1. Name of the Data Controller
Company Name | Keleti Real Hospitality and Arts Service Limited Liability Company |
---|---|
Address | 1182 Budapest, Üllői út 789. |
hello@madhousebudapest.hu |
2. Purpose, Legal Basis, and Retention Period of Data Processing
Purpose of Data Processing | Processed Data | Legal Basis | Retention Period |
---|---|---|---|
Registration | Name, email address, billing address, billing name, shipping address, shipping name, phone number, date of birth, login details (username and password). | Consent of the data subject. [GDPR Article 6 (1)(a)] | Until the registration is active or until the consent is withdrawn (request for deletion). |
Order Fulfillment | Name, email address, date of birth; order details (e.g., quantity of ordered products, payment information) | Performance of the contract [GDPR Article 6 (1)(b)] | For five years following the fulfillment, as the general limitation period under civil law. |
Invoicing | Billing name, billing address, tax status | Compliance with a legal obligation [GDPR Article 6 (1)(c)] | Data is processed to meet tax (five years) and accounting (eight years) obligations. |
Delivery | Shipping name, shipping address, email address, phone number | Consent of the data subject. [GDPR Article 6 (1)(a)] | Contracts are retained for five years following their termination, as the general limitation period under civil law. |
Complaint Handling | Unique identifier of the complaint, consumer’s name, address, place and time of complaint, mode of complaint, list of documents and evidence submitted by the consumer, description of the complaint | Compliance with a legal obligation [GDPR Article 6 (1)(c)] | Complaints are retained for five years as per the Consumer Protection Act. |
Marketing Communication | Personal data you provide when contacting us in connection with the webshop, such as via phone, email, or postal mail, or when communicating with us through social media. | Consent of the data subject. [GDPR Article 6 (1)(a)] | Until the consent is withdrawn. |
Remarketing | Data processed by cookies as specified in the Cookie Policy. | Consent of the data subject. [GDPR Article 6 (1)(a)] | Detailed information can be found in the general data management information available here. |
Note: Registration is not a prerequisite for purchasing in the webshop, but we are obliged to verify your age in any case.
Note: Withdrawal of consent does not affect the legality of data processing based on consent before its withdrawal.
3. Source and Scope of Processed Personal Data
The Data Controller does not process personal data that is not collected directly from the data subject.
4. Recipients and Categories of Recipients of Personal Data
For the provision of our services, it is essential to cooperate with other organizations, with whom we share certain data:
Service | Provider | Details |
---|---|---|
Technology Services | Netwerk Media Developer and Service Limited Liability Company | Responsible for the development and maintenance of our site, and operation of IT systems necessary for the website. Tax number: 22776721241, Company registration number: 01 09 943073. |
Data Storage Services | Tárhely.eu Ltd. | Web hosting provider (1132 Budapest, Victor Hugo u. 18-22.). |
Payment Processing | Barion Payment Ltd. | Online card payments are processed through Barion. Card data is not accessible to the merchant. Barion Payment Ltd. is supervised by the Hungarian National Bank, license number: H-EN-I-1064/2013. |
Delivery Services | Magyar Posta Zrt. | Provides our delivery services. |
We only share personal data with these organizations that are essential for their services.
Beyond this, laws or public authorities may require us to share personal data.
5. Data Security
The Data Controller ensures the security of the personal data processed, considering the state of the art, implementation costs, nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.
The Data Controller takes technical and organizational measures and develops procedural rules to ensure the protection of processed data and prevent their destruction, unauthorized use, and unauthorized alteration.
Only the Data Controller and its employees, and the data processors it employs, may access the data according to their authorization levels, and data will not be shared with third parties not authorized to access it.
6. Rights of the Data Subject Regarding Data Processing
6.1 Deadlines
The Data Controller will fulfill the data subject’s request to exercise their rights within one month of receipt. The day of receipt is not included in the deadline.
If necessary, considering the complexity and number of requests, the Data Controller may extend this deadline by an additional two months. The data subject will be informed of the reasons for the delay within one month of receipt of the request.
6.2 Data Subject Rights
6.2.1 Right of Access
The data subject has the right to request information from the Data Controller about whether their personal data is being processed and, if so, to know:
- What personal data is being processed, on what legal basis, for what purpose, and for how long;
- To whom, when, under what legal basis, and which personal data has been made accessible or transferred;
- The source of the personal data;
- Whether the Data Controller uses automated decision-making, including profiling.
The Data Controller provides a copy of the personal data undergoing processing upon request. The first copy is free, and a reasonable fee may be charged for additional copies.
To ensure data security and the protection of the data subject’s rights, the Data Controller must verify the identity of the data subject and the person wishing to exercise the right of access.
6.2.2 Right to Rectification
The data subject can request the Data Controller to modify any of their personal data. If the data subject credibly proves the accuracy of the rectified data, the Data Controller will fulfill the request within one month and inform the data subject accordingly.
6.2.3 Right to Restriction of Processing
The data subject can request the Data Controller to restrict the processing of their personal data if:
- The accuracy of the personal data is contested (the restriction applies for the period needed to verify the data’s accuracy);
- The processing is unlawful, and the data subject opposes the erasure of the data and requests restriction instead;
- The Data Controller no longer needs the personal data for processing, but the data subject requires it for legal claims; or
- The data subject has objected to processing (the restriction applies until it is determined whether the Data Controller’s legitimate grounds override those of the data subject).
6.2.4 Right to Object
The data subject does not have the right to object to processing if the processing is based on the legal basis described in this notice.
6.2.5 Right to Erasure
The data subject can request the Data Controller to delete their personal data without undue delay if there is no other legal basis for the processing.
6.2.6 Right to Data Portability
The data subject has the right to receive their personal data provided to the Data Controller in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance from the Data Controller.
7. Right to Legal Remedy
If the data subject believes that the Data Controller has violated their privacy rights, they can:
- Lodge a complaint with the National Authority for Data Protection and Freedom of Information (Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Postal address: 1530 Budapest, Pf.: 5. Email: ugyfelszolgalat@naih.hu, Website: www.naih.hu); or
- Take legal action to protect their data. They can choose to submit their case to the court competent for their residence (permanent address) or place of stay (temporary address), or to the court of jurisdiction based on the Authority’s headquarters. The court competent for residence or place of stay can be found at http://birosag.hu/ugyfelkapcsolatiportal/birosag-kereso. The court of jurisdiction based on the Authority’s headquarters is the Metropolitan Court of Budapest.