Privacy notice – Tokaji Vámiroda Kft.

1. Introduction

Tokaji Vámiroda Kft. (address: 4034 Debrecen, Vágóhíd utca 2. website: www.tokajivamiroda.hu) as the operator of the Tokaj Customs Office website, ensures the lawfulness and expediency of the processing of personal data processed by it. The purpose of this information is to provide our customers with adequate information about the conditions and guarantees under which our company will process their data, and for how long, before they place an order or provide their personal data. We will abide by the terms of this notice in all cases involving the processing of personal data and we consider ourselves bound by the terms of this notice.

Our company data and contact details are as follows:

Name: Tokaji Vámiroda Kft.
Head office: 4034 Debrecen, Vágóhíd utca 2. IV. intact. Fsz. 15. door
Tax number: 23736058-2-09
Company registration number: 09-09-022320
Phone number: +36 70 315 6805
E-mail: tokajivamiroda@tokajivamiroda.hu
Website: www.tokajivamiroda.hu

(hereinafter also referred to as: “Data Controller”)

Our data management practices comply with applicable law, in particular:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”);
on the right of information self-determination and freedom of information of 2011. CXII. Act (“Infotv.”);
the Civil Code 2013. Act V of 2007;
the Act on Accounting 2000. Act C of 2006;
the 2017 Law on the Rules of Taxation. Act CL of 2006;
on the rules on the protection of persons and property and on private investigation 2005. CXXXIII. Act (hereinafter referred to as “the Act”);
on the basic conditions and certain limitations of commercial advertising activities of 2008. XLVIII. Act;
on certain aspects of electronic commerce services and information society services of 2001. CVIII. Act.

This Policy applies to your personal data if you contact us to use our Web Store services or if we contact you to describe or provide our services and we obtain any personal data in relation to that.

Our Website may also contain links to websites operated by third parties that have their own privacy policies. Please read the Privacy Policy carefully before providing your personal information on any website. As we have no control over the content of websites operated by third parties, these websites are outside our control, we are not responsible for them and the processing of data by the operators of these websites, and we expressly exclude any liability for them.

The following information is provided in relation to each of our data processing activities.

2. Interpretative concepts

Basic concepts:

data subject: any natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;
personal data: data which can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inference that can be drawn therefrom concerning the data subject;
consent: a voluntary and explicit indication of the data subject’s wishes, based on adequate information, by which he or she gives his or her unambiguous agreement to the processing of personal data concerning him or her, either in full or in relation to specific operations;
data controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or has the data processed by a processor;
data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
transfer: making data available to a specified third party;
disclosure: making the data available to anyone;
erasure: making data unrecognisable in such a way that it is no longer possible to recover it;
data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
data processor: a natural or legal person or unincorporated body which processes data on the basis of a contract, including a contract concluded pursuant to a legal provision;
personal data breach: unlawful processing or handling of personal data, in particular unauthorised access, alteration, disclosure, transmission, disclosure, erasure or destruction, accidental destruction or accidental damage;

Data processing related to the operation of the Website

The fact of collection, the scope of the data processed and the purpose of the processing:

Personal data	Purpose of the processing
Surname and first name	It is required for contacting and issuing a proper invoice.
Place and date of birth	Identification
E-mail address	Contact
Phone number	Liaising, negotiating quotes and invoicing issues more efficiently.
Date of request for proposal/contact	Perform a technical operation.
IP address at the time of the request for proposal/contact	Perform a technical operation.

3. Scope of personal data, purpose, legal basis and duration of processing, cookie processing

In order to provide a tailored service, the Data Controller creates a small data package on the user’s computer, called a. sets a cookie and reads it back during a subsequent visit. If the browser returns a previously saved cookie, the cookie management service provider has the possibility to link the user’s current visit to previous visits, but only for its own content.

Most of the cookies used are so-called “session cookies”, which are deleted when you end your browsing session. We also have some long-lasting cookies that help us to recognise you as a visitor. Cookies do not harm your computer and do not contain viruses.

In particular, we use the following cookies:

Purely technical cookies, which are particularly necessary for online store functions or to make our offer more user-friendly (e.g. load reduction, login function, validity: one session; shopping cart function, validity: 30 days)

Fact of processing, scope of data processed: unique identifier, dates, times
Data subjects: all data subjects visiting the website.
Purpose of data processing: to identify users, to register the “shopping cart” and to track visitors.

Duration of processing, deadline for deletion of data:

Type of cake	Legal basis for processing	Duration of data processing	Managed data
Session cookies (session)	The Act on electronic commerce and certain aspects of information society services of 2001. CVIII. Act (Elkertv.) 13/A. § (3) paragraph	Period until the end of the relevant visitor session	connect.sid

Identity of the potential data controllers who may access the data: no personal data is processed by the data controller through the use of cookies.
Description of data subjects’ rights in relation to data processing: data subjects have the possibility to delete cookies in the Tools/Preferences menu of their browsers, usually under the Privacy settings
Legal basis for processing: no consent is required from the data subject where the sole purpose of the use of cookies is to provide a communication over an electronic communications network or where the service provider strictly needs the cookies to provide an information society service explicitly requested by the subscriber or user.

More information about cookies is available at: http://www.adatvedelmiszakerto.hu/cookie

You can delete the cookie from your computer or disable the use of cookies in your browser. You can usually manage cookies by going to the Tools/Preferences menu of your browser and selecting Privacy settings, and then selecting the cookie or cookie option.

THE GOOGLE ANALYTICS APPLICATION

Please note that our website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files that are saved on your computer to help the analysis of the use of the website visited by the User.

Cookie name	Duration of data processing
_ga	2 years
_gid	24 hours
_gat	1 minute
AMP_TOKEN	30 seconds to 1 year
_gac_	90 days

The information generated by the cookie about the website used by the User is usually transmitted to and stored by Google on servers in the USA. By activating IP anonymisation on the website, Google will shorten the User’s IP address in the Member States of the European Union or in other states party to the Agreement on the European Economic Area.

The full IP address will be transmitted to a Google server in the USA and shortened there only in exceptional cases. On behalf of the website operator, Google will use this information to evaluate your use of the website, to compile reports on website activity for the website operator and to provide other services relating to website activity and internet usage.

The IP address transmitted by the User’s browser within the framework of Google Analytics will not be merged with other data held by Google. The User may prevent the storage of cookies by selecting the appropriate settings on his/her browser, however, please note that in this case, not all functions of this website may be fully functional. You may also prevent Google from collecting and processing information about your use of the website (including your IP address) by means of cookies by downloading and installing the browser plug-in available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu

4. Data security

The controller shall design and implement the processing operations in such a way as to ensure the protection of the privacy of data subjects.

The data controller shall ensure the security of the data (password and antivirus protection), shall take the technical and organisational measures and shall establish the procedural rules necessary to enforce the Info Act and other data protection and confidentiality rules.

The controller shall take appropriate measures to protect the data, in particular by:

unauthorised access,
the change,
the transmission,
the disclosure of,
deletion or destruction,
accidental destruction and damage,
against inaccessibility due to changes in the technology used.

The controller shall ensure, by appropriate technical means, that the data stored in the records cannot be directly linked and attributed to the data subject.

The data controller shall take measures to prevent unauthorised access, alteration and unauthorised disclosure or use of personal data:

the development and operation of an appropriate IT and technical environment,
the controlled selection and supervision of staff involved in the provision of services,
issuing detailed operational, risk management and service procedures.

On the basis of the above, the data controller ensures that the data it processes

be available to the rightful claimant,
authenticity and verification,
the invariance of the unchanged is verified

The information technology system of the controller and its hosting provider protects, among other things.

computer fraud,
espionage,
computer viruses,
spam,
the hacks
and other attacks.

Data processors:

Name of data processor	Location of the data processor	Description of a data processing job
KBOSS.hu Ltd.	1031 Budapest, Záhony u. 7.	Provision of software for accounting services
OTP Bank Plc.	1051 Budapest, Nádor u. 16.	Data communication for payment transactions is handled by the between the merchant and the payment service provider’s system, ensuring transaction traceability for merchant partners
Csaba Boros E.V.	4181 Nádudvar, Mészáros Lázár street 5.	Provision of accounting services
HM Webdesign Ltd.	4025 Debrecen, Piac utca 61. 1/16.	Website operation
Rackhost Zrt.	6722 Szeged, Tisza Lajos körút 41.	Website hosting service, server hosting tasks

5. Rights of data subjects

The data subject may request the controller to provide information about the processing of his or her personal data, request the rectification of his or her personal data, and request the erasure or blocking of his or her personal data, except for mandatory processing.
At the request of the data subject, the controller shall provide information about the data of the data subject processed by the controller or by a processor appointed by the controller or on its behalf, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, the circumstances of the personal data breach, its effects and the measures taken to remedy the personal data breach, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer.
The controller shall, where it has an internal data protection officer, through the internal data protection officer, keep a record of the personal data concerned, the number and categories of data subjects affected by the personal data breach, the date, circumstances, effects and measures taken to remedy the personal data breach and other information specified in the legislation providing for the processing, for the purposes of monitoring the measures taken in relation to the personal data breach and informing the data subject.
For the purposes of monitoring the lawfulness of the transfer and informing the data subject, the controller shall keep a record of the transfer, including the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.
Upon the user’s request, the data controller shall provide information on the data processed by the data controller, their source, the purpose, legal basis and duration of the processing, the name and address of any data processor and its activities related to the processing, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer. The data controller shall provide the information in writing in an intelligible form within the shortest possible time from the date of the request, but not later than 25 days. The information is free of charge.
If the personal data is not accurate and the accurate personal data is available to the controller, the controller shall correct the personal data.
Instead of deletion, the controller shall block the personal data if the user so requests or if, on the basis of the information available to it, it is likely that deletion would harm the legitimate interests of the user. Blocked personal data may be processed only for as long as the processing purpose that precluded the deletion of the personal data persists.
The controller shall erase personal data if the processing is unlawful, the user requests it, the processed data is incomplete or inaccurate – and this situation cannot be lawfully remedied – provided that erasure is not excluded by law, the purpose of the processing has ceased, or the statutory period for storing the data has expired, or the court or the National Authority for Data Protection and Freedom of Information has ordered it.
The controller shall mark the personal data that it processes if the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.
Rectification, blocking, flagging and erasure must be notified to the data subject and to all those to whom the data were previously disclosed for processing. Notification may be omitted if this does not harm the legitimate interests of the data subject having regard to the purposes of the processing.
If the controller does not comply with the data subject’s request for rectification, blocking or erasure, it shall, within 25 days of receipt of the request, communicate in writing the factual and legal grounds for refusing the request for rectification, blocking or erasure. If the request for rectification, erasure or blocking is refused, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.

6. Remedies

You may object to the processing of your personal data if.

the processing or transfer of personal data is necessary for the fulfilment of a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller, the recipient or a third party, unless the processing is required by law;
the personal data are used or disclosed for direct marketing, public opinion polling or scientific research purposes;
in other cases specified by law.

The data controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide whether the objection is justified and inform the applicant in writing of its decision. If the controller establishes that the data subject’s objection is justified, the controller shall terminate the processing, including further collection and further transfer, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data subject of the objection has previously disclosed the personal data subject and who are obliged to take measures to enforce the right to object.

If the user does not agree with the decision of the data controller, he/she may appeal against it to a court within 30 days of its notification. The court acts by default.

Complaints against possible infringements by the data controller can be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, P.O. Box 5.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
Website: https://www.naih.hu/
E-mail: ugyfelszolgalat@naih.hu

7. Judicial enforcement

The controller must prove that the processing is in compliance with the law. The burden of proof of the lawfulness of the transfer lies with the recipient.
The court has jurisdiction to hear the case. The action may also be brought before the court of the person’s domicile or residence, at the person’s choice.
A person who does not otherwise have legal capacity to sue can also be a party to the lawsuit. The Authority may intervene in the case in order to help the person concerned to win the case.
If the court upholds the application, the data controller shall be obliged to provide the information, rectify, block or erase the data, annul the decision taken by automated processing, take into account the right of the data subject to object, or disclose the data requested by the data subject.
If the court rejects the data subject’s request, the controller is obliged to delete the data subject’s personal data within 3 days of the judgment. The data controller is also obliged to delete the data if the data subject does not take the data to court within the specified time limit.
The court may order the publication of its judgment, with the publication of the controller’s identification data, if the interests of data protection and the protected rights of a large number of data subjects so require.

8. Compensation and damages

If the controller infringes the data subject’s right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from the controller.
The controller is liable to the data subject for any damage caused by the processor and the controller is also liable to pay the data subject the damages due in the event of a personal data breach caused by the processor. The controller shall be exempted from liability for the damage caused and from the obligation to pay compensation if it proves that the damage or the infringement of the data subject’s personality rights was caused by an unforeseeable cause outside the scope of the processing.
No compensation shall be due and no damages shall be payable where the damage or injury to the person concerned has been caused by the intentional or grossly negligent conduct of the victim or by an infringement of a right relating to personality.

9. Contact details of the controller