Privacy Policy
INTRODUCTION
Crematella, entrepreneur Daniel Kovács (hereinafter: Data Controller) considers it of utmost importance to respect the right of information self-determination of its partners, customers and visitors. The Data Controller handles personal data confidentially, in accordance with the applicable European Union and domestic legislation, as well as the relevant data protection (authority) practice, and takes all security and organizational measures that guarantee the security, confidentiality, integrity and availability of the data.
On the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: GDPR), and Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: Infotv.), the Data Controller publishes the following information (hereinafter: Information) in order to protect the processed personal data.
The Notice is effective from 01.01.2024 until revocation in relation to the processing of the personal data of those involved in the activities carried out by the Data Controller.
The Data Controller reserves the right to unilaterally change this Notice at any time. If the Information is modified in such a way that it may affect the handling of the personal data of the data subjects, the Data Controller will inform the data subjects of this, primarily on its website or social media platforms, or in the case of data subjects who have subscribed to the newsletter, in the newsletter or, if a phone number is provided, in an SMS message.
This information provides detailed information about the data processors used by the Data Controller and their activities involving personal data.
THE DATA CONTROLLER
Company organized and existing under the laws of Hungary with registered address at Szárazhegy str. 23, 1171, Budapest, Hungary
VAT: 45758465
Tax Code - Register of enterprises of Budapest: 8438454496
Email Address: sales@crematella.com
As a result of the main activity of the Data Controller, it processes personal data in connection with requests for proposals (the first contact). Requests for offers are primarily possible through the Data Controller's website, as well as its headquarters, telephone and e-mail contacts, or the social media interfaces it operates. The Data Controller only manages the personal data necessary for the successful preparation of the offer. The Data Controller handles the personal data obtained in connection with the requests for proposals received, regardless of the channel of information, as follows:
Scope of processed personal data: surname and first name, title, e-mail address, telephone number, and other personal data provided by the contracting authority.
Categories of stakeholders: stakeholders intending to establish a business relationship with the Data Controller.
Source of processed personal data: the data subject.
Purpose of data management: preliminary consultation, request for an offer.
Legal basis for data management: prior consultation, in the case of a request for an offer, based on Article 6 (1) point b) of the GDPR between the Data Controller and the data subject, taking steps at the request of the data subject prior to the conclusion of the contract.
In the course of asserting a right or claim, as well as in the management of the contact data of legal entities, based on point f) of Article 6 (1) of the GDPR, it is the legitimate interest of the Data Controller.
Duration of data management: 2 years after the existence of the contractual or business relationship, or the quality of representative of the person concerned (general limitation period for legal enforcement). Upon expiry of the general limitation period available for legal enforcement or the longer retention period defined by law, personal data - including contact data - will be deleted immediately and irretrievably. An exception to this is the possible enforcement of rights or claims, court, prosecutor's office, investigative authority, violation authority, public administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies authorized by law.
Access: Only those employees who have access to the administrator interface used by the Data Controller have access to the managed personal data.
Data transmission: in connection with the data management defined in this point, the Data Controller transmits data to its data processors (especially Shopify), through which some personal data may also be transmitted to third countries (thus, in particular, the United States of America). Those concerned can get detailed information about the individual data transmitted to individual data processors, the details of data processing and the application of the legal bases enabled by Chapter V of the GDPR in Annex No. 3 of this information.
Data management technique: the Data Controller manages the data subject's personal data manually (on paper) and electronically.
Profiling: the Data Controller does not make a decision based solely on automated data management in connection with the data subject, nor does it create a profile of the data subject based on the available personal data.
Data subject rights: in connection with data management, data subjects may exercise their rights to access, rectification, deletion, limitation of data management, data portability, and objection.
The Data Controller handles personal data in connection with the products ordered as a result of its online product sales activities, as well as when handling the warranty claims contained in Chapter XXIV of the Ptk. The Data Controller only handles personal data necessary for the performance of the contract. The Data Controller handles the personal data obtained during the performance of the contract as follows:
Scope of processed personal data: for the purpose of fulfilling the contract, the Data Controller processes the following data of the contracted natural person or individual entrepreneur:
· surname and first name,
· title,
· birth surname and first name,
· place and time of birth,
· mother's name,
· your address,
· identity card number,
· driver's license (licence) number,
· tax number,
· individual entrepreneur registration number,
· the address of the registered office, site or residential address,
· the address of the property involved in the contract,
· your phone number,
· your e-mail address,
· your bank account number.
For the purpose of fulfilling the contract and maintaining contact, the Data Controller processes the following data of the contact person of the legal entity contracted with it:
· surname and first name,
· title,
· your workplace,
· your position, job title,
· the address of the registered office, site or residential address,
· the address of the property involved in the contract,
· your phone number,
· your e-mail address.
Categories of stakeholders: stakeholders who intend to establish a business relationship with the Data Controller or who already have a contractual relationship.
Source of processed personal data: the data subject.
Purpose of data management: contract fulfillment.
Legal basis for data management: fulfillment of the contract between the Data Controller and the data subject based on Article 6 (1) point b) of the GDPR within the framework of agreement and contract conclusion.
In the course of asserting a right or claim, as well as in the management of the contact data of legal entities, based on point f) of Article 6 (1) of the GDPR, it is the legitimate interest of the Data Controller.
Duration of data management: 2 years after the existence of the contractual or business relationship, or the quality of representative of the person concerned (general limitation period for legal enforcement). Upon expiry of the general limitation period available for legal enforcement or the longer retention period defined by law, personal data - including contact data - will be deleted immediately and irretrievably. An exception to this is the possible legal or claim enforcement, court, prosecutor's office, investigative authority, violation authority, public administrative authority, the National Data Protection and Freedom of Information Authority, or the procedure of other bodies based on the authority of the law.
Access: Only those employees who have access to the administrator interface used by the Data Controller have access to the managed personal data.
Data transfer: personal data will not be forwarded to third parties, unless the contract between the data subject and the Data Controller stipulates otherwise, or in the case of possible legal or claim enforcement, or proceedings by a court, prosecutor's office, investigative authority, infringement authority, public administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies authorized by law.
Data management technique: the Data Controller manages the data subject's personal data manually (on paper) and electronically.
Profiling: the Data Controller does not make a decision based solely on automated data management in connection with the data subject, nor does it create a profile of the data subject based on the available personal data.
Data subject rights: in connection with data management, data subjects may exercise their rights to access, rectification, deletion, limitation of data management, data portability, and objection.
The Data Controller processes personal data in connection with the transfer and receipt of data as part of its main activity as follows:
Scope of processed personal data: surname and first name, title, place and time of birth, mother's name, identity card number, driver's license (licence) number, e-mail address, telephone number, vehicle registration number, additional vehicle data.
Categories of data subjects: data subjects with a contractual relationship with the Data Controller.
Source of processed personal data: the data subject.
Purpose of data management: to ensure the transfer and acceptance arising within the main activity of the Data Controller.
Legal basis for data management: taking steps at the request of the data subject prior to the conclusion of the contract between the Data Controller and the data subject based on Article 6 (1) point b) of the GDPR in connection with the transfer arising within the main activity of the Data Controller, as well as the performance of the contract.
In the course of asserting a right or claim, as well as in the management of the contact data of legal entities, based on point f) of Article 6 (1) of the GDPR, it is the legitimate interest of the Data Controller.
Duration of data management: 2 years after the existence of the contractual or business relationship, or the quality of representative of the person concerned (general limitation period for legal enforcement). Upon expiry of the general limitation period available for legal enforcement or the longer retention period defined by law, personal data - including contact data - will be deleted immediately and irretrievably. An exception to this is the possible legal or claim enforcement, court, prosecutor's office, investigative authority, violation authority, public administrative authority, the National Data Protection and Freedom of Information Authority, or the procedure of other bodies based on the authority of the law.
Access: only those employees who have access to the administrator interface used by the Data Controller can access the managed personal data on the part of the Data Controller.
Data transfer: personal data will not be forwarded to third parties, unless the contract between the data subject and the Data Controller stipulates otherwise, or in the case of possible legal or claim enforcement, or proceedings by a court, prosecutor's office, investigative authority, infringement authority, public administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies authorized by law.
Data management technique: the Data Controller manages the data subject's personal data manually (on paper) and electronically.
Profiling: the Data Controller does not make a decision based solely on automated data management in connection with the data subject, nor does it create a profile of the data subject based on the available personal data.
Data subject rights: in connection with data management, data subjects may exercise their rights to access, rectification, deletion, limitation of data management, data portability, and objection.
In the course of issuing invoices as part of its main activity, the Data Controller processes data as follows:
Scope of processed personal data: surname and first name, title, residential address.
Categories of data subjects: data subjects with a contractual relationship with the Data Controller.
Source of processed personal data: the data subject.
Purpose of data management: issuing invoices arising within the main activity of the Data Controller.
Legal basis for data management: in connection with the issue of invoices arising within the main activity of the Data Controller, based on Article 6 (1) point c) of the GDPR, fulfillment of the legal obligations specified in the tax and accounting legislation in force at all times, in particular the VAT Act and Section 169 of the Accounting Act.
In the course of asserting a right or claim, as well as in the management of the contact data of legal entities, based on point f) of Article 6 (1) of the GDPR, it is the legitimate interest of the Data Controller.
Duration of data management: 8 years from the date of issue of the invoice, as well as the period of time specified in the tax and accounting legislation in force at all times, in particular the VAT Act and Section 169 of the Accounting Act.
At the end of the longer retention period specified by law, personal data - including contact data - will be deleted immediately and irretrievably. An exception to this is the possible legal or claim enforcement, court, prosecutor's office, investigative authority, violation authority, public administrative authority, the National Data Protection and Freedom of Information Authority, or the procedure of other bodies based on the authority of the law.
Access: employees dealing with invoicing and refunds on behalf of the Data Controller have access to the personal data processed in connection with the issued invoices.
Sending newsletters and SMS newsletters
Based on the data subject's prior, clear and express consent, the Data Controller sends newsletters to the data subject in the form of SMS and e-mail about its activities, most important news, services, discounts, and to promote its services.
The data subject can subscribe to the newsletter in electronic form on the website of the Data Controller (crematella.com), as well as on social media platforms operated by the Data Controller, the condition of which is to read and accept this data management information.
The Data Controller does not assume responsibility in any form for errors or damages resulting from erroneously or falsely provided data; the subscriber bears all responsibility resulting from this. The Data Controller is obliged to delete subscriptions provided with incorrect or false data immediately after becoming aware of them.
The Data Controller ensures that the data subject can unsubscribe from the newsletters free of charge at any time.
The Data Controller processes personal data as follows:
Scope of processed personal data: title, surname, first name, e-mail address, telephone number, residential address.
Categories of stakeholders: stakeholders who subscribe to the newsletter.
Source of processed personal data: the data subject.
Purpose of data management: newsletter sending.
Legal basis for data management: based on Article 6 (1) point a) of the GDPR, the consent of the data subject, which is given by ticking the checkbox to acknowledge the information contained in the data management information.
Duration of data processing: after the investigation of the declaration (opt-out) sent by the data subject or his representative to the Data Controller to delete his personal data - if his request is justified - the data subject's personal data will be deleted immediately and irretrievably. An exception to this is the possible legal or claim enforcement, court, prosecutor's office, investigative authority, violation authority, public administrative authority, the National Data Protection and Freedom of Information Authority, or the procedure of other bodies based on the authority of the law.
Access: only those employees who have access to the administrator interface used by the Data Controller can access the managed personal data on the part of the Data Controller.
DATA SECURITY
The Data Controller and the data processors are entitled to access the personal data of the data subject only to the extent necessary for the performance of their tasks.
The Data Controller transmits personal data in a uniform, pre-audited manner, in a secure form, while informing the data subject, avoiding redundant data transmission or data communication on different registration interfaces.
In order to ensure data security, the Data Controller assesses and records all data management activities carried out by it.
Based on the records of data management activities, the Data Controller takes into account the conditions under which each data management is carried out, as well as which risk factors during data management may cause harm and possible data protection incidents. Risks must be assessed on the basis of the actual data management activity. The purpose of the assessment is to define security rules and measures that, in line with the performance of the Data Controller's activities, effectively ensure the adequate protection of personal data.
Taking into account the nature, scope, circumstances and purposes of data management, as well as the varying probability and severity of the risk to the rights and freedoms of natural persons, the Data Controller implements appropriate technical and organizational measures in order to ensure and prove that the management of personal data is carried out in accordance with the GDPR, including, but not limited to, where appropriate:
· pseudonymization and encryption of personal data;
· ensuring the continuous confidentiality, integrity, availability and resilience of the systems and services used to manage personal data;
· in the event of a physical or technical incident, the ability to restore access to personal data and the availability of data in a timely manner;
· a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures taken to guarantee the security of data management.
When determining the appropriate level of security, the risks arising from data management must be specifically taken into account, which in particular arise from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise managed.
The Data Controller implements appropriate technical and organizational measures to ensure that, by default, only such personal data is processed that is necessary for the given specific data management purpose. This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility. These measures must in particular ensure that personal data cannot become accessible to an indefinite number of persons by default without the intervention of the natural person.
In case of damage or destruction of personal data, attempts must be made to replace the damaged data from other available data sources to the extent possible. The fact of the replacement must be indicated on the replaced data.
The Data Controller protects its internal network with multi-level firewall protection. A hardware firewall (border protection device) is always located at the entry points of the used public networks. The Data Controller stores the data redundantly - i.e. in several places - to protect them from destruction, loss, damage, and unlawful destruction resulting from the failure of the IT device.
It protects its internal networks from external attacks with multi-level, active, complex protection against malicious code (e.g. virus protection).
The Data Controller does everything with the utmost care that can be expected of it to ensure that its IT tools and software constantly comply with the technological solutions generally accepted in market operation.
RIGHTS OF THE DATA SUBJECT
It is important for the Data Controller that its data management meets the requirements of fairness, legality and transparency. At any time in connection with data management, the data subject:
· can request information regarding data management and request access to the data processed in relation to them,
· in case of inaccurate data, can request correction or completion of incomplete data,
· can request the deletion of data processed based on their consent,
· can object to the processing of their data,
· can request the restriction of data management.
Based on a request for information - if it is not subject to restrictions due to a legally defined interest - the data subject can find out whether their personal data is being processed by the Data Controller, and is entitled to receive information about the data processed in relation to them:
· for what purpose it is handled,
· what authorizes the Data Controller to manage the data (legal basis),
· from when and for how long the Data Controller will process the data (duration),
· what kind of data it manages and makes a copy of it available to the data subject,
· recipients of personal data and categories of recipients,
· on transmission to a third country or international organization,
· if they were not collected from the data subject, then about the source of the data,
· on the characteristics of automated decision-making, if the data controller uses it,
· on the rights of stakeholders related to data management,
· about your legal remedies.
The Data Controller will respond to requests for information and access within one month at the latest. Regarding the data subject, the Data Controller may charge a reasonable fee based on administrative costs for additional copies of the personal data processed about the data subject.
In the case of a request to correct (change) the data, the data subject must substantiate the reality of the data requested to be changed, and must also prove that the person entitled to change the data is indeed requesting the change. This is the only way the Data Controller can judge whether the new data is real and, if so, whether it can change the old one.
If it is not clear whether the processed data is correct or accurate, the Data Controller does not correct the data, but only marks it, i.e. indicates that it has been objected to by the data subject, but it may not be incorrect. After confirming the authenticity of the request, the data controller will correct inaccurate personal data without undue delay, and supplement the data affected by the request. The Data Controller will notify the data subject of the correction or marking.
In the case of a request to delete or block the data, the data subject may request the deletion of their data, which means that the Data Controller is obliged to delete the data concerning the data subject without undue delay if:
· personal data were handled illegally,
· the personal data are no longer needed for the purpose for which they were processed,
· if the processing of the data was based on the data subject's consent and he revoked it, and another legal basis does not make the further processing of the data lawful,
· the law requiring the deletion of data establishes such an obligation for the Data Controller, and he has not yet complied with it.
You can request the restriction of data processing, which the data controller will comply with if one of the following is met:
· the data subject disputes the accuracy of the personal data, in this case the limitation applies to the period that allows the data controller to check the accuracy of the personal data,
· the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of their use,
· the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims; or against the data management relating to it.
If the data is subject to restrictions, such personal data may only be processed with the consent of the data subject, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the Union or a member state. The Data Controller informs the data subject in advance of the lifting of the restrictions on data management.
If the data subject considers that the data management violates the provisions of the GDPR or Infotv., or considers the way the Data Controller handles their personal data to be harmful, then we recommend that they first contact the Data Controller with their complaint. The complaint will always be investigated.
Some data processors used by the Data Controller are based in the United States of America or may transfer data there.
The Data Controller draws attention to the following risks in connection with the transfer of data to the United States of America.
Equivalent protection: According to the decision of the Court of Justice of the European Union adopted on July 16, 2020, the so-called Schrems II decision, the United States of America does not, at the time this information comes into force, have a comprehensive data protection framework equivalent to that existing in the European Union (including in particular the Charter of Fundamental Rights and the GDPR). This may result in the privacy rights of the data subjects not being adequately protected.
National Security and Law Enforcement: Certain authorities in the United States of America have broad surveillance powers that can be used to access personal data without adequate legal safeguards.
Data security: The data processor operating in the United States of America may not have the same level of security measures as the Hungarian data controller, which increases the risk of data integrity violations.
As the legal basis for data management, the Data Controller applies point c) of Article 46 (2) of the GDPR - subject to the provisions of recital (104) - according to which the transfer of data is permitted if general data protection clauses adopted by the European Commission in accordance with the investigation procedure referred to in Article 93 (2) are used.
As a risk-reducing measure, in order to protect the personal data of the data subjects, the Data Controller only employs data processors that undertake and ensure the fulfillment of the data processing obligations contained in Article 28 of the GDPR, or with which it has entered into a data processing contract in which the data processor has assumed these obligations.
In this information, the Data Controller presents the data processing guarantees to the data subjects, which ensure the enforcement of the data processing commitments and the exercise of the rights of the data subjects contained in the GDPR.
Shopify
Name of data processor: Shopify International Ltd.,
Registered Office: Haddington Road, 2nd Floor 1-2 Victoria Buildings, Dublin 4, D04 XN32, Ireland
Identifier, registry number: IE560279
Activities performed: web server service, webshop operation
The essence of data transfer
Shopify is an e-commerce platform that allows its partners (thus the Data Controller) to create and operate their own online store. With its help, business owners can sell their products and services on the Internet. It includes store creation, integration of payment systems, inventory management and customer support.
Through the Shopify interface, the Data Controller can collect data about customers, such as name, address, e-mail address, phone number and payment data, and with the help of cookies, it can access additional data for logging and analyzing time spent on the website and activity.
Data transmission guarantees
By using Shopify, the Data Controller applies Shopify's Terms of Service. Shopify's obligations for data processing can be found as attachments (Shopify Data Processing Addendum). These obligations ensure the fulfillment of the data controller's obligations contained in Article 28 of the GDPR, and they can also comply with the general data protection clauses created by the European Commission (Standard Contractual Clauses - second module: Data transmission from the data controller to the data processor).
Peculiarities of data transmission
Based on Shopify's Privacy Policy, we would like to draw your attention to the following special data management processes and requirements that affect the affected parties.
Automated risk and fraud scoring
Through automated decision-making, Shopify uses your customers' personal data to block certain transactions that appear to be fraudulent. Shopify's risk and fraud screening may use some of the data subjects' personal data for automated decision-making. Shopify generally does not engage in fully automated decision-making with respect to data subjects' personal data. The only exception is Shopify's risk and fraud filtering, where Shopify may automatically block a payment card number or IP address after a certain number of failed payment attempts. This has no significant legal impact on the data subjects, as the automatic blocking only lasts for a short time.
As part of providing the Services, Shopify transfers personal data to MaxMind, a fraud detection service that processes personal data to provide the Data Controller with risk scores that help avoid fraudulent transactions. In this capacity, MaxMind acts as an independent data controller with regard to the personal data it processes. More information about MaxMind's privacy practices can be found here: www.maxmind.com/en/privacy-policy.
Parental consent
The GDPR includes separate parental consent requirements for the processing of personal data of users under the age of 16. Pursuant to Article 8 of the GDPR, in the case of a child under the age of 16, the processing of the children's personal data is only legal if and to the extent that the consent was given or authorized by the person exercising parental supervision over the child.
Data transfer
Your personal data is controlled by Shopify International Ltd., a subsidiary of Shopify in Ireland. The data is then transferred by Shopify to other Shopify locations and service providers located in other regions, including Canada (where Shopify is headquartered) and the United States of America. Sending personal data outside of Europe is done in accordance with European legislation.