External data protection rules and information on data processing
This external data protection rules and information on data processing (hereinafter as: Rules) is the inseparable annex of General Terms and Conditions (https://www.officeshoes.hu/tartalom-vasarlasi-tudnivalok/11#10, hereinafter as: GTC) according to Point 10 of the GTC.
I. General Provisions
I.1. For SHOEBOX Kereskedelmi Korlátolt Felelősségű Társaság (registered office: 1033 Budapest, Szőlőkert utca 9., tax no.: 12318847-2-41, contact: phone.: +36 1 453 70 30, e-mail: firstname.lastname@example.org, registration Court: Fővárosi Törvényszék, registration no.: 01 09 665913, NAIH-64278/2013, hereinafter as: Operator) a particularly important goal is to protect the personal data provided by visitors of the website www.officeshoes.hu (hereinafter as: Website) operated by Operator, the individuals who order and register on the Website, furthermore the visitors of the retail premises of Operator (hereinafter: Users) during their registration / order process / User’s digital information request / retail premises visit, as well as to ensure the Users’ right for informational self-determination, which is provided by Operator according to this Rules.
On the Website, a wide range of footwear is available for online shopping. The Operator manages and processes the data received when identifying the Users in order to execute the orders made by them. The Operator manages all the data which is considered as being personal and is uploaded by the Users during their visits of the Website or while using the Website’s services.
Operator provides its services and manages Users’ personal data in full compliance with the relevant effective regulations and ensures the Users’ security during their Website online session.
Operator manages and processes the personal data of the Users confidential in accordance with the effective legal requirements – in particular with the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information („Information Act”), as well as the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (27 April 2016; hereinafter as: GDPR) – ensures their security, takes all the necessary technical and organizational measures, furthermore establishes the procedural rules, which are necessary to comply with the relevant legal provisions and other recommendations.
I.2. This Rules summarize those principles, determine the policy and daily practice of Operator regarding the protection of personal data, as well as identifies the services, which require the Users personal data. Furthermore in this Rules Operator declares the purpose for the data procession and the way it uses this data, as well as how it ensures the safety and protection of the personal data.
I.3. While creating this Rules the Operator took into consideration the effective relevant regulation and the important international recommendations, namely:
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information;
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Act VI of 1998 on Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Strasbourg, 28 January 1981;
Act CXIX of 1995 on managing name and address data for the purposes of research and direct business acquisition
Act C of 2003 on electronic communications;
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities;
The recommendations and resolutions of the Data Protection Commissioner and the relevant data protection practice.
I.4. Upon the Users’ request Operator is ready in every case to provide full information on the personal data processed, the purpose, reason and duration of the processing, as well as on its activities relating to data processing.
The Operator processes and stores only the personal data which is required to asses and quantify the frequency of Website visits, to ensure the execution of the User’s right and Operators obligations, to communicate with Users, furthermore to execute business transaction with Users.
II. The main definitions and principles regarding managing personal data
II.1.1. Data management: shall mean any operation or set of operations that is performed with data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or making available otherwise, alignment or combination, blocking, erasure or destruction, and prevention of further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);
II.1.2. Disclosure by transmission: shall mean making data available to a specific third party;
II.1.3. Data manager: shall mean the natural or legal person, or unincorporated body which alone or jointly with others determines the purpose of the data processing, makes decisions regarding data processing (including about the means) and implements such decisions itself or engages a data processor to execute them;
II.1.4. Data subject: shall mean a natural person who has been identified with the help of his specific personal data, or who can be identified, directly or indirectly
II.1.5. ‘Personal data: shall mean any information relating to the data subject, in particular his name, identification number or to the details of his physical, physiological, mental, economic, cultural or social identity, as well as any reference which can be deducted from such information pertaining to the data subject;
II.1.6. Data protection incident: unlawful management or processing of personal data, especially unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as accidental deletion or damage.
II.1.7. Profiling: shall mean any form of automated processing of personal data which uses personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
II.1.8. Pseudonymization: shall mean the processing of personal data in such a way that this personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
II.2.1. Lawfulness, fairness and transparency
Personal data may be processed only for specified purposes, for the implementation of certain rights or obligations. The recording of personal data shall be done under the principle of lawfulness and fairness.
Personal data may be processed when the data subject has given his consent or when processing is necessary as determined by a law or by a local authority to serve the public interest (hereinafter as “mandatory processing”).
II.2.2. Purpose limitation
At all stages of the data management the purpose of processing and storing this data should correspond to the initial and lawful reasons of such data management.
II.2.3. Data minimization
The personal data managed must be essential and serving the purpose of the data management, as well as suitable to achieve that purpose.
The data manager shall carry out the measures in order to secure the accuracy (correctness) of the managed data.
II.2.5. Storage limitation
Personal data can be managed to the extent and for the duration necessary to achieve the purpose of data management.
Personal data shall be erased if the its management or processing is unlawful, if requested by the data subject, if it is incomplete or inaccurate and cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision, if the purpose of processing no longer exists or if the legal time limit for data storage has expired, if instructed so by a court decision or by National Authority for Data Protection and Freedom of Information (hereinafter as: NAIH).
II.2.6. Integrity and confidentiality
Data must be protected by appropriate means and measures against the unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as against damage and accidental loss. Operator needs to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes or modification of the applied technique.
If the User provides personal information to Operator, the latter shall take all the necessary steps to ensure the security of these data - both during network communication (i.e. online data management) and during storing the data (i.e. offline data management).
The data subject may request from the data manager i) information when its personal data has been processed, ii) the rectification of its personal data, and iii) the erasure or blocking of its personal data, with the exception of the cases of the mandatory processing.
II.2.8. Operator declares as a general principle, that every time it requests the Users’ personal information, the Users are entitled to decide freely whether or not to provide the requested information after reading and interpreting the obligatory notification. However, it should be clearly stated that if the User does not provide the personal information, that User will not be able to enjoy the Website’s service accessible only to registered users.
Operator respects the principles of data management and always aims to enforce.
III. The legal basis of the data management
Operator manages the data set out in Chapter V based on reference to the legal basis below.
III.1. The legal basis of the data management: Paragraph 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce activities and information society services and Article 6 Section (1) Point c) of GDPR (name, delivery address, billing address).
The legal basis of the data management Regarding Point IV.2.: the voluntary consent of the concerned person (Article 6. Section (1) Point a) of GDPR), the lawful interest of the User and Operator (Article 6. Section (1) Points d) and f) of GDPR; image and sound recording), contractual data management (Article 6 Section (1) Point b) of GDPR; name, delivery address, billing address), Paragraph 6. § (5) of Grt. (Article 6 Section (1) Point c) of GDPR, name, e-mail address), furthermore in case of User’s request for information by an e-mail - the Article 6. Section (1) Points b) and f) of GDPR (name, e-mail address).
The Operator declares that in the event of default the legal basis for data processing under Article 6 Section (1) Point b) of GDPR (contractual) is converted into the legal basis under Article 6 (1) (b) and (f) of the GDPR (lawful interest).
III.2. The Operator manages the data of the User set out at Point V.1. according to the Point 5. § (1) a) of the Information Act and on the basis of the voluntary consent of the concerned person (Article 6 Section (1) Point a) of GDPR) and contractual obligation (Article 6 Section (1) Point b) of GDPR; name, delivery address, billing address), furthermore in accordance of the provisions of Act CVIII of 2001 on certain issues of electronic commerce activities and information society services.
The User gives the consent personally or electronically by using the Website1 and by signing the Data Management Declaration / checking the box2 during the process of the registration/ making orders/ Users’ information request. The User is entitled to withdraw the consent anytime and at the same time to request the deletion of its data or to modify the contributed data. In case of the pending order the withdrawal of the consent is considered as the cancellation of the order, which should be communicated to Users by Operator together with the response to its request for data deletion as Article 6. Section (1) Point f) of GDPR provides that Operator is entitled to manage the data of User until parties do not settle the contractual obligation. According to the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the lawfulness of the data management in the past.
III.3. Operator manages the User’s personal data set out in Point V (image recordings) for the purposes related to quality assurance, security of property, prevention and investigation of crime in accordance with the Paragraph 6. § Section (1) Point b) of Information Act and Article 6 Section (1) Point f) of GDPR with the proportional limitation of the right to protect personal data in order to enforce the legitimate interests of Operator and third parties.
IV. The purpose of the data management
Operator manages and processes the data set out in Chapter V. in order to serve the following purposes:
IV.1. The purposes of the Data management: i) making orders (name, delivery address); ii) controlling the execution of the service (name, phone number, e-mail address); iii) preventing the abuses (name, phone number, e-mail address); iv) identification of Users and differentiating between them (name, date of birth, phone number, delivery address, billing address, e-mail address, user name, password); v) contact (name, phone number, e-mail address); vi) presenting statistics (pseudonymisation) vii) direct marketing (name, e-mail); viii) exercising rights regarding the legal relationship with users (clients) (name, billing address, phone number, e-mail address) ix) fulfilling the obligations (name, billing address, delivery address, date of birth, phone number, e-mail address); x) issuing invoices (name, billing address); xi) monitoring and recording consumer preferences in order to recommend customized Website’s advertisements to the Users (profiling: name and order data); xii) security of property, investigation and prevention of unlawful acts (image recording).
IV.2. The Users can give their consent personally or electronically by using the Website1 and signing up for the newsletter / checking the box2 during the process of the registration/ making orders/ User’s information request to contact them for the purpose of direct marketing or electronic advertisement (newsletter, e-mail, SMS, etc.) using the provided contacts. The consent can be withdrawn anytime without any charges, limitations and justification, furthermore the consent can be withdrawn in a way which is set out in the electronic advertisement. The consent can be also withdrawn via a declaration posted to the registered office of the Operator. In the case of pending order the withdrawal of the consent set out in this Point (regarding the newsletters) does not affect the execution of the order. According to the Article 7. Section (3) and the Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the lawfulness of the data management and processing in the past.
IV.3. In every case when Operator intends to use the provided personal data for other purposes than the original purpose of the recording he needs to inform the User and receive his prior direct consent, furthermore to provide the User a possibility to prohibit the use of his personal data.
V. The subject of the data management
V.1. Placing orders on the Website does not require a registration. Depending on the needs of the Users there are two levels of how to use the Website and where the following data – based on legal requirement described in Point III. and Point IV.1. - are necessary to provide:
V.2. For not registered users:
Date of birth
Personal portrayal (image capture) – if necessary
The scope of the managed and processed data is determined by the certification of the legal capacity of the User (date of birth) the execution of the order (name, delivery address), the contact (name, phone number, e-mail) and the issuing the invoice (name, billing address).
V.3. For registered users:
Date of birth
Personal portrayal (image capture) – if necessary
The scope of the managed data is determined by the certification of the legal capacity of the User (date of birth) the execution of the order (name, delivery address), the contact (name, phone number, e-mail) and the issuing the invoice (name, billing address).
V.4. Providing the personal data is based on legal provisions and contractual obligations, it is the prior condition of concluding the agreement in respect of the order. The user shall provide his personal data if he intends to shop online. The lack of data makes the ordering online impossible.
V.5. Users under age of 16
To manage and process the personal data of users under the age of 16 as well as to get their legal declarations the prior parental consent is necessary.
The User under the age of 16 needs to have his parent or legal representative provided his consent for to the order.
V.6. The Operator does not collect sensitive data under any circumstances, which refers to personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs, health, pathological addictions, or criminal record.
V.7. The personal and other data provided by Users is not combined with or linked to other data or information from other sources by Operator.
V.8. The Operator performs camera recording in the retail premises for security, crime detection and crime prevention purposes, which is stored for up to 30 business days. Regarding the fact of the image recording the User is warned by Operator by a sign placed at visible place in the retail premises. User consents to the recording of the image by entering to the business premises and by signing the Data Management Declaration / checking the box3. If the User does not consent to the image recording according to Point III.3 User can make online orders and use other customer service (chat, e-mail). Otherwise the legal basis for the data management and processing is Article 6 Section (1) Points d) and f) of GDPR.
V.9. A few data of the User, like IP address, other traffic data, and behavioral data are recorded in order to quantify the number of visitors of the Website and to identify the potential errors and incidents that may occur. These data are managed by Operator only for the necessary time-frame and are not linked to those data which are required to check the identity of the User (pseudonymisation). The managing and processing of the data can be performed on third-parties’ servers.
VI. The duration of the data management
VI.1. The duration of the data management:
VI.1.1. In case of not registered users (see V.1.1) - 3 years starting from the achievement of the data management goal (delivery of the order, issuing an invoice) or to the date determined by law.
The billing information (name, billing address) are retained for 8 years starting from the issue of the invoice according to the 169. § (2) of accounting act.
VI.1.2. In case of registered users (see V.1.2) 3 years stating from the deletion of the profile or execution of the last order in case if the order was placed prior to the deletion which was not delivered before the date of the deletion for the date set out in Point VI.1.1.
The billing information (name, billing address) are retained for 8 years starting from the issue of the invoice according to the 169. § (2) of the accounting act.
VI.1.3. Regarding the image recordings at Operator’s retail premises in accordance with the Point V.6., the duration of the data management and processing is 30 days. If the storage of the recordings is not necessary during this period, the recordings will be automatically deleted. If justified (for example if it becomes aware that the content might be used as an evidence in official proceeding) Operator processes the image capture until the achievement of the goal (pending final decision).
VI.2. User is entitled to withdraw the consent to the data processing and management and to request the deletion of his data or to modify his data. In case of the pending order the withdrawal of consent to data management is considered as cancellation of the order which fact is brought to Users attention by Operator as according to Article 6. Section (1) Point f) of GDPR Operator is entitled to manage the data of User until parties do not restore the original state. According to the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the lawfulness of the data management in the past.
VI.3. If personal data were recorded based on the User’s consent, the Operator shall - unless otherwise provided for by law - be able to process the data recorded where this is necessary:
a) for compliance with a legal obligation pertaining to the Operator, or
b) for the purposes of legitimate interests pursued by the Operator or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data,
without the data subject’s further consent, or after the data subject having withdrawn his consent.
VII. Exercising the rights of the data subject
VII.1. In case if any User in accordance with Point VII.2., requests the Operator to delete his personal data from the registry, Operator performs this deletion of the data provided by User in the past without any delay.
VII.2. The request to delete the data / to be forgotten can be filed in electronic way via the e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises of the Operator. The orally communicated requests to delete the data / to be forgotten shall be confirmed by Operator via e-mail.
In case of the request to delete the information (withdrawal of the consent to data management) the data stored by the Operator cannot be managed and processed starting from the day when the request was received.
In case of the request to be forgotten the Operator shall delete from the registry all the links to the lawfully processed data which were provided prior to receiving the request, the profile of the User and his automatic decisions.
VII.3. If there were changes in the data provided in the past, the User is entitled to request the modification of his data in the database. The request for modification can be filed in electronic way via the e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises of the Operator. The orally communicated requests for data modifications shall be confirmed by Operator via e-mail.
VII.4. Personal data shall be blocked instead of deletion by Operator if so requested by the User, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the User. Blocked data shall be processed only for the purpose which prevented its erasure. Restricted data may be handled only with the consent of the User or for the submission, validation or protection of legal claims, or the protection of other rights of a natural or legal person, or in the public interest (Right to Restriction of Data Management).
VII.5. If the Operator refuses to comply with the User’s request for rectification, blocking or deletion, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within the 25 days starting from the request. If rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or filing a complaint with the authority.
VII.6. The User shall have the right to object the processing and management of the related data:
a) if processing or disclosure is carried out solely for the purpose of discharging the Operators’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;
b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
c) in all other cases prescribed by law.
In the event of a User's objection, the Operator shall not be entitled to further data management unless it proves that data management is justified by compelling legitimate reasons that prevail over the interests and rights of the User or are related to the submission, validation or protection of legal claims.
Regarding the data managed on the legal basis of Article 6. Paragraph (1) Points d) and f) (lawful interest) instead of request to delete the data / to be forgotten User is entitled to object the processing and management of its data.
In the event of objection, the Operator shall investigate the cause of objection within the shortest possible time inside a 15 days timeframe, make a decision if to satisfy the objection and notify the User in writing of its decision.
VII.7. Users are entitled to request for information regarding the management of their personal data. The request for information can be filed in electronic way via the e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises. The orally communicated requests for information shall be confirmed by Operator via an e-mail.
Upon the User’s request the Operator shall provide him the information about the data regarding him, the sources from where they were obtained, the purpose, grounds and duration of the management, the name and address of the recipients and every activity regarding the data management.
Operator shall respond to the requests for information without any delay, and provide the information requested in an intelligible form in a suitable for the User format as early as possible but not later than in 30 days.
The information regarding the concerned person shall be provided free of charge for any category of data once a year. Additional information concerning the same category of data may be subject to a charge. The amount of such charge may be fixed in an agreement between the parties. If any payment is made in connection with the data that was processed unlawfully by Operator, or if the request led to rectification, the payment shall be refunded.
The Operator may refuse to provide information to the data subject in the cases defined by Information Act. If the provision of information is refused, the Operator shall inform the User in writing about the legal reasons for refusal. If the provision of information is refused, the Operator shall inform the data subject about the possibilities for seeking judicial remedy or filing a complaint with the National Authority for Data Protection and Freedom of Information. Operator shall notify the Authority about refused requests once a year, by 31 January of the following year.
VII.8. Data portability
According to 20. § of GDPR the User shall have the right to receive the provided data regarding him in a structured, commonly used and machine-readable format and have the right to transmit those data to another data processor.
In exercising his or her right to data portability in accordance with the paragraph 1, the User shall have the right to transmit his personal data to another data processor, if it is technically feasible.
The request about data portability can be filed in electronic way via an e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises. The orally communicated requests about data portability shall be confirmed by Operator via the e-mail.
If the Operator refuses to comply with the User’s request on data portability, the factual or legal reasons behind the decision for refusing the request shall be communicated in writing within the 30 days starting from the receipt of the request. Where portability is refused, the data controller shall inform the data subject about the possibilities for seeking judicial remedy or filing a complaint with the authority.
User is not entitled to the data portability for the data managed on the legal basis of Article 6. Paragraph (1) Points d) and f) (lawful interest).