Privacy Policy

Date of entry into force: June 12, 2022

  • Introduction 

Gábor Hajdu sole proprietor (registered seat: 1022 Budapest, Bimbó út 24. ground floor 3; registration number: 76912571; tax number: 58389324-1-41) (the “Data Controller”), who provides services on the website www.gaborsmandalas.com and in other ways, acknowledges as Data Controller that the content of this Privacy Policy is binding on him.

The personal data of the user using the services of the Data Controller (“Data Subject”) are managed by the Data Controller. The Data Controller undertakes that the data management related to the services provided on the website and in other ways complies with the applicable legislation and the requirements set forth in this Privacy Policy. The Data Controller reserves the right to unilaterally amend this Privacy Policy. In this regard, it is recommended that you visit https://www.gaborsmandalas.com regularly to keep abreast of the changes. The current content of the Privacy Policy can be viewed and saved here at any time. If the e-mail address of the Data Subject is available to us, we will send you an e-mail notification of the changes upon request.

By providing the given personal data, the Data Subject declares that he/she has read and expressly accepted the version of this Privacy Policy in force at the time of providing the data.

The requirements set out in the Privacy Policy are in accordance with the applicable data protection legislation:

  • Fundamental Law of Hungary (Freedoms and Responsibilities, Article VI);
  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information („Privacy Act”);
  • Act V of 2013 on the Civil Code.

  • Data of the Data Controller

Name: Gábor Hajdu sole proprietor

Seat: 1022 Budapest, Bimbó út 24. ground floor 3

Contact details of the Data Controller through which the Data Subject shall exercise the rights included in this Privacy Policy:

E-mail: info@gaborsmandalas.com  

Phone: +36 30 626 6605

Website: www.gaborsmandalas.com 

The Data Controller according to Article 37 (1) of the GDPR and the Article L. (1) of the Privacy Act is not obliged to appoint a data protection officer.

  2. Basic definitions of data protection

2.1. Personal data:

Data that can be linked to any specific (identified or identifiable) natural person (the “Data Subject”), a conclusion that can be drawn from the data about the data subject. Personal data retains this quality during data processing as long as its connection with the data subject can be restored. In particular, a person shall be deemed to be identifiable if he or she can be identified, directly or indirectly, by reference to name, identification mark or one or more factors specific to physical, physiological, mental, economic, cultural or social identity;

2.2. Consent:

Voluntary and firm expression of the data subject’s wish, based on adequate information and giving his or her unambiguous consent to the processing of personal data concerning him or her, in full or in part;

2.3. Right to object:

A statement by the data subject objecting to the data management of his/her personal data and requesting the termination of the data management or the deletion of the managed data.

2.4. Data Controller:

A natural or legal person, or an organization without legal personality, which determines the purpose of the processing of personal data, makes and implements decisions on the processing of data (including the means used) or with a data controller entrusted by it.

2.5. Data management:

Irrespective of the procedure used, any operation or set of operations on personal data, such as collecting, recording, organizing, storing, altering, using, transmitting, disclosing, reconciling or linking, locking, deleting and destroying and preventing its further use. Data management also includes the taking of photographs, sound or videos, as well as the recording of physical characteristics that can be used to identify a person (e.g. fingerprint or palm print, DNA sample, iris image).

2.6. Data transfer:

If the data is made available to a specific third party.

2.7. Making public:

If the data is made available to anyone.

2.8. Data erasure:

Making data unrecognizable in such a way that it is no longer possible to recover it.

2.9. Data locking:

Making it impossible for the data to be transmitted, accessed, disclosed, transformed, altered, destroyed, deleted, linked or coordinated and used, permanently or for a definite period of time.

2.10. Data destroying:

Complete physical destruction of the data or the data carrier containing them.

2.11. Data processing:

Perform technical tasks related to data management operations, regardless of the method and means used to perform the operations and the place of application.

2.12. Data processor:

A natural or legal person or an organization without legal personality who processes personal data on behalf of the data controller, including a commission based on the provisions of the law.

2.13. Third party:

A natural or legal person or an organization without legal personality which is not identical to the data subject, the data controller or the data processor.

2.14. EEA Member State:

A member state of the European Union and another state member to the Agreement on the European Economic Area and a state of which citizen is under the same status as the citizen of a state member to the European Community and its member states and citizen to a state which signed an international agreement concluded with a state not party to the Agreement on the European Economic Area.

2.15. Third country:

Any non-EEA state.

  3. Principles of data protection

Personal data:

  1. shall be processed lawfully and fairly and in a manner that is transparent to the data subject („lawfulness, fairness and transparency”);
  2. shall be collected only for specified, explicit and legitimate purposes and not be treated in a way incompatible with those purposes; further processing for data purposes for archiving in the public interest, for scientific and historical research purposes or for statistical purposes („purpose limitation”) shall not be considered incompatible with the original purpose in accordance with Article 89 (1) of the GDPR;
  3. must be appropriate, relevant and limited to what is necessary for the purposes of the processing („data minimisation”);
  4. shall be accurate and, where necessary, kept up to date; all reasonable measures shall be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or corrected without delay („accuracy”);
  5. must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data shall be stored for a longer period only if the personal data are processed for archiving in the public interest, for scientific and historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR, and subject to the implementation of appropriate technical and organizational measures to protect their freedoms in accordance with the rights of data subjects in this regulation („storage limitation”);
  6. processing must be carried out in such a way using appropriate technical or organizational measures as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to personal data („integrity and confidentiality”).

The data controller is responsible for complying with the above and must be able to demonstrate such compliance („accountability”). The Data Controller does not collect personal data about minors.

  4. The detailed rules of the data management

In all cases, all personal data processed by the Data Controller is collected directly from the Data Subject. Accordingly, the Data Controller stores in its databases, and uses for the purposes specified in this Privacy Policy, only the personal data which the Data Subjects themselves have made available to the Data Controller. The Data Controller does not collect personal data from publicly available databases or other sources, nor does the Data Controller obtain personal data through the transfer of data to third parties.

Scope of data access:

  • the staff of the Data Controller;
  • the staff of the Data Processors defined below
  • concerning certain authorities with regard to data requested by them during official proceedings and data given by the Data Controller based on the provisions of law
  • other persons with the expressed consent of the Data Subject.

Data Controller undertakes a strict obligation of confidentiality with regard to the personal data managed by it without any time limitation, and may not disclose them to third parties, except with the consent of the Data Subject. 

Withdrawal of consent shall not affect the lawfulness of previous data management.

4.1. Data management related to product ordering

Data Subjects, as they cannot register in the web store, can only place an order without registration.

4.1.1 Scope of data processed and purpose of data management:

  • Full name: the name of the Data Subject is essential for the conclusion and performance of the contract for the sale of the product
  • Home address and billing address: the Data Subject’s address is essential for the conclusion and performance of the contract for the sale of the product, the Data Subject’s billing address is essential for the issuance of an invoice according to the accounting rules
  • E-mail address: for the purpose of communication between the Data Controller and the Data Subject
  • Cell phone number: in case of delivery of the ordered product, it is used for the purpose of contact between the shipping company and the Data Subject 
  • Shipping Address: Required to ship the ordered product to the requested address

We would like to inform you that we will process the above personal data for the purpose of providing you with information on the use of the service provided by the Data Controller as a service provider, including confirming the receipt, recording and start of processing of the order in the web store, and informing you about the status of order processing (including the expected date of delivery).

Please note that we will also process the information listed above for the purpose of initiating legal proceedings to enforce our contractual purchase price claim in the absence of any voluntary performance by you. The legal basis for the processing of the data for this purpose is the legitimate interest of the Data Controller as a service provider to enforce its claim against you. We would also like to inform you that if we have a claim against you under the contract resulting from the purchase in the online store, the personal data processed for claims management purposes in order to initiate the claim may be passed on to third parties (legal representatives) involved.

Please note that if you do not provide us with the personal data listed above or only partially, we will not be able to enter into a contract with you due to a lack of basic information required to perform the contract.

4.1.2 Legal basis for data management

The legal basis for data processing is the performance of the contract (Article 6 (1) (b) of GDPR). 

4.1.3 Duration of data management

After the termination of the relationship with the Data Subject, the data shall be deleted after 5 years, based on Section 6:22 of the Civil Code. If we are required to retain the data pursuant to Section 169 of Act C of 2000 on Accounting (“Accounting Act”), the data will be deleted 8 years after the termination of the relationship with the Data Subject. In practice, this can happen if the data are part of the supporting documents for the accounting, for example in the contract documents (where applicable in the contract itself) or on the invoice issued.

4.2. Data processing related to the essential working process (session-id) placed on our website and cookies

4.2.1 Scope of data processed and purpose of data management:

By visiting www.gaborsmandalas.com or any of its sub-pages and browsing the content of this page, you agree to the following terms and conditions, even if you do not place an order.

Some services of the Data Controller place unique identifiers, so-called cookies, on the computer of the Data Subjects (users). These only cover the identification of the visitor’s current session, the storage of the data provided, the prevention of data loss, and the anonymous analysis of the Data Subject’s habits using Google Analytics. Such information may include the visitor’s IP address, the time and duration of the visit, the pages visited, the type of browser, the operating system, and so on. This data will be stored, kept confidential and used only for the further development of the www.gaborsmandalas.com website and for the making of statistics.

4.2.2 Legal basis for data management

The legal basis for data processing is the consent of the Data Subject. The visitor can confirm the use of cookies by clicking on the „I accept” button in the pop-up window that appears on the website of www.gaborsmandalas.com. 

 

4.2.3 Duration of data management

A cookie lasts until the moment you leave the website of www.gaborsmandalas.com. 

4.2.4 The cookie data processing rights of the Data Subject

It is possible to delete the cookie at any time in the Data Subject’s browser.

  5. Persons authorized to process data

The Data Controller uses the data processors listed in the table below to perform technical tasks related to data management operations. The rights and obligations of the data processor in relation to the processing of personal data are defined by the Data Controller within the framework of the GDPR and the separate laws on data processing. The Data Controller is responsible for the legality of the instructions given by him. The data processor may not make a substantive decision concerning data processing, may process personal data obtained only in accordance with the provisions of the Data Controller, may not process data for its own purposes, and is obliged to store and retain personal data in accordance with the Data Controller’s provisions.

 

| Name and contact details of the data processor | Personal data obtained by the data controller and the activity performed during the data processing |
| --- | --- |
| Lotte Kft., shipping partner to Hungary and Europe | Personal data provided by the Data Subject. It has access to the delivery address, name, e-mail address and telephone number of the Data Subject managed by the Data Controller in accordance with this Privacy Policy. Its task is to deliver the products based on the delivery data provided by the Data Controller. |
| Marketing Astro Kft., website and web store partner | Personal data provided by the Data Subject. It has access to all data managed by the Data Controller pursuant to this Privacy Policy. Its task is to maintain the website and the web store, to ensure its continuous operation. |
| Pigmenta Art Kft., pick-up point | Personal data provided by the Data Subject. It has access to all data managed by the Data Controller pursuant to this Privacy Policy. It is responsible for printing, packaging and handing over the product to the shipping partner with the necessary accompanying documents (invoice, documents required for customs clearance). |
| FedEx Corporate Services, Inc., as shipping partner to non-European countries | Personal data provided by the Data Subject. It has access to the delivery address, name, e-mail address and telephone number of the Data Subject managed by the Data Controller in accordance with this Privacy Policy. Its task is to deliver the products based on the delivery data provided by the Data Controller. |

  6. External payment service providers

6.1. Credit card payment is provided by Stripe Inc. with headquarters in Ireland-US as a two-centered financial services company. Data to be provided to Stripe Inc.: last name, first name, card number, card expiration date, card security code. Stripe Inc. operates with the data as a stand-alone data controller, and its activities are completely separate from those of the Data Controller. The purpose of the data transfer is to pay the purchase price of products with credit cards authorized for online payment, to verify transactions and to perform fraud protection in order to protect users. Stripe Inc. privacy policy is available at https://stripe.com/en-us/privacy  

6.2. Information on the data management of the payment method provided by PayPal can be found here: https://www.paypal.com/en/webapps/mpp/ua/privacy-full

6.3. In case of online payment, after providing the data requested during the order, the customer will be transferred from the payment preparation page of the web store to the secure payment page of Raiffeisen Bank Zrt. and PayPal, where the card data required for payment must be provided. The Data Controller is not aware of the data content of these payment sites, as they are independent from it and protected Internet sites. 

  7. Data security measures

In connection with the personal data provided by the Data Subject, the Data Controller shall comply with the “2016/679 Decree of the European Parliament” and the “Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information”.

 

Data Controller shall take all necessary measures to ensure the security of the data, ensuring an adequate level of protection against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction and damage. The Data Controller ensures the security of the data with appropriate technical (e.g. logical protection, especially encryption of passwords and communication channels) and organizational measures (physical protection, especially data security training of the Data Controller’s employees, restriction of access to information).

  8. Rights of data subjects in relation to data processing

The data protection rights and remedies of the Data Subject and the relevant provisions and limitations are set out in detail in the GDPR (in particular in Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the GDPR). The most important provisions are summarized below.

8.1 Right of access of the Data Subject

The Data Subject has the right to receive feedback on whether the processing of his / her personal data is in progress. If such data processing is in progress, the Data Subject shall have the right to access personal data and the following information:

  1. the purposes of data management;
  2. categories of personal data of the Data Subject;
  3. the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular third country recipients or international organizations;
  4. where applicable, the intended period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
  5. the right of the Data Subject to request the correction, erasure or restriction of the processing of personal data concerning the Data Subject and to object against processing of such personal data;
  6. the right to address a complaint to a supervisory authority; and
  7. if the data were not collected from the Data Subject, all available information on their source;
  8. the fact of the automated decision-making, including profiling, and at least in such cases, comprehensible information on the logic used and the significance and probable consequences of such data processing for the Data Subject.

If personal data are transferred to a third country, the Data Subject is entitled to be informed of the appropriate guarantees regarding the transfer.

 

A copy of the personal data that is the subject of data processing will be made available to the Data Subject. If the Data Subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless otherwise requested by the Data Subject.

8.2 Right to amend

The Data Subject has the right to correct inaccurate personal data about the Data Subject without undue delay upon request. The Data Subject has the right to request the completion of incomplete personal data, inter alia by means of giving additional statement.

8.3 Right of erasure („right to be forgotten”)

8.3.1 The Data Subject shall have the right to delete personal data concerning the Data Subject without undue delay upon request, if any of the following reasons exist:

  1. Personal data is no longer required for the purpose for which it was collected or otherwise processed;
  2. Data Subject shall withdraw the consent on which the data processing is based and there is no other legal basis for the data processing;
  3. Data Subject objects against the processing of the data and where applicable, there is no overriding legitimate reason for the processing;
  4. Personal data has been processed unlawfully;
  5. Personal data must be deleted in order to comply with the legal obligation under the applicable European Union or member state law; 
  6. Personal data was collected in connection with the provision of information society services.

8.3.2 If the Data Controller has disclosed personal data and is required to delete it pursuant to Section 8.3.1, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the data controllers that the Data Subject has requested that the links to the personal data in question or a copy or duplicate of the personal data in question be deleted.

8.3.3 Sections 8.3.1 and 8.3.2 do not apply if data processing is required, inter alia:

  1. for the purpose of exercising the right to freedom of expression and information;
  2. in order to comply with the obligation under EU or member state law to process personal data;
  3. for archiving purposes for the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in paragraph 1 would be likely to make such processing impossible or seriously jeopardize it; or
  4. to submit, enforce or defend legal claims.

8.4 Right to restrict data processing

The Data Subject has the right to restrict the processing of data upon request if one of the following is fulfilled:

  1. Data Subject disputes the accuracy of the personal data, in which case the restriction applies to the period of time that allows us to verify the accuracy of the personal data;
  2. the processing is unlawful and the Data Subject objects against the deletion of the data and instead requests that their use be restricted; 
  3. we no longer need personal data for the purpose of data processing, but the Data Subject requests it in order to submit, enforce or protect legal claims; or
  4. Data Subject protested against the data processing; in this case, the restriction shall apply for the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the Data Subject.

If the processing is subjected to a restriction under this point, such personal data may be managed only with the consent of the data subject or for the purpose of claiming, enforcing or protecting legal claims or protecting the rights of another natural or legal person or important public interest of the European Union or any of its member states.

We will inform the Data Subject in advance about the end of the data processing restriction.

8.5 Obligation of notification about the correction or erasure of personal data or the restriction of data processing 

The Data Controller shall inform all recipients to whom the personal data have been communicated about any correction, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort. At the request of the Data Subject, we will inform the Data Subject about these recipients.

8.6 The right to data portability

Data Subject is entitled to receive the personal data concerning Data Subject provided to us in a structured, widely used, machine-readable format, and is entitled to transfer this data to another data controller without the Data Controller’s obstruction, if:

  1. the data processing is based on consent or contract; and
  2. data management is automated.

In exercising the right to data portability under this section, the Data Subject shall have the right, if technically possible, to request the direct transfer of personal data between data controllers.

 

8.7 Right to object

Data Subject has the right to object at any time for reasons related to his or her situation to the processing of his or her personal data based on a legitimate interest, including profiling. In this case, the personal data will not be further processed unless it is proved that the processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the Data Subject or which relate to the submission, enforcement or protection of legal claims.

 

If the managing of personal data is for the purpose of direct business acquisition, the Data Subject has the right to object at any time about the managing of personal data concerning the Data Subject for this purpose, including profiling, if it is related to the direct business acquisition. 

If the Data Subject objects against the processing of personal data for the purpose of direct business acquisition, the personal data may no longer be processed for this purpose.

In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may also exercise the right to object by automated means based on technical specifications.

 

If personal data are processed for scientific and historical research or statistical purposes, the Data Subject has the right to object to the processing of personal data concerning the Data Subject for reasons related to his or her own situation, unless the processing is necessary for the performance of a task for the public interest.


  9. Legal remedy

9.1. The Data Subject may enforce its rights in court under the GDPR and the Civil Code, as well as with the National Data Protection and Freedom of Information Authority (NAIH) (https://www.naih.hu; 1055 Budapest, Falk Miksa u. 9-11; mailing address: 1363 Budapest, Pf.: 9; phone: +36 1 391 1400; e-mail: ugyfelszolgalat@naih.hu) in case of a complaint arising in connection with the data management practice of the Data Controller. The detailed rights and remedies related to data processing are detailed in Articles 77, 79 and 82 of the GDPR.

9.2. If you do not agree with the decision of the NAIH, or if the NAIH does not investigate your complaint within the time limit or inform you within 3 months of the progress of the proceedings or the outcome thereof, you can appeal to the court competent at the NAIH’s seat, the Budapest-Capital Regional Court (address: 1055 Budapest, Markó u. 27.).

9.3. If, according to your view, our Company has violated your rights to process your personal data by handling your data improperly, you may apply to the Budapest-Capital Regional Court (address: 1055 Budapest, Markó u. 27.) or initiate proceedings before the court competent at your place of residence or stay.

  10. Handling of privacy incidents

10.1. Data protection incident: a breach of data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized transfer or disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled.

10.2. We inform those who are concerned that despite the data security measures put in place by the Data Controller and in place throughout the process of processing personal data, there may be unfortunate incidents that could compromise the data processed and stored.

10.3. In the case of an incident involving personal data, the Data Controller shall report the incident to the National Data Protection and Freedom of Information Authority without delay, but no later than 72 hours after its discovery, unless the incident is not likely to endanger the rights and freedoms of natural persons.

10.4. Pursuant to Article 25/K. of the Privacy Act, the Data Controller shall notify the Data Subject if the data protection incident is likely to have consequences that significantly affect the exercise of a fundamental right of the Data Subject (hereinafter: high-risk data protection incident). Such a high risk is particularly the case if the incident affects a set of data that is considered sensitive (e.g. special data, information on the data subject’s financial situation, data that could lead to personality theft or social perception of the data subject).

  11. Governing language

11.1. In case of translation of the Privacy Policy to any other language, the translation is for convenience and information purposes only, in all cases the Hungarian text shall prevail.

 
