Privacy Policy

 

This is a translation of the original privacy policy that can be found here. In case of any discrepancy, the original Hungarian version shall prevail.


1. Identification of controller


We inform you that the website https://www.mybettershelf.com/ is run by
Mybettershelf Kereskedelmi Korlátolt Felelősségű Társaság
Short name: Mybettershelf Kft.
Registration number: 01-09-373198 - Company Registry Court of Budapest-Capital Regional Court (Fővárosi Törvényszék Cégbírósága)
Tax number: 28768038-2-42
Headquarters: 8/B. Egyenes Street, 3rd floor 46, Budapest 1144 Hungary (Magyarország, 1144 Budapest, Egyenes utca 8/B. 3. em. 46.)
Place of establishment: 8/B. Egyenes Street, 3rd floor 46, Budapest 1144 Hungary (Magyarország, 1144 Budapest, Egyenes utca 8/B. 3. em. 46.)
Place of business: 8/B. Egyenes Street, 3rd floor 46, Budapest 1144 Hungary (Magyarország, 1144 Budapest, Egyenes utca 8/B. 3. em. 46.)
E-mail: info@mybettershelf.com
(Controller hereafter).


2. Legal requirements concerning processing, scope of present policy


2.1. Service of website identified by address above (website hereafter), run by Controller identified above (Controller hereafter), is supplies services from Hungary. In accordance with this, Hungarian and European law applies to service, Users during they are using services (including processing). Controller uses information about Users primarily based on these regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (GDPR hereafter)
(AZ EURÓPAI PARLAMENT ÉS A TANÁCS (EU) 2016/679 RENDELETE (2016. április 27.) a természetes személyeknek a személyes
adatok kezelése tekintetében történő védelméről és az ilyen adatok szabad áramlásáról, valamint a 95/46/EK irányelv hatályon kívül helyezéséről (általános adatvédelmi rendelet),
- Regulation CVIII of 2001 on Electronic commercial services and services related to some aspects of information society
(az elektronikus kereskedelmi szolgáltatások, valamint az információs társadalommal összefüggő szolgáltatások egyes kérdéseiről szóló 2001. évi CVIII. törvény (Ekertv.)),
- and Regulation XLVIII of 2008 on Basic conditions and some limits of economic advertising activities (és a gazdasági reklámtevékenység alapvető feltételeiről és egyes korlátairól szóló 2008. évi XLVIII. törvény (Grt.)).


2.2. Present policy applies to processing done during the usage of the website, drawing on services offered there, as well as fulfilling orders on the webshop.


2.3. Based on present policy, Users are: natural persons browsing website and drawing on services of website, and natural persons ordering products from Controller.


3. Legal bases of processing


3.1. Legal basis of processing done by Controller lies upon GDPR Article 6, Paragraph (1), Point a) about consent of User to processing, and Article 6, Paragraph 1, Point b) of GDPR, which states that processing is necessary for fulfillment of contracts in which User is one of the parties.


3.2. In case of processing based on given consent, User previously agrees to processing by marking an indicator box above processing agreement placed at relevant places. User can read about processing anytime under “Privacy Policy” appearing at every page of the website, or by clicking on “Privacy Policy” link in processing agreement mentioned in this point, through which Controller provides User in advance with obvious and detailed information. By marking the indicator box above processing agreement, User declares that they have read Privacy Policy and consents to handling their data in accordance with present policy knowing its content.


3.3. In certain cases, Controller is required to do some processing actions, or its rightful interest might be the legal basis to process data. User can read about these in more detailed below, in chapters about each case of processing.


4. Processing related to operation of information technology service


4.1. Controller uses ‘cookies’ to run the website and to collect technical data about the visitors of the website.


4.2. Controller represent a specific reference for visitors of the website: ‘Information about the use of cookies’


5. Processing related to receiving and answering messages


5.1. Concerned parties in processing: Users who have sent messages to Controller by sending an e-mail to Controller using the e-mail address(es) appeared on the webpage.
Users who have used the messaging surface that can be reached under ‘CONTACT US’ on the website or by sending an e-mail to Controller using the e-mail address(es) appeared on the website.


5.2. Legal basis for processing: User’s consent according to GDPR Article 6, Paragraph (1), Point a).


5.3. Determining the scope of data handled:
The following data of User who sent an e-mail
- name
- e-mail address
- country
- other possible data that was given in a message sent by User
Controller handles information concerning received messages from User only content wise, and does not require User to give personal data within. When such non-required information is provided though, they are not stored and Controller deletes them immediately from the information technology system.


5.4. Purpose of processing: to ensure exchange of messages between Controller and User.
Services involved:
- receiving e-mail messages (by using e-mail address(es) on the website),replying to messages sent to Controller the above mentioned ways within 2 working days.


5.5. Duration of processing: until answering a request or accomplishing a claim. Afterwards, Controller deletes data that is handled for these purposes. If there are more exchanges of messages, data are erased after the claim has been accomplished.
If contracting occurs during the process of exchange messages, and content of messages is important with regard to the contract, legal basis and period of processing happens based on Point 7.


5.6. Method of data storage: on separate data managing lists in the information technology system of Controller until the end of information exchange.


6. Processing related to sending newsletters


6.1. Concerned parties in processing are: Users who sign up for newsletters at website by providing personal data through filling up the related form on the website.


6.2. Legal basis of processing: User’s consent based on GDPR Article 6, Paragraph (1), Point a) and User’s consent based on law regulating economic advertising activities § 6, Paragraph (1) and (2). User gives voluntary consent by reading this Privacy Policy and filling up the form about receiving newsletters, clicking on the consenting agreement box there. Either way, User consents to handle their personal data described in Privacy Policy, and to receive newsletters.


6.3. Newsletters provide useful information to users, as well as aims direct sales purposes. User can sign up for this service regardless of drawing on other services, and it is voluntary. It is based on User’s decision after being informed. In case User does not take the newsletter service, they do not encounter any drawbacks when using website or any other services, it is not a criterion to use any other services at website.


6.4. Scope of data:
- name,
- e-mail address.


6.5. Goal of processing: sending newsletters to User by Controller in e-mails about Controller’s services, information about the latest products/services and actualities, offers and advertisements.


6.6. Duration of processing: Controller handles information until User’s cancellation of consent (User unsubscribes), or until deleting data based on User’s request.


6.7. Method of data storage: on separate data managing lists in Controller’s information technology system.


7. Processing related to orders


7.1. Scope of parties concerned: Users put in an order at website.


7.2. Legal basis of processing: based on GDPR Article 6, Paragraph (1), Point b), according to which processing is necessary to accomplishing contracts where User is one of the parties.


7.3. Scope of data handled: Processing involves personal data and contacts.
Users who are making an order:
- surname
- first name
- e-mail address
- telephone number
- e-mail address
- billing name
- billing address
- name for delivery (if different)
- address of delivery (if different)
- country
- indication of product(s)/service(s) ordered
- price of product(s)/service(s) ordered
- delivery method
- payment method
- other information User might have provided in order to accomplish order
- time of order
- time of payment
- User’s bank account number in case of pre-paid bank transfer.
In case of online payment, data of bank card used for payment is not revealed to Controller, as User provides payment service provider directly with such data.


7.4. Goal of processing: to make and fulfil contracts realized through orders.


7.5. Duration of processing: in order to fulfil orders, Controller handles information mentioned above until it is prescribed by the Act on Accounting (Számviteli
Törvény) about keeping certificates. According to the Act on Accounting (Számviteli Törvény), this period is at least 8 years after making out an invoice, after passing this deadline, Controller deletes data within one year.
During delivery - through which order is fulfilled - processing of necessary data (name, address of delivery, telephone number) lasts until the delivery is accomplished. When Controller forwards personal information to delivery company exclusively necessary for delivery, uses processing limitation, so data forwarded can be used only to a limited extent and time.
It is the rightful interest of delivery company to store above mentioned data or some parts of them for a certain period, in case of possible discontent, complaints or civil legal disputes. However, delivery company does this as independent Controller, User may read about this in specific service provider’s privacy policy. User can get more information about such service providers in chapter “Using a Processor” of present policy, where their websites containing their privacy policy is indicated as well.
Other data possibly processed during ordering – e.g. important messages between User and Controller about orders – are processed by Controller for 5 years after contracting – general term of limitation concerning civil demands.


7.6. Method of data storage: On separate processing list within the Controller’s information technology system, and on accounting documents (prepayment requests, bills) that correspond to related laws about keeping bills for certain periods of time.


8. Forwarding data


8.1. Scope of concerned: Users choosing online payment after shopping at website, regardless of using other services.


8.2. Addressee of data forwarding:
PayPal (Europe) S.a.r.l. et Cie, S.C.A.
Cégjegyzékszám: B118349 Adószám: LU 22046007 Székhely: 22-24, Boulevard Royal, 2449 Luxembourg, Luxembourg Postacím: 22-24, Boulevard Royal, 2449 Luxembourg, Luxembourg E-mail: dpo@paypal.com Webhely: https://www.paypal.com/hu/home
as service provider company of online payment service available at Controller’s website.


8.3. Legal basis of data forwarding: User’s legitimate interest based on GDPR Article 6, Paragraph (1), Point a). Recipient is obliged to run a fraud prevention and scout system in connection with offering payment services and has the right to handle personal data that is necessary for these. Recipient has developed its system regarding to legal obligations, for its operation data forwarding by Controller is necessary. Accordingly to this it is Recipient’s legitimate interest to run a fraud prevention and scout system to meet its legal obligations. Recipient falls under the following provisions:
- Act CCXXXVII of 2013 165. § (5) Paragraph on Credit Institutions and Financial Enterprises (a hitelintézetekről és a pénzügyi vállalkozásokról szóló 2013. évi CCXXXVII. törvény 165. § (5) bekezdése),
- Act CCXXXV of 2013 92/A. § (3) Paragraph Point f) on some payment services (az egyes fizetési szolgáltatókról szóló 2013. évi CCXXXV. törvény 92/A. § (3) bekezdés f) pontja),
- Act LXXXV of 2009 14. § (1) Paragraph Point v) on providing payment services (a pénzforgalmi szolgáltatás nyújtásáról szóló 2009. évi LXXXV. törvény 14. § (1) bekezdés v) pontja).
Fraud prevention and providing proper operation of online services are both Controller’s and Recipient’s legitimate interest. Both organisations’ main source of revenue connects to proper operation of payment services. Nevertheless these are User’s interests as well, in particular to avoid abuse of bank card data. Data forwarding allows preventing and detecting frauds and troubleshooting of possible stumbling block that might appears during the process of payment. Forwarded data comes from User’s data handled during booking/ordering and these data are forwarded through electronic channels which ensure encrypted data traffic solely for Recipient and only after payment is done and which are not used for any other purposes by Recipient. Therefore, data forwarding puts no significant risk on User, it has no other visible effect on them. Forwarding data is necessary for reaching goals described here and is suitable for making payment services safer. In view of the above and taking the built in guarantee operations into account, forwarding does not mean unreasonable degree encroachment into Users’ personal lives, therefore data forwarding is a necessary and proportional data processing operation.


8.4. Scope of data forwarding:
- surname
- first name
- telephone number
- e-mail address
- address
- IP address
- transaction identification
- sum of transaction
- object of transaction
Bank card data given during payment is directly provided for payment service provider, so Controller does not gain access to them.


8.5. Goal of forwarding data: Operating and managing online payment service appropriately, confirmation of transactions, operating fraud-monitoring to protect users’ interests. This is a system to reveal frauds related to online payment, supporting the control of bank transactions – and providing help through customer support service.


8.6. Controller does not forward information to third parties for business or marketing purposes.


8.7. Controller forwards information only to official bodies in accordance with legal requirements beyond the above mentioned cases.


9. Using data processing


Controller draws on the following businesses to process data.


9.1. Storage space service provider


9.1.1. Parties involved in data processing: Users visiting website, regardless of using services.


9.1.2. Controller uses
 

Wix.com Inc.
Tax no.: (EU VAT ID) - EU442008451
Seat: 500 Terry Francois Blvd., 6th Floor, San Francisco, CA 94158 USA
Postal address: 500 Terry Francois Blvd., 6th Floor, San Francisco, CA 94158 USA
Telephone: +1 415 358 0857
E-mail: abuse@wix.com
Website: https://www.wix.com/
as website storage place provider (Data Processor hereafter).


9.1.3. Defining the scope of data involved in data processing: this relates to all information mentioned in present policy.


9.1.4. Goal of data processing: To ensure functioning of website in an information technological way for Users who are involved.


9.1.5. Period of data processing: It correlates with processing periods indicated in this policy for processing with various objectives.


9.1.6. Processing data exclusively means to provide storage space necessary for the operation of website in an information technological way.


9.2. Data processing in relation with sending newsletters


9.2.1. Concerned parties: Users subscribing to newsletters, regardless of whether they use any other services.


9.2.2. Controller uses services of


Wix.com Inc.
Tax no.: (EU VAT ID) - EU442008451
Seat: 500 Terry Francois Blvd., 6th Floor, San Francisco, CA 94158 USA
Postal address: 500 Terry Francois Blvd., 6th Floor, San Francisco, CA 94158 USA
Telephone: +1 415 358 0857
E-mail: abuse@wix.com
Website: https://www.wix.com/
as company that has developed and operates the newsletter sending software that is used by Controller (Data Processor hereafter).


9.2.3. Definition of data to be processed: User’s name and e-mail address who subscribed for receiving newsletters.


9.2.4. Goal of data processing: to provide information technological conditions for sending newsletters by Controller, in processing apparent through technical operations necessary for operating the software safely.


9.2.5. Duration of processing: Controller handles information until User’s cancellation of consent (User unsubscribes), or until deleting data based on User’s request.


9.2.6. Processing data exclusively refers to technical operations to manage software about sending newsletters in an information technological way.


9.3. Data processing related to delivery company


9.3.1. Concerned parties: Users placing an order and asking for delivery.


9.3.2. Controller uses services of


GLS General Logistics Systems Hungary Csomag-Logisztikai Korlátolt Felelősségű Társaság
(GLS General Logistics Systems Hungary Parcel Logistics Company Limited GLS General Logistics Systems Hungary Co.Ltd.)
Short name: GLS General Logistics Systems Hungary Kft. Corporate registration number: 13-09-111755 Tax number: 12369410-2-44 Headquarters: Magyarország, 2351 Alsónémedi, GLS Európa u. 2. (Hungary, 2351 Alsónémedi, GLS 2 Európa Street) Postal address: Magyarország, 2351 Alsónémedi, GLS Európa u. 2. (Hungary, 2351 Alsónémedi, GLS 2 Európa Street) Telephone: +36 29 886 670 Fax: +36 29 886 610 E-mail: info@gls-hungary.com Website: https://gls-group.eu/HU/hu/home
as delivery company that delivers ordered products (Processor hereafter).


9.3.3. Controller uses services of


Magyar Posta Zártkörűen Működő Részvénytársaság
Short name: Magyar Posta Zrt.
Corporate registration number: 01-10-042463
Tax number: 10901232-2-44
Headquarters: Hungary 1138 Budapest, Dunavirág u. 2-6. (1138 Budapest, 2-6. Dunavirág Street)
Postal address: Hungary 1540 Budapest
Telephone: +36 1 767 8282
Fax: +36 46 320 136
E-mail: ugyfelszolgalat@posta.hu
Website: https://posta.hu
as delivery company that delivers ordered products (Processor hereafter).


9.3.4. Controller uses services of


UPS Magyarország Szállítmányozó Korlátolt Felelősségű Társaság
Short name: UPS Magyarország Kft.
Corporate registration number: 13-09-139285
Tax number: 22776082-2-13
Headquarters: Hungary 2220 Vecsés, Lőrinci út 154. Airport City Logistic Park G. ép. (2220 Vecsés, 154 Lőrinci Road, Airport City Logistic Park G. building)
Postal address: Hungary 2220 Vecsés, Lőrinci út 154. Airport City Logistic Park G. ép. (2220 Vecsés, 154 Lőrinci Road, Airport City Logistic Park G. building
Telephone: +36 1 877 0000
Fax: +36 1 877 0115
E-mail: upssaleshun@ups.com
Website: https://www.ups.com/hu/en/Home.page
as delivery company that delivers ordered products (Processor hereafter).


9.3.5. Controller uses services of


TNT Express Hungary Kft.
Short name: TNT Express Hungary Kft.
Corporate registration number: 01-09-068137
Tax number: 10376166-2-44
Headquarters: Hungary 1185 Budapest II. Logisztikai központ – Irodaépület, BUD Nemzetközi Repülőtér 283. ép
Postal address: Hungary 1185 Budapest II. Logisztikai központ – Irodaépület, BUD Nemzetközi Repülőtér 283. ép
Telephone: +36 29 886 670
Fax: +36 1 432 7117
E-mail: huheadoffice@tnt.com
Website: https://www.tnt.com/
as delivery company that delivers ordered products (Processor hereafter).
9.3.6. Scope of data affected by data management: in order to fulfill the contractual obligation (performing delivery) that comes from User’s order, data management affects the following data:
- surname
- first name
- e-mail address
- telephone number
- address of delivery.


9.3.7. Goal of processing: In order to fulfil the contract made when User places an order, the goal is to deliver the ordered product to an address indicated by User, checking delivery address and time if necessary on the phone.


9.4. Data processing serves no other purposes.


9.5. Controller does not draw on services of any other businesses except for the above mentioned companies.


10. User’s rights concerning data processing


10.1. Right to access: Controller gives information for User’s request about data being handled by itself and by Data Processor, their sources, goals of data processing, its legal basis, period, name and address of Data Processor, its activities related to data processing, consequences and effects of a possible data protection incident and actions done in order to avoid such cases, furthermore, in case of forwarding concerned person’s personal data, about the legal basis and addressee of data forwarding. Controller provides information without any unreasonable delay, within maximum one month after the arrival of the request.
Within the framework of the right to access, Controller provides User with a copy of personal data involved in processing, within maximum one month after the arrival of the request. For further demands from User, Controller calculates a reasonable fee based on administrative costs (see Chapter 11).


10.2. Right to portability of data: User has the right to get personal data about themselves in an articulate, widely used format, readable on devices, furthermore, has the right to forward these pieces of information to another Controller without the obstruction of Controller that has User’s data according to User’s consent, if:
a) processing is based on User’s consent or contract; and
b) processing is automatized.
Practising the right to portability of data, User has the right – if it is technically practicable – to ask Controllers to forward information between each other directly.


10.3. Right to correction: User has the right to ask for correction of their data, which Controller fulfills without any unreasonable delay, within maximum one month after the arrival of the request. Considering the goal of processing, User has the right to ask for completing their missing personal data – for example through an additional declaration.


10.4. Right to limitation of processing: Controller marks personal data in order to limit processing. User may ask for such limitation if one of the following cases occur:
a) User disputes accuracy of personal data, in this case limitation exceeds for the period that enables Controller to check the accuracy of personal data;
b) processing is illegal, and User objects against deleting their data and asks for limitation of use;
c) Controller does not need personal data for processing, however, concerned party lays claim to them in order to propose, realize or protect legal demands; or
d) User has objected to legal processing done by Controller; in such cases limitation exceeds over a period in which it becomes clear whether Controller’s legal interests dominate over concerned party’s legal interests.


10.5. Right to cancellation (right to “effacing”): Controller deletes information if:
a) personal data is no longer needed for reasons they were recorded, or were handled differently;
b) User withdraws their consent to processing, and there are no other legal bases for it;
c) User objects to processing and there are no prior rightful reasons for processing, or User objects to processing with direct sales objectives;
d) personal data was handled illegally;
e) personal data must be deleted to fulfil legal obligations claimed by European Union or member state laws;
f) User requests deletion or objects to processing, and data was recorded to offer services related to information technological society directly to children.
If Controller made personal data public – and according to cases mentioned above – has to erase them and must take reasonable steps, including technical ones – considering technology available and costs of realization – in order to
inform Controllers involved about User requesting their personal data and the links referring to them or copies of personal data to be deleted.
Controller informs User and all Controllers that are provided with information about the correction, limitation and deletion. Notification might be neglected if it seems to be impossible, or requires unreasonable efforts. Controller informs User on demand about these addressees.


10.6. Right to objection: User has the right to object to their data being managed rightfully by Controller at any time because of personal reasons, including profile creation based on mentioned actions. In such cases, Controller cannot handle personal information any longer, except when Controller proves that there are obligatory rightful reasons for processing, having priority over concerned person’s interests, rights and freedoms, or reasons that are related to proposal, enforcement or defence of legal demands.


11. Fulfilling of User’s requests


11.1. Controller offers notification and taking actions for free, as described in Point 10. If User’s request is obviously unfounded, or – especially for its repeated nature – exaggerated, Controller
a) might charge a reasonable price, or
b) might deny taking actions based on request,
considering data requested, or administrative costs of measures to be taken to fulfil request.


11.2. Controller informs User without any unreasonable delay, but maximum one month after receiving the request about actions that has been taken, including issuing copies of data. If necessary, considering the complexity of request and numbers of requests this deadline can be made longer with additional two months. Controller informs User about elongation of deadline together with indicating reasons of delay within one month after receiving the request. If concerned User sends their request electronically, Controller provides information electronically, except when concerned User asks for it in a different way.


11.3. If Controller does not take any steps as reaction to User’s request, without delay but within maximum of one month after receiving the request, Controller informs User about reasons why there have been no actions taken, and about the possibility of filing a complaint at Authority mentioned in Point 13 and can have the right to legal remedy described there as well.


11.4. User can hand in their request to Controller in any way that identifies them. Identifying Users who hand in a request is necessary because Controller can deal with only those requests that are entitled. If Controller has justified doubts about the identity of natural person handing in a request it can ask for other pieces of information to assure the identity of concerned User.


11.5. User can send their requests to Controller to the address 8/B. Egyenes Street, 3rd floor 46, Budapest 1144 Hungary (Magyarország, 1144 Budapest, Egyenes utca 8/B. 3. em. 46.) or to the e-mail address info@mybettershelf.com Controller considers requests sent in e-mail genuine only if it was sent from an e-mail address registered at Controller’s database. However, using another e-mail address does not mean in observance of such requests. Time of receiving e-mails is the first day after the e-mail was sent.


12. Data protection, data safety


12.1. Controller assures the safety of data and through technical and organizational actions, as well as internal rules of procedure ensures that laws and other data and secret protection rules are kept. Controller protects data especially against illegal access, change, forwarding, making public, deletion or effacement of data, moreover, it protects against accidental effacement and damage, as well as inaccessibility of data as a result of change in applied technology.


12.2. Data related to measuring number of visitors of the website and habits describing use of website are handled in Controller’s information technological system in a way that prevents Controller to link data to anyone, right from the beginning.


12.3. Processing takes place to reach articulated and legal goals described in present policy to a necessary and proportional degree, based on relevant laws and recommendations, keeping appropriate safety measures.


12.4. In order to achieve these, Controller uses “https” protocol to reach the website, through which web communication can be encrypted and individually identifiable. Controller stores information in encrypted data stocks on separate lists insulated from each other based on processing goals to which certain Controller employees – performing tasks indicated in present policy – have access to, who have to protect data and it is their responsibility to handle this policy and relevant laws in an appropriate manner.


13. Prosecution of rights


Concerned parties may practice their prosecution of rights based on Civil Code Act V of 2013 (Polgári Törvénykönyvről szóló 2013. évi V. törvény) and GDPR at a courthouse, and can turn to the National Authority for Data Protection and Freedom of Information:
Nemzeti Adatvédelmi és Információszabadság Hatóság
(National Authority for Data Protection and Freedom of Information)
Address: 9-11. Falk Miksa Street, Budapest 1055 Hungary (Magyarország, 1055 Budapest, Falk Miksa utca 9-11.) Postal address: P.O. Box 603 Budapest 1374 Hungary (Magyarország 1374 Budapest, pf.: 603.)
Telephone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu/
In case choosing a process involving a courthouse, the lawsuit – based on concerned User’s choice – can be initiated at the courthouse in concerned person’s residence or place of stay, as courthouses are competent in confiscation of such a lawsuit.

 

20th October 2020
Mybettershelf Kft.