data have received complete information on data protection rules. As a data security guarantee, the executive officers and the employees of the Data controller have confidentiality obligation and legal liability in relation to the data that are disclosed to them during the performance of his or her tasks.
   • The following data will be logged to generate the traffic data of the web page and to detect any possible error and attempted attack: the information that becomes available to the Data controller with the use of the visitors’ and the Data subject’s computer and the network ID (IP address).  The Data controller does not connect the network IDs to any other data that could identify the visitor of the web page or the Data subject. When the web page is visited, only the cookies and web bugs listed in this Information is downloaded.
   • On behalf of the Data controller, only the Data controller and at certain data processing activities the above-mentioned data processors are entitled to know the processed data (the Data controller is self-employed and has no employees).
   • The Data controller maintains records of the personal data of the Data subjects who gave their consent to receive newsletters containing discounts, promotions and offers.

8. The rights of the Data subject; remedies
   • The Data subject can exercise his or her rights determined in this point electronically by sending an e-mail to ilyesjulianna@gmail.com or by sending a mail to the registered office of the Data controller addressed to the Data controller.
   • The Data controller gives information electronically or in writing at the request of the Data subject [Article 15(1) of GDPR; the right to obtain confirmation]:

• the categories of the Data subject’s data being processed;
• the purposes of data processing;
• the categories of recipient to whom the personal data can be disclosed,
• the duration of data processing;
• the rights and remedies available to the Data subject.
  • At the request of the Data subject, the Data controller provides a copy of the personal data in a commonly used electronic format or in another format chosen by the Data subject [Article 15(3) of GDPR; the right of access, the right to obtain a copy].
  • The Data controller modifies and refines (rectify) the Data subject’s personal data according to the request of the Data subject and makes this option available on the user profile [Article 16 of GDPR; the right to rectification].
  • The Data subject can contact the Data controller to exercise the rights in connection with the access to data and the rectification of data.
  • The Data controller deletes the Data subject’s personal data at the request of the Data subject. The Data controller can reject the fulfilment of the request based on the reasons listed in Article 17(3) of GDPR. For example, the personal data are necessary for the exercise or defence of legal claims; or for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject; or for purposes in the public interest; or for exercising the right of freedom of expression and information. [Article 17 of GDPR; the right to erasure].
  • The Data subject is entitled to withdraw the consent to the registration on the web page; to receive newsletters; to the use of consent cookies; and to receive correspondence free of charge at any time without giving any reasons; or can submit a request to opt-out of receiving ads. In this case, the Data controller deletes all personal data of the Data subject without delay and will not send newsletters to Data subject in the future [the right to withdraw consent]. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • The Data subject has the right to request from the Data controller restriction (locking) of data processing:
• if the accuracy of the personal data is contested by the Data subject, for a period enabling the Data controller to verify the accuracy of the personal data;
• if the processing is unlawful and the Data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• if the Data controller no longer needs the personal data for the purposes of the processing, but they are required by the Data subject for the establishment, exercise or defence of legal claims [Article 18 of GDPR; the right to restriction of processing].

The Data controller fulfils the Data subjects request of restriction of data processing by storing the personal data separately from any other personal data. For example, electronic data files are saved to an external data carrier or the personal data stored in paper format are placed in a separate folder. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Data subject will be informed before the restriction of processing is lifted.

• The Data subject has the right to receive his or her personal data in a structured, commonly used and machine-readable format and has the right to transmit the personal data to another Data controller. Furthermore, the Data controller ensures that the Data subject’ data are transmitted directly to the data controller chosen by the Data subject at the explicit request of the Data subject. [Article 20(1) and (2) of GDPR; the right to data portability].
• The Data controller notifies the Data subject of the measures within one month after the receipt of the Data subject’s request. If the request is rejected, the Data controller notifies the Data subject within one month after the receipt of the Data subject’s request of the reasons of the rejection, and the possibility to lodge a complaint at the Authority and to exercise the right to judicial remedy.
• The right can be exercised free of charge. In certain cases, the Data controller is entitled to charge a fee based on administrative costs or refuse to act on the request, if the Data subject requests a copy of his or her data, or the Data subject request is manifestly unfounded or excessive (because of its repetitive character).
• The Data controller reserves the right to request the provision of additional information necessary to confirm the identity of the Data subject where the Data controller has reasonable doubts concerning the identity of the natural person making the request. If the Data subject exercises the right to request a copy, it is especially such a case and it is justified that the Data controller verifies whether the request is from the authorized person.
• Before initiating the procedures determined in this point, the Data subject is entitled to make a complaint (which can be submitted electronically) to the Data controller in connection with the handling of his or her concerns of the data processing and with the restoration of lawfulness. The Data controller assesses the complaint within thirty days and makes a record of it and decides on its justification; and electronically notifies the Data subject of the decision in writing. If the Data controller finds that the Data subjects complaint is justified, the Data controller restores the lawfulness of the data processing or terminates the data processing (including any further data collection and data transmission). The Data controller can no longer process the personal data unless the Data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data subject or for the establishment, exercise or defence of legal claims. The Data controller notifies those who received the data determined in the complaint about the complaint and the measures that were taken based on it. The complaints procedure determined in this point can be used solely to handle concerns regarding data processing during the correspondence with the Data subject; and it is not applicable to statements made in order to exercise consumer rights (guarantee claims, warranty, withdrawal from contract, termination) in connection with the products of the Data controller.
• If the Data subject’s opinion is that the Data controller breached his or her right in connection with the protection of personal data or the Data controller’s processing is unlawful, the Data subject can initiate a procedure at the Authority. The contact information of the Authority: postal address: 1530 Budapest, Pf.: 5., Hungary; e-mail: ugyfelszolgalat@naih.hu; telephone number: +36-(1)-391-1400; web page: naih.hu.
• If the Data subject’s opinion is that the Data controller breached his or her right in connection with the protection of personal data, the Data subject is entitled to initiate court proceedings and to demand compensation for damages caused to the Data subject by the unlawful processing of his or her data or the breach of data security or demand aggravated damages in case of the breach of rights relating to personality. In case of a judicial remedy, the Data subject can initiate the proceedings before the regional court that is competent according to the place of residence or stay of the Data subject.

9. Cookies
18. • The computer of the Data subject stores cookies when he or she visits the web page. Cookies are small text files that are stored by the browser on the Data subject’s device to save certain information. Next time the Data subject uses the same device to visit the web page, the information stored in the cookies are either sent to the web page (“First-party cookie”) or to another web page to which the cookie belongs (“Third-party cookie”).
    • With the help of the stored and returned information, the web page recognizes that the Data subject has already accessed and visited the web page with the browser used on the device. The Data controller uses this information to optimize and display the web page in accordance with the preferences of the Data subject. In this case, only the cookie is identified on the Data subject’s device. Beyond this extent, the Data subject’s personal data will only be stored by the Data controller, if the Data subject gives explicit consent or if it is strictly necessary to the use of the services offered to or accessed by the Data subject.
    • The Data subject’s consent is the legal basis for the use of data processing cookies, i.e. the data processing in order to customize the services available on the web page to the preferences of the Data subject [Point (a) of Article 6(1) of GDPR].
    • The Data subject can give consent to the use of cookies by selecting the checkbox of the cookie in question on the web page. The Data controller gives the following information on the cookies that can be used without consent.
    • The web page uses the following type of cookies (their scope and function are detailed below):

• Strictly necessary cookies
• Function and Performance cookies
• Consent cookies

• The web page uses the following cookies:
• Strictly necessary cookies

• The strictly necessary cookies have functions that are necessary for the web page to be used in accordance with its intended use. These cookies are solely used by the Data controller therefore, they are First-party cookies. This means that all the information stored in the cookies are sent back to the web page.
• For example, the strictly necessary cookies are used to always keep the Data subject, as a registered user, signed-in when he or she visits different pages of the website, therefore, it is not necessary to provide his or her login information every time a new page is entered.
• The strictly necessary cookies can be used on the web page without the consent of the Data subject. Therefore, the strictly necessary cookies cannot be individually activated and deactivated. However, the Data subject can disable the cookies in his or her browser at any time.
• Legal basis: point (b) of Article 6(1) of GDPR.

• Function and Performance cookies

• The function cookies make it possible for the web page to store the submitted data (for example registered name or language choice) and offer optimized and customized functions based on these data. These cookies solely collect and store anonymous data, so they will be unable to follow the Data subject’s movement on other web pages.
• The performance cookies collect data on how the website is used so the Data controller can improve the website’s appeal, content and functions. These cookies help determine whether the subpages of the website are visited, or which subpages are visited more often, and which content is especially interesting to the users. The performance cookies are also used to:
• record especially the number of visits on a page; the number of access of the subpages; the time spent on the website; the order of the visited web pages; the search words that led the Data subject to the Data controller; the country, region and sometimes the city from which the Data subject logged in; and the ratio of mobile devices accessing the website;
• record the movement of the mouse, the mouse clicks and the scrolling in order to help the Data controller understand which part of the web page is interesting to the users.
• The Data controller uses these data to make statistics and does not use them attached to the name or user profile of the Data subject. As a result, the Data controller can determine the content of the website and optimize its offer based on the users’ preferences. If the IP address of the Data subject’s computer is transmitted due to technical issues, it is automatically anonymised and cannot be used to draw conclusions of the user.
• Legal basis: point (f) of Article 6(1) of GDPR.

• Consent cookies

• The Data controller needs the Data subjects explicit consent to use cookies that are not strictly necessary, function or performance cookies, such as advertisement/marketing cookies.
• The Data controller reserves the right to use the data that is obtained as a result of the anonymous analysis of the habits of the website’s visitors with the use of cookies in order to display ads of certain products of the website. This is in the Data subject’s interest because the Data controller displays ads or content that she thinks will be interesting to the Data subject based on his or her browsing habits. This way the Data subject will see fewer randomly displayed ads or content which do not fit his or her needs.
• The marketing cookies come from third-party advertising agencies (Third-party cookies) and they collect information on the websites visited by the Data subject in order to develop targeted ads for the target group of the Data subject.
• Legal basis: point (a) of Article 6(1) of GDPR.
• The Data subject can opt out of the cookies used for online advertising with the help of such tools that ensures the Data subject’s right to choose and that were created as part of self-regulation programs in various countries. For example, in the United States of America: https://www.aboutads.info/choices/ or in Europe: http://www.youronlinechoices.com/hu/. The cookie preferences can be set in different menu items depending on the toolbar of the browser (the Internet Explorer here, the Google Chrome here, the Mozilla Firefox here, the Safari here). You can set through these links which tracking functions you allow/prohibit on your computer. The Data subject can withdraw his or her consent to the future use of consent cookies individually at any time by modifying the cookie settings accordingly.
• Those Data subjects, who do not want the Google Analytics to make a report on their visit, can install a browser plug-in that blocks Google Analytics. This plug-in instructs the JavaScript scripts of Google Analytics (ga.js, analytics.js, and dc.js) not to send information on the visits to Google. Furthermore, those Data subject, who installed the blocking plug-in, will not be part of the content experiments. If the Data subject wants to block the web activities of the Analytics, he or she can visit the blocking web page of Google Analytics and can install the plug-in to the browser. For further information on the installation and uninstallation of the plug-in, review the Help menu of the browser in question.
  • Management and deletion of cookies

The Data subject can set his or her browser (the Explorer here, the Google Chrome here, the Mozilla Firefox here, the Safari here) to block the saving of cookies as a rule and/or to ask every time, if the Data subject allows the activation of cookies. The Data subject can delete those cookies at any time that are activated again. The Data subject can find more details on the operation of this in the Help menu item of the browser.  If the use of cookies is deactivated generally, it can limit certain functions of the website.

• Google Analytics

• The website uses Google Analytics, the web analytical service of Google Inc. (“Google”). In this process, the Google Analytics uses a specific form of cookies which is stored on the Data subject’s computer and allows the analysis of the Data subject’s use of the website. The information generated by the cookie on the Data subject’s use of the website is usually transmitted to and stored on a Google server located in the USA.
• The Data subject can prevent the storage of cookies with the use of the right settings while browsing. Furthermore, there is a browser plug-in on the https://tools.google.com/dlpage/gaoptout?hl=en address, and by downloading and installing it, the Data subject can prevent that the Google record and manage the information generated by the cookie on the Data subject’s use of the website (including his or her IP address).
• The web page also uses Google Analytics to analyse visitor-flow through user ID independently from devices. The Data subject can deactivate the following of his or her use through different devices in “Personal information” under “My information” menu item in his or her Google account.
• Legal basis: point (f) of Article 6(1) of GDPR.

• The Data controller’s advertisements displayed by external service provider
• The Data controller’s advertisements can be displayed by external service providers (like Google) on different web pages. The Data controller and the external service providers (like Google) use proprietary cookies (for example the cookies of Google Analytics) and third-party cookies (for example the cookies of DoubleClick) together for navigation by the users based on the previous visits on the website; and optimization and display of ads.
• Legal basis: the consent of the data subject

• Social Plug-ins
• The Data controller uses the plug-ins (Social plug-ins/“plug-ins”) of social media networks on the web page, especially the Facebook’s “Share” or “Share with friends” The web page of Facebook, https://www.facebook.com/ is operated by Facebook Inc. (1601 S. California Ave, Palo Alto, CA 94304, USA) for which the Facebook Ireland Limited (Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland) is liable in Europe. The plug-ins are usually marked with the logo of Facebook.
• We use the plug-ins of “Google+” (provider: Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA) and “Twitter” (provider: Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA) besides the Facebook plug-ins.
• By clicking on the right button (for example “Forward”, “Share” or “Share with friends”), the Data subject accepts that his or her browser connects to the servers of the social media network and transmits the usage data to the appropriate provider of the social media network, and vica versa. The Data controller has no control over the type and scope of data collected by the social media networks afterwards. The social media network provider stores the data collected in connection with the Data subject as a user profile, and uses them for advertising, market research and/or the demand-oriented design of the website. This assessment is done in particular for the design of the advertising activity based on demand (in case of users that are not logged in as well), and in order to enable the social media network to inform its other users of the Data subject’s activities on our website. The Data subject is entitled to object the creation of such user profiles; in order to exercise this right, he or she must contact the provider of the plug-in in question. With the use of plug-ins, the Data controller enables the Data subject to contact social media networks and other users, so the Data controller can develop its supply and make it more appealing to the Data subject, as user.
• The data are transmitted regardless of the fact whether the Data subject has an account at the provider of the plug-in and is logged in or not. If the Data subject is logged into his or her account at the provider of the plug-in, the data collected by the Data controller are directly attached to that account at the provider of the plug-in. If the Data subject clicks on the “Activation” button and is connected to the web page, the provider of the plug-in will also store the information in his or her user profile and publicly share it with the Data subject’s friends. The Data controller suggests to the Data subject to log out regularly after the use of the social media network, especially before activating the button, to avoid being attached to his or her profile at the provider of the plug-in.
• For more information on the purpose and scope of data collection and the data processing of the provider of the plug-in, the Data subject can review the privacy notice of these service providers below which detail his or her rights related to this matter and the settings providing protection to his or her data.

1. a) Facebook Inc. (1601 S California Ave, Palo Alto, California 94304, USA); http://www.facebook.com/policy.php Further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications, and http://www.facebook.com/about/privacy/your-info#everyoneinfo The Facebook participates in the EU-U.S. Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
2. b) Google Inc. (1600 Amphitheater Parkway, Mountainview, California 94043, USA); https://www.google.com/policies/privacy/partners/?hl=de. The Google participates in the EU-U.S. Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
3. c) Twitter, Inc. (1355 Market St, Suite 900, San Francisco, California 94103, USA); https://twitter.com/privacy. The Twitter participates in the EU-U.S. Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.

9. Other conditions
   • If the Data controller modifies the Information on data processing, a notification will be displayed of this on the web page, and the modified information is forwarded to the e-mail address submitted by the Data subject so he or she can review it.
   • The Data controller provides information on any data processing not listed in this Information on data processing when the data is collected. The Data controller can be contacted to provide information, disclose or transmit data or to make documents available by court, public prosecutor’s office, other investigating authority, administrative offences authority, administrative authority, the Hungarian National Authority for Data Protection and Freedom of Information and other authorities according to applicable laws. Provided that the authorities indicate the exact purpose and scope of the data, the Data controller solely discloses personal data to the authorities to the extent that is absolutely necessary for the fulfilment of the request.
   • If the Data controller wants to process personal data for a purpose other than the purposes of the data collecting, she notifies the Data subject of this other purpose and any other relevant additional information before processing.
   • If the Data controller discloses the data to another recipient as well, she notifies the Data subject of this fact no later than the first disclosure of these data.

[1]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR); The text of GDPR is available here in every official language of the European Union

[2]The Data controller is entitled to decide unilaterally to use another Data processor at any time during the service.