Privacy Policy

of GIRONDE Household and Cosmetic Products Manufacturing and Trading Limited Liability Company

(3333 Terpes, Petőfi Street 2-4.)

Approved by: Béla Csepcsányi, Managing Director

Effective as of: February 1, 2024, until revoked or modified

This Notice is the property of GIRONDE Ltd. Any use of it in any form without the written permission of the Company is prohibited.

I. INTRODUCTORY PROVISIONS, PURPOSE AND SCOPE OF THIS NOTICE

GIRONDE Ltd., a company registered at 3333 Terpes, Petőfi Street 2-4 (hereinafter referred to as the Data Controller/Company), provides information through this data protection notice (hereinafter referred to as the Notice) to natural persons about its practices regarding the processing of personal data.

The Data Controller considers the protection and confidential handling of the personal data of its natural person partners, clients, customers, and employees of paramount importance. Accordingly, personal data is treated confidentially, and all necessary technical and organizational measures are taken to ensure data security. In this context, the Data Controller commits to ensuring that the data processing described in this Notice complies with the relevant Hungarian and European Union regulations, particularly the provisions of the General Data Protection Regulation (GDPR), which has been mandatory since May 25, 2018.

When preparing this Notice, in addition to the relevant and applicable legal regulations, the Data Controller also considered the recommendations and guidelines of the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: NAIH/Authority), such as:

When preparing this Notice, in addition to the relevant and applicable legal regulations, the Data Controller also considered the recommendations and guidelines of the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: NAIH/Authority), such as:

  • the “data protection requirements of prior information,”
  • the “basic requirements for workplace data processing,”
  • the “basic requirements for electronic surveillance systems used in the workplace,”
  • as well as the documents issued by the Article 29 Data Protection Working Party and the European Data Protection Board.

The Data Controller reserves the right to amend this Notice and its contents at any time. The currently eƯective version of the Notice is published on the following websites before the changes come into force, accessible by clicking the "Data Protection" menu:

  • www.gironde.hu
  • www.justhouseholds.hu
  • www.lorin.hu


Affected individuals will also be informed via the website. The Data Controller accepts this Notice as binding and follows it in all personal data processing activities.

If you have any questions regarding this Notice, you may contact the Data Controller at the email address below or via the contact details provided in Section II:

[email protected]

The data processing activities of the Data Controller are primarily, but not exclusively — governed by the following laws:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR);
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.);
  • Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (Szvtv.);
  • Act I of 2012 on the Labour Code (Mt.);
  • Act V of 2013 on the Civil Code (Ptk.);
  • Act LXXXI of 1997 on Social Security Pension Benefits (Tbny.);
  • Act C of 2000 on Accounting (Számv tv.);
  • Act CLV of 1997 on Consumer Protection (Fgytv.);
  • Decree 19/2014 (IV.29.) of the Ministry for National Economy on Procedural Rules for Warranty and Guarantee Claims in Contracts between Consumers and Businesses (Szav. r.);
  • Act CL of 2017 on the Rules of Taxation (Art.);
  • Act CLIX of 2012 on Postal Services (Posta tv.);
  • Act XC of 2017 on Criminal Procedure (Be.)

Purpose of the Notice:

This Notice defines the principles regarding the processing of data of natural persons (data subjects) by the Data Controller, informs the data subjects about their rights in connection with their personal data, the means of exercising these rights, details of the personal data managed by the Data Controller, as well as the necessary contact information and available legal remedies. Additionally, the Notice reflects the Data Controller’s commitment to data protection and its intent to conduct its data processing practices in accordance with the applicable legal requirements and the statements, recommendations, and decisions of NAIH.

Temporal Scope of the Notice:

This Notice is effective from February 1, 2024, until it is revoked or amended.

Personal Scope of the Notice:

The personal scope of this Notice extends to the Data Controller and all natural persons affected by its data processing activities, explicitly including the data of employees (representatives) of legal entities in business relationships with the Company.

Material Scope of the Notice:

The material scope covers all data processing activities of the Data Controller, regardless of whether they are carried out in electronic or paper-based form.

The complete data protection documentation of the Data Controller consists of several other documents — formally separate from this Notice and recorded in distinct instruments. The most significant of these are listed below. These documents are available at the Company’s registered office located at 3333 Terpes, Petőfi Street 2-4:

  1. Regulation on the use of the electronic surveillance system and its annexes
  2. Information sheets/pictograms regarding the application of the electronic surveillance system, specific to each camera
  3. Impact assessment for the application of the electronic surveillance system
  4. Legitimate interest assessment for the application of the electronic surveillance system
  5. Register of data processing activities
  6. Data processing agreements
  7. Data protection notices concerning the use of company devices affecting employees (e.g., computers, email accounts) and other forms of monitoring
  8. Data breach incident register
  9. Legitimate interest assessments regarding further data processing necessary for the enforcement of the Data Controller’s legitimate interests, including data processing related to the monitoring of company devices
  10. Confidentiality declarations
  11. IT policy and its annexes
II. DATA CONTROLLER AND DATA PROTECTION OFFICERS – CONTACT DETAILS
DATA CONTROLLER:
Company name:
GIRONDE Household and Cosmetic Products Manufacturing and Trading Limited Liability Company
Company registration number:
10-09-022679
Registered office:
3333 Terpes, Petőfi Street 2-4
Place of data processing:
3333 Terpes, Petőfi Street 2-4
Websites:
  • www.gironde.hu
  • www.lorin.hu
  • www.justhouseholds.hu
Tax number:
11175171-2-10
Represented by:
Béla Csepcsányi, Managing Director
Email:
[email protected]
Phone number:
+36-36/561-310
Fax:
+36-36/371-022
DATA PROTECTION OFFICERS:
III. DEFINITIONS
The following section provides definitions—and where deemed necessary, explanations (in italic)—of key terms used in this Privacy Notice:
Data subject:
any identified or identifiable natural person based on any information.
Personal data:
any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples include: the data subject's place and date of birth, IP address, email address, phone number, or a person visible in a video surveillance recording.
Data subject rights:
the right to be informed, right of access to personal data, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object (including profiling), right to lodge a complaint with a supervisory authority or a court, relevant deadlines, procedural rules, compensation and non-material damages.
A detailed explanation of the data subject's rights and legal remedies is provided in Sections X and XI of this Notice.
Data controller:
a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided by Union or Member State law.
In the present case, this refers to the legal entity detailed in Section II of the Notice.
Data processing:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Employee / Worker / Business Partner:
a natural or legal person having an employment relationship, assignment agreement, or other business connection with the Data Controller.
Data transfer:
making data available to a specific third party.
Data processor:
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Data processors are required to act only on the instructions of the controller and may not collect data for their own purposes or make independent decisions regarding the data (e.g., deletion).
Examples: accountant, hosting provider.
Data processing (by a processor):
all processing activities carried out by a data processor on behalf of or under the instructions of the data controller.
Data erasure:
rendering the data unrecognizable in such a way that it cannot be restored—whether it concerns paper-based or electronic records.
For example: incineration, shredding, crushing, or anonymization, in which case the personal data is stripped of all characteristics that made identification of the data subject possible.
Health data:
personal data related to the physical or mental health of a natural person, including any data relating to health services provided to the natural person, which contains information about their health status.
The Controller does not process such data, except for cases concerning employees' illness, incapacity for work, or health data that are required by law for fulfilling a specific job position.
Profiling:
any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
The Controller does not perform such data processing for employees or any other data subjects.
Anonymization:
a method equivalent to erasure, whereby personal data is stripped of all identifying characteristics, eliminating the connection between the data and the data subject.
Pseudonymization:
the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Unlike anonymization, the link between the data and the data subject can be restored.
Recipient:
a natural or legal person, public authority, agency, or another body to whom or with whom the personal data is disclosed, regardless of whether it is a third party or not.
Examples include data processors. Public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; such processing must comply with applicable data protection rules.
Recipients are listed individually under each processing activity in this Privacy Notice.
Data subject's consent:
any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
Example: subscribing to the Controller's newsletter.
Data protection incident (GDPR):
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Example: an external attack such as a hacker breach that compromises the data security system, allowing unauthorized persons to access data subjects' personal data.
Website:
the websites operated by the Controller:
  • www.gironde.hu
  • www.lorin.hu
  • www.justhouseholds.hu
Product:
cosmetic and household chemical products manufactured by the Controller.
Social media platforms:
the Facebook pages maintained and supervised by the Controller at
  • https://www.facebook.com/lorinhungary/
  • https://www.facebook.com/justatisztaotthonert
and the Instagram pages:
  • https://www.instagram.com/lorin_hungary
  • https://www.instagram.com/justhousehold/
Meta, which operates Facebook and Instagram, is an independent data controller. Their privacy policy is available at:
https://hu-hu.facebook.com/privacy/policy?section_id=13-HowToContactMeta
IV. PRINCIPLES, LEGAL BASIS AND DURATION OF DATA PROCESSING
In accordance with the GDPR, the following data processing principles are respected and obligatorily applied by the Controller:
Lawfulness, fairness and transparency:
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose limitation:
Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes.
Data minimization:
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy:
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage limitation:
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by the Regulation to safeguard the rights and freedoms of the data subject.
Integrity and confidentiality:
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Accountability:
The Controller is responsible for, and must be able to demonstrate, compliance with the above principles.
Necessity and proportionality:
This principle essentially coincides with the principle of data minimization.
Privacy by design:
While this term is not explicitly named as such in the GDPR, it is clearly reflected in Recital 78 and Article 25 of the Regulation.
The essence of this principle is a proactive data protection mindset, whereby the Controller implements technical and organizational measures—such as pseudonymization—during the processing and at the planning stage to embed data protection principles and safeguards for the rights of the data subjects into the processing operation itself.
Legal Bases for Data Processing under the GDPR
Each data processing activity must have only one legal basis. The possible legal bases are provided in Article 6(1) of the GDPR, which lists six potential legal grounds for processing personal data. The list does not imply a hierarchy among them. Below, we outline all six legal bases in the order presented by the GDPR, along with illustrative examples:
a) The data subject has given consent to the processing of their personal data for one or more specific purposes.
Example: retaining a CV submitted for a job application for a defined period, or subscribing to a newsletter.
The Controller emphasizes here—and also in Section VI detailing specific processing activities—that when the legal basis is voluntary consent (given in writing via the website, email, fax, or post), the data subject may withdraw their consent at any time by submitting a written declaration to any of the Controller's contact details listed in Section II.
Withdrawal of consent is free of charge and not subject to any conditions. However, the withdrawal does not affect the lawfulness of data processing based on consent before its withdrawal.
b) Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Example: requesting a quote from the Controller, followed by contract conclusion.
c) Processing is necessary for compliance with a legal obligation to which the Controller is subject.
Example: the mandatory retention of invoices and other accounting documents issued in connection with the Controller's activities, in accordance with Act C of 2000 on Accounting.
d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Not applicable to the Controller.
Example: humanitarian emergencies, life-threatening situations.
e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
Also not applicable to the Controller.
Example: tasks performed under public authority.
f) Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data—especially where the data subject is a child.
Example: processing personal data of contact persons employed by the Controller's business partners, or operating an electronic surveillance system.
The Controller specifies the legal basis for each data processing activity individually in Sections V and VI of this Privacy Notice, regardless of whether the processing is based on voluntary consent, contract performance, legal obligation, or legitimate interest.
Duration of Data Processing
Similarly to the legal bases, the duration of each data processing activity is also specified individually in this Privacy Notice, regardless of whether the processing is based on the data subject's voluntary consent, contract performance, legal obligation, or the Controller's legitimate interest.
V. DATA PROCESSING RELATED TO THE OPERATION OF THE ELECTRONIC SURVEILLANCE SYSTEM
The Controller operates an electronic surveillance (camera) system at its registered office. In connection with the operation of the surveillance system, the Controller has not only conducted a legitimate interest assessment but has also decided to carry out a data protection impact assessment (DPIA). During the assessment, particular attention was paid to the guidelines set out in WP 248, issued by the Article 29 Data Protection Working Party established under Directive 95/46/EC, especially the recommendations found in Section III/C concerning ongoing processing operations, as well as the guidelines issued by the European Data Protection Board (EDPB) in Guidance 3/2019 and the list published by the Hungarian Data Protection Authority (NAIH) pursuant to Article 35(4) of the GDPR.
The Controller has chosen not to publish the full DPIA—exercising the option allowed in the WP 248 guidelines—in order to protect the measures taken to mitigate identified risks. However, the results of the DPIA are disclosed to the data subjects as follows:
1. The DPIA concluded that the high risk to the rights and freedoms of natural persons—as referred to in Article 35(1) of the GDPR and originally justifying the need for the DPIA—no longer exists, due to the detailed data protection and data security measures implemented by the Controller in connection with the camera surveillance.
2. The residual risks to data subjects have been reduced to an acceptable level. There are no specific circumstances—identified in the guidelines—that would expose data subjects to irreversible consequences, nor any that they would be unable to overcome. There is no risk to life, unlawful termination of employment, or financial hardship resulting from the data processing.
3. There is no realistic threat of unauthorized access to the recordings stored by the Controller. The Controller has taken all reasonable and comprehensive physical, logical, and administrative measures to prevent any data protection incident and to ensure that the personal rights of data subjects are restricted only to the minimum necessary extent.
Each area monitored by a camera is preceded by a one-page written notice and a clearly visible camera icon, informing data subjects of the surveillance.
The one-page notice placed before each monitored area provides brief and clear information in compliance with the GDPR about the purpose and legal basis of the data processing, the duration of data retention, information on data storage, the rights of the data subject, and the identity and contact details of the Controller. It also specifies that the Controller does not engage a data processor for the recordings and does not perform profiling.
The Controller has recorded the detailed rules related to the operation of the camera system in a separate document entitled "Rules on Electronic Surveillance." This camera policy, including its annexes, is available to all data subjects—including employees—on the premises of the Controller at the office.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
Any natural person (e.g., employees, customers, suppliers, delivery drivers, guests, business partners) who enters and remains in the area monitored by cameras, either on foot or by vehicle. Image of the data subject and other personal data captured by the camera (location, time, behavior of the individual). In case of vehicle entry: vehicle license plate and other identifying features. If not used, recordings are deleted after 5 calendar days from the date of recording.
Legal Basis for Processing
The legal basis for data processing in connection with the operation of the surveillance system is the legitimate interest of the Company (GDPR Article 6(1)(f)).
The Company has a legitimate interest—based on its right to conduct business and its employment obligations—in ensuring the efficient operation of the business, the effectiveness of work processes, the security of operations, and the protection of property (both real estate and movables) in connection with its activities. These legitimate interests also include the right to monitor for these purposes. The detailed, camera-specific legitimate interest analysis is included in the internal camera policy.
The Legitimate Interest Assessment concerning data processing based on legitimate interest may be viewed by data subjects upon request at the Controller's premises.
Naturally, each data subject is only entitled to access those annexes to which they are also authorized to enter physically. Accordingly, an employee of the Company may access different annexes than a business partner or guest who is only authorized to enter, for example, the finished goods warehouse or the office building.
In the case of data processing based on legitimate interest, the data subject may object to the data processing at any time. In such a case, the Controller shall carry out a renewed legitimate interest assessment, during which it must justify—taking into account the reasons indicated in the request—whether other legitimate interests override the interests of the data subject.
The purposes of data processing carried out via the camera system are: asset protection, protection of the Company's business secrets, recording the activities of unauthorized individuals present at the Company's headquarters, etc. The specific purposes have been defined separately for each camera in the camera policy.
Source of the data: the data subject.
Recipients of the personal data, or categories of recipients: none.
Data transfer to third countries or international organizations: none.
Automated decision-making, profiling: the Company does not carry out any such data processing; it does not score or categorize data subjects according to any system, criteria, etc.
The cameras operated by the Controller's system perform image recording only; none of the cameras record sound. The electronic surveillance system was installed by an external company independent of the Controller; however, this company does not have any access (viewing rights) to the live images transmitted by the installed camera surveillance system or to the recordings made by the system.
Furthermore, neither the live images nor the recorded footage are transmitted or processed for any purpose outside the Controller, except for authorities acting in regulatory offense or criminal matters, or if the recordings are necessary for asserting or establishing, for example, employment-related or civil law claims or liability.
The recordings are stored and backed up exclusively at the Controller's headquarters.
The Controller has restricted the number of persons authorized to view the current (live) images and playback of the recorded footage to the smallest possible group. Those authorized to view the live images and the recorded footage may do so only in compliance with the safeguards set out in the camera policy.
The camera system and the recordings (stored footage), including their backups, are all highly protected from an IT security perspective in order to prevent unauthorized individuals from accessing the recordings in any form.
Further information about the specific data security measures implemented by the Controller can be found in Section VII of the Privacy Notice under the chapter titled "Security of Data Processing."
Employees of the Controller receive information about the electronic surveillance system and the related data processing affecting them in a separate document.

VI. OTHER DATA PROCESSING ACTIVITIES OF THE DATA CONTROLLER

Pursuant to Articles 13 and 14 of the GDPR, the Data Controller informs the data subjects through this Notice of the following information:

  • the contact details of the Data Controller and its representative
  • the name and contact details of the Data Protection Officer
  • the legal basis of the data processing
  • the categories of data subjects
  • the categories of personal data processed and their source
  • the purpose of the data processing
  • in case of data processing based on legitimate interest, the legitimate interest of the Data Controller
  • the duration of the data processing
  • the consequences of the failure to provide data
  • in case of data transfers, the recipients of the data
  • in case of international data transfers, the recipients and legal basis thereof
  • the rights of the data subjects and the possibilities for legal remedy
  • all other material facts concerning the circumstances of the data processing

Further information listed in the GDPR (such as the rights of data subjects, the right to lodge a complaint with a supervisory authority, and the right to judicial remedy) is summarized in separate sections (X., XI.) of this Notice.

The Data Controller informs the data subjects that it does not perform automated decision-making or profiling in any form with regard to the personal data it processes. It also does not transfer data outside the territory of Hungary.

In the case of data processing based on the legitimate interest of the Data Controller, the balancing test related to the processing based on legitimate interest can be reviewed in full at the request of the data subjects. Such a request must be submitted to the Data Controller via its email or postal address.

In addition to the data processing operations listed in this Notice, the Data Controller also carries out other data processing activities, about which data subjects (such as employees regarding the processing of their personal data in connection with their employment relationship, or individuals affected by the electronic monitoring system) receive detailed information in separate documents.

Information related to data processing concerning the operation of the whistleblowing system is also provided to data subjects through a separate notice in accordance with Section 25 of Act XXV of 2023. This information is available on our websites by clicking on the whistleblowing menu item.

The Data Controller may also occasionally carry out other data processing activities not included in this Notice or in the above-mentioned documents, for which data subjects will receive detailed information before the processing of their data begins.

VI/1. Processing of personal data of natural persons acting as contact persons for the legal and natural person business partners of the Data Controller (e.g., resellers, suppliers, carriers, providers, etc.)
The Data Controller has a legitimate interest in maintaining contact with its business partners and suppliers, sending business-related notifications, facilitating business cooperation, concluding contracts, ensuring the continuous flow of goods, complying with the obligations of cooperation and information provision set out in Section 6:62 of the Civil Code after the conclusion of contracts, and thereby ensuring the prevention of contractual breaches or delays.
Similarly, it is equally important for the given business partner (it serves their interest to the same extent) to receive timely information from the Data Controller, or to be able to inform the Data Controller in time about changes in circumstances necessary for fulfilling their contractual obligations.
To realize all these legitimate interests, it is necessary for the Data Controller to be aware of the data recorded in the table below concerning the natural person designated as the contact person at the given business partner (employee, executive officer, etc.). For contact purposes, the Data Controller primarily requests a corporate phone number and email address from the data subjects. The data processed during contact management is strictly necessary for achieving the specific legitimate interests of the Data Controller. The scope of processed data is limited to the minimum, and processing of this data is absolutely necessary to achieve the purpose of data processing. Due to the nature of the data processing, without the processed data, the legitimate interest of the Data Controller cannot be enforced, and the purpose of the processing cannot be achieved.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
Natural persons designated as contact persons (employees, executive officers) at all business partners name, corporate phone number and email address, and possibly (typically for sole proprietors) home address until the termination of the relationship with the given business partner, or the existence of the contact status of the data subject
Legal basis of processing:
The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller and its business partner (Article 6(1)(f) GDPR). It is the legitimate interest of both the Data Controller and its business partner to ensure that contact with business partners and suppliers, the sending of business notifications, the facilitation of business cooperation, contract conclusion and performance, and compliance with the cooperation and information provision obligations defined in Section 6:62 of the Civil Code after contract conclusion are maintained, thus avoiding contractual breaches or delays.
(The balancing test related to the legitimate interest-based data processing may be reviewed in full at the request of the data subjects. The request must be submitted to the Data Controller via its email or postal address.)
Purpose of processing:
To ensure continuous contact between the Data Controller and its business partners, sending business-related notifications, and facilitating business cooperation.
Consequences of failure to provide data:
Failure of business contact
Source of data:
From the business partner employing the natural person designated for contact
Recipients or categories of recipients of personal data:
none
Transfer of data to a third country or international organization:
none
Automated decision-making, profiling:
the Company does not carry out any such data processing; it does not score or categorize data subjects based on any system, criteria, etc.
VI/2. Issuance of Invoice Related to Purchase
The Data Controller issues an invoice in connection with the sale of the products it distributes. The invoice is processed and stored in its own administrative/invoicing system for the duration specified by applicable legislation.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
All natural persons who purchase products offered by the Data Controller and request an invoice. Name, address (country, city/town name, street, square, etc., house number, floor, door number), quantity of the product, its value (total amount payable), selected payment method, date of purchase, tax identification number in the case of a natural person who is a sole proprietor or primary agricultural producer (EU VAT number), company name, registered office, in the case of card payment: card and transaction data and transaction approval from the financial service provider. Eight years pursuant to Section 169 (2) of the Accounting Act.
Legal basis of data processing:
The processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR, with regard to Section 169 (2) of the Accounting Act).
Source of data:
Directly from the data subject.
Purpose of data processing:
To issue a receipt certifying payment for the purchased product and to fulfill the Data Controller's accounting obligations.
Consequences of failure to provide data:
The natural person/sole proprietor purchasing the product will not be able to receive an invoice made out in their name.
Recipients of personal data:
1. PRONETT AGRIA Kft. (Registered office: 3300 Eger, Tévesztő köz 5., company registration number: 10-09-024690, represented by: Tünde Smider, Managing Director, phone number: +36-30/678-3656, email: [email protected]) – for performing accounting tasks; Legal basis: necessary for the performance of a contract (Article 6(1)(b) of the GDPR).
2. Cégmenedzser Szoftver Kft. (Registered office: 1081 Budapest, Rákóczi út 61. 2nd floor, 1st door, company registration number: 01-09-956747, represented by: Tamás Jagodics, Managing Director, phone: +36-1/814-7882, email: [email protected]) – for supporting the operation of the enterprise resource planning system; Legal basis: necessary for the performance of a contract (Article 6(1)(b) of the GDPR).
3. National Tax and Customs Administration (Nemzeti Adó- és Vámhivatal) (1054 Budapest, Széchenyi u. 2.) – for the purpose of forwarding data specified in Sections 169 and 170 of the VAT Act, in the case of tax-subject natural persons (sole proprietors, primary agricultural producers) and non-tax-subject natural persons. Legal basis: necessary for compliance with a legal obligation (Article 6(1)(c) of the GDPR, Annex 10, points 1, 2, and 4 of the VAT Act).
Data transfer to third countries or international organizations:
None
Automated decision-making, profiling:
The Company does not perform such data processing; it does not score or categorize data subjects based on any system or criteria.
VI/3. Request for an Offer (in electronic form, by mail, or via fax)
The Data Controller allows interested parties to request an offer for its products. The request for an offer can be made via the electronic email address [email protected], by mail, or via fax.
In the case of a request for an offer by phone (without recording data), the Data Controller asks the interested party to send their request in writing to one of the contact details provided in Section II, unless the question related to the offer request can be answered simply and immediately, and no recording or documentation of personal data is necessary.
After receiving the offer request, the Data Controller prepares the requested offer for the interested party and sends it to them via the provided contact method.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
All parties who request an offer from the Data Controller, providing their personal data. Name, email address, subject of the message (offer), for requests received by post, the address data of the person requesting the offer: city name, street, street name, square, etc., house number, floor, apartment, postal code. Until the validity period of the given offer expires.
Legal basis for data processing:
The voluntary consent of the data subject (Article 6(1)(a) of the GDPR).
Source of data:
Directly from the data subject.
Purpose of data processing:
To provide the interested party with an appropriate offer and the necessary communication related to it.
Consequence of failure to provide data:
The failure of the offer request.
Recipients of personal data:
1. ForumSoft Kft. (headquarters: 2000 Szentendre, Szatmári utca 41., company registration number: 13-09-128715, represented by: Lajos Toldi, managing director, phone: +36-26-500-075, email: [email protected]) for providing online hosting (gironde.hu) and email mail system; the legal basis for data processing is the necessity for the performance of a contract (Article 6(1)(b) of the GDPR)
Transfer of data to third countries:
None
Automated decision-making, profiling:
The Data Controller does not perform any such data processing and does not score or categorize the data subjects in any system or based on any criteria.
The data subject may withdraw their voluntary consent to the personal data specified in this section and the specified data processing purpose at any time by sending a written statement to any of the contact details provided in Section II. The withdrawal of consent is free of charge and not subject to any conditions, but it does not affect the lawfulness of data processing before the withdrawal.
VI/4. Request for Information, Opinion, Idea, Question, Proposal (in electronic form, by post, or via fax)
The Data Controller also enables data subjects interested in its product to request information from it on any other subject not falling within the scope of a request for quotation, or to formulate an opinion, idea, question, or proposal. The request for information, the formulation of an opinion, idea, question, or proposal is equally possible via the electronic email address [email protected], by post, or via fax.
In the case of a question received by phone (without recording the data), the Data Controller requests the data subject to submit the question in written form to one of the contact details provided in point II of the Data Controller, except if the request can be simply and immediately answered and no documentation is necessary in any form. For example, the data subject inquires about the Data Controller's products or the availability of products, or possibly the opening hours of the Data Controller, without providing their own name and other data.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
All data subjects who request information from the Data Controller regarding its products or services, formulate an opinion, idea, question, or proposal, with the provision of their personal data (not anonymous), and all this does not fall within the scope of a request for quotation name, e-mail address, subject of the message (in the case of a request received by post, the data of the notification address of the person requesting information or giving an opinion, idea, question, or proposal: name of the locality, road, street, square, etc., house number, floor, door, postal code), content of the request, opinion, idea, question, proposal until the purpose is fulfilled
Legal basis of data processing:
the voluntary consent of the data subject (Article 6(1)(a) of the GDPR)
Source of data:
directly from the data subject.
Purpose of data processing:
to provide information to the data subject and to respond to the received opinion, idea, question, or proposal.
Consequence of failure to provide data:
failure of the response/notification related to the request for information, opinion, idea, question, or proposal.
Recipients or categories of recipients of personal data:
1. ForumSoft Kft. (registered office: 2000 Szentendre, Szatmári Street 41., company registration number: 13-09-128715, represented by: Lajos Toldi managing director, phone number: +36-26-500-075, e-mail: [email protected]) for the purpose of providing online hosting (gironde.hu) and email correspondence system; legal basis: data processing is necessary for the performance of a contract (Article 6(1)(b) of the GDPR).
Transfer of data to a third country:
none
Automated decision-making, profiling:
the Data Controller does not carry out such data processing, does not score or classify data subjects into different categories based on any system, criteria, etc.
The data subject may withdraw their voluntary consent given to the personal data specified in this point and to the data processing purpose indicated at any time by written declaration (electronically or in paper form by post) sent to any of the contact details listed in point II of the Data Controller. The withdrawal of consent is free of charge and not subject to any condition; however, the withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.
VI/5. Processing of Personal Data of Job Applicants
The Data Controller processes the CVs and any accompanying documents submitted by individuals who apply for a job advertised by the Company or who submit their applications voluntarily – either electronically or on paper – without any open position being advertised.
In the case of applicants who are not selected for the position, their application documents are promptly destroyed once the recruitment process is concluded and the position has been filled, unless the Data Controller considers their application potentially suitable for a future job opening.
In such cases, the application materials will only be retained for an additional period of 1 year, provided that the applicant has given specific written consent to this effect. Naturally, if the data subject requests deletion of their data during this time, the Data Controller will comply without delay.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
Any natural person applying for a job advertised by the Data Controller or submitting a voluntary application name, place and date of birth, exact job title applied for, previous work experience, former employers, educational qualifications, driving licence, language certificates (if required for the role), motivation letter, e-mail address or postal address, and any other skills or competencies relevant to the given position Until the purpose is fulfilled; or, if the applicant is not selected but consents to further data processing, their data will be retained for up to 1 year from the date of application, unless the data subject requests earlier deletion.
• Legal basis for processing: the data subject's voluntary consent (Article 6(1)(a) of the GDPR)
• Purpose of processing: handling applications for the job positions advertised by the Data Controller and facilitating the necessary communication
• Consequence of not providing data: the data subject will not be able to apply for the advertised job
• Source of the data: directly from the data subject
Recipients or categories of recipients of the personal data:
1. ForumSoft Kft. (Registered office: 2000 Szentendre, Szatmári utca 41., Company reg. no.: 13-09-128715, represented by: Lajos Toldi, Managing Director, Phone: +36-26-500-075, E-mail: [email protected]) – for the purpose of providing online storage (gironde.hu) and e-mail services. Legal basis: the processing is necessary for the performance of a contract (Article 6(1)(b) of the GDPR)
Data transfers to third countries or international organisations:
None
Automated decision-making or profiling:
The Company does not engage in such activities; applicants are not scored or categorized based on any system or criteria.
VI/6. Handling of Quality Complaints
The Data Controller keeps a record of and investigates quality (warranty) complaints submitted in person, via email, or by post concerning products it manufactures and distributes. The Data Controller informs the data subject of the outcome of the investigation.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
All natural persons who submit a quality (warranty) complaint—either orally in person or in writing via electronic or paper-based means—concerning the products manufactured and distributed by the Data Controller. The minutes recorded regarding the quality (warranty) complaint, including: the name and address of the consumer, the place, date, and method of complaint submission, a detailed description of the consumer's complaint, a list of documents, records, and other evidence presented by the consumer, the company's statement regarding the complaint, if the complaint can be resolved immediately, the name of the person recording the minutes, and—except in the case of oral complaints made via telephone or other electronic communications services—the signature of the consumer and the place and date of recording the minutes. 3 years pursuant to Section 4 § (6) of Government Decree on Warranties (Szav. r.)
• Legal basis for data processing: Necessary for compliance with a legal obligation (Article 6(1)(c) GDPR, with reference to Section 4(6) of the Government Decree on Warranties – "Szavatossági rendelet").
• Purpose of data processing: To handle quality complaints concerning products manufactured and distributed by the Data Controller, to comply with the procedural rules of handling warranty and guarantee claims under consumer contracts, and to support investigations by the consumer protection authority.
• Source of the data: Directly from the data subject.
• Consequence of failure to provide data: The complaint cannot be processed; the data subject cannot exercise consumer rights.
Recipients of personal data:
1. ForumSoft Kft. (registered seat: 2000 Szentendre, Szatmári utca 41., company reg. no.: 13-09-128715, represented by: Lajos Toldi, Managing Director, phone: +36-26-500-075, email: [email protected]) for the purpose of providing online storage (gironde.hu) and email communication services. Legal basis: Processing is necessary for the performance of a contract (Article 6(1)(b) GDPR).
Data transfers to third countries or international organizations:
None.
Automated decision-making, profiling:
Not performed. The Data Controller does not score or categorize data subjects in any way.
VI/7. Presence on Social Media Platforms (Facebook, Instagram)
The Data Controller can be reached on the Facebook social platform at the following links:
https://www.facebook.com/lorinhungary/ and https://www.facebook.com/justatisztaotthonert
as well as on the Instagram social platform at
https://www.instagram.com/lorin_hungary/?next=%2Fjuanmagini%2Ftagged%2F&hl=hu and
https://www.instagram.com/justhousehold/.
Here, natural persons (data subjects) may express various opinions, comments, and posts related to the Data Controller or the products distributed by them, react to content shared by the Data Controller, or maintain contact with them.
The Data Controller does not request any statistics based on personal data (e.g., visitor age, gender, marital status, etc.) from Facebook or Instagram regarding the individuals who visit their page.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
All natural persons who have registered on Facebook or Instagram and share, like, comment on, or voluntarily follow the Data Controller's content on their social media pages The registered name on the social platform, public profile picture, any additional photos, email address, other voluntarily uploaded data, opinions or messages related to the Data Controller or its products Until the voluntary withdrawal of the data subject's consent by deleting the comment/post
Legal basis for processing:
The data subject's voluntary consent (Article 6(1)(a) of the GDPR)
Source of data:
Directly from the data subject.
Purpose of data processing:
Operating the Facebook and Instagram pages. This includes communication and maintaining contact, sharing and liking content posted by the Data Controller about its products and promotions, thereby making its products more well-known and popular, and providing information to users about the promotions and other information advertised by the Data Controller. Furthermore, feedback for quality improvement regarding the product's quality or potential shortcomings. Also includes replying to messages and comments from visitors.
Consequence of failure to provide data:
The data subject will not be able to appear on the Data Controller's social media pages.
Recipients of personal data:
Meta, which operates Facebook and Instagram, acts as an independent data controller.
Contact details:
Meta Platforms Ireland Limited
4 Grand Canal Square
Grand Canal Harbour
Dublin 2, Ireland
Online contact: https://www.facebook.com/help/contact/1650115808681298
Facebook and Instagram's joint privacy policy can be accessed here:
https://hu-hu.facebook.com/privacy/policy?section_id=13-HowToContactMeta
Meta's privacy center can be accessed here:
https://www.facebook.com/privacy/center/
Automated decision-making, profiling:
The Data Controller does not perform any such data processing and does not score or categorize data subjects based on any system or criteria.
The Data Controller hereby informs data subjects that Facebook/Instagram (Meta) operates as an independent data controller. Users of Facebook/Instagram accept the social platform's privacy, contractual, and cookie policies independently of Gironde Kft., and these documents are beyond the control of Gironde Kft. Accordingly, the placement, deletion, withdrawal, and processing of personal data voluntarily provided by the data subject on the Data Controller's Facebook/Instagram pages are governed by the Facebook/Instagram (Meta) privacy policy.
We kindly ask that you consult the aforementioned websites and data protection information documents to learn about the data management principles and policies of Facebook/Instagram (Meta).
VI/8. Data Processing Related to Extraordinary Events and (Work) Accident Reports
According to point 3 of § 87 of Act XCIII of 1993 on Occupational Safety, a work accident is defined as an accident that occurs to the employee during organized work or in connection with it, regardless of the location and time of the event and the degree of the employee's (injured person's) involvement.
An accident is considered to be related to work if it occurs while the employee is engaged in activities connected to their occupation, such as commuting during work-related travel, material procurement and handling, cleaning, organized workplace catering, occupational health services, or other services provided by the employer.
An accident that occurs to an employee on their way from home (or accommodation) to the workplace or back is not considered a work accident, unless it happens in a vehicle owned by the employer or provided by the employer through a rental, contract, or other agreement.
If an employee suffers an accident falling under the above definition, the Data Controller – if possible, together with the injured employee and other key persons involved in investigating the circumstances of the accident, such as eyewitnesses – shall immediately complete the work accident report as defined in Annex 4/a of Decree No. 5/1993 (XII.26.) of the Ministry of Labour (hereinafter referred to as the "report"). If there are multiple injured parties, a separate report shall be completed for each.
In addition to employees, other natural persons present at the Data Controller's headquarters (guests, business partners) may also suffer accidents or other extraordinary events (e.g., sudden illness), which may require the creation of a report and the processing of personal data.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
- All employees who suffer a work accident
- Other natural persons present at the headquarters (guests, business partners)
- Personal data required in the report: name, social security number, birth name, mother's name, place and date of birth, gender, nationality, address, phone number (with the consent of the injured party), occupation (according to FEOR), nature of employment, and type of employment. In addition to these, other personal data necessary for reconstructing the accident and clarifying the facts, e.g., data of witnesses or persons providing first aid: name, address, phone number, statements, as well as photo and video recordings.
- For extraordinary events involving customers or visitors: name, phone number, contact address, in the case of minors the legal guardian's name and contact details, the date and description of the event/accident/illness, names and contact details of witnesses, actions taken by the Data Controller
 Five years from the date the report is completed, according to the general statute of limitations
Legal Basis for Data Processing:
1. In case of a work accident: Data processing is necessary for the fulfillment of a legal obligation (Article 6(1)(c) of the GDPR, §§ 64–68 of Act XCIII of 1993, and Annex 4/a of Decree No. 5/1993 (XII.26.) of the Ministry of Labour).
2. In case of an event/accident/illness involving other natural persons: Data processing is necessary for the purposes of the legitimate interest pursued by the Data Controller (Article 6(1)(f) of the GDPR).
Source of Data:
Directly from the data subject.
Purpose of Data Processing:
1. In case of a work accident: Notifying the competent authority (occupational safety inspectorate), the social insurance payment body, and/or insurance company; taking necessary legal actions; identifying the injured employee(s).
2. In case of an event involving other natural persons: To precisely document the occurrence and circumstances of the event in order to prevent possible future legal claims or proceedings against the Data Controller.
The Data Controller has a legitimate interest in accurately documenting extraordinary events, accidents, or sudden illnesses that occur at its headquarters to prevent potential future legal claims or proceedings.
(A legitimate interest assessment concerning such data processing is available in full upon request by the data subjects. Requests must be submitted via the Data Controller's email or postal address.)
Duration of Data Processing:
Five years from the date the report is completed.
Consequence of not providing data:
Without the data, it is not possible to clarify the circumstances of the work accident or other nonwork-related events/accidents and to assert potential future claims.
Recipients of Personal Data:
• Competent occupational safety and other authorities, courts, and state bodies involved in investigating the accident or other events.
Data Transfers to Third Countries or International Organizations:
None.
Automated Decision-Making or Profiling:
The Company does not engage in any such data processing. The data subjects are not rated or categorized in any way based on any system or criteria.
VI/9. Organizing Prize Draws
The Data Controller provides the data subject with the opportunity to participate in prize draws organized, announced, and promoted on its websites and/or Facebook/Instagram pages, by accepting the published game rules.
DATA SUBJECTS PERSONAL DATA PROCESSED DURATION OF DATA PROCESSING
All natural persons who wish to participate in prize draws organized on the Data Controller's websites and/or Facebook/Instagram pages in accordance with the announced game rules Name, email address, and in case of winning, the winner's delivery address data: name of town/city, street name, house number, floor, door number, postal code. Additionally, the name registered on the data subject's Facebook/Instagram profile, comments submitted/posted in connection with the prize draw, and – subject to separate consent – display of the data subject as a winner on the Data Controller's Facebook/Instagram page. Until the announcement of the result of the prize draw and/or until the voluntary consent of the data subject is withdrawn
• Legal basis of data processing: the data subject’s voluntary consent (Article 6(1)(a) of the GDPR)
• Source of data: provided directly by the data subject
• Purpose of data processing: participation in prize draws organized by the Data Controller, conducting the draw, notifying winners, delivering the prize, and the necessary communication related thereto
Recipients or categories of recipients of personal data:
1. Highlights Group Kft.
(registered seat: 1071 Budapest, Damjanich utca 28. A building, 3rd floor, 6/A door, company registration number: 01-09-409474, represented by: Veronika Heckmann, managing director, phone: +36-30-410-8374, e-mail: [email protected]), for marketing and promotional activities including prize draw organization.
o Legal basis: necessary for the performance of a contract (Article 6(1)(b) of the GDPR)
2. Meta, the independent data controller operating Facebook/Instagram
o Address: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
o Online contact: https://www.facebook.com/help/contact/1650115808681298
o Joint Facebook and Instagram privacy policy: https://hu-hu.facebook.com/privacy/policy?section_id=13-HowToContactMeta
o Meta privacy center: https://www.facebook.com/privacy/center/
Automated decision-making and profiling:
The Company does not carry out any such data processing activities. No profiling or categorization of data subjects is performed based on any system or criteria.
The data subject may withdraw their voluntary consent given for the personal data specified in this section and for the specified data processing purposes at any time by sending a written statement to any of the contact details indicated in Section II of this policy. Withdrawal of consent is free of charge and not subject to any condition. However, the withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.
Important Note from the Data Controller:
Facebook/Instagram (Meta) acts as an independent data controller, separate from the Data Controller. Users of these social media platforms accept the platforms’ privacy, contractual, and cookie policies independently of Gironde Kft., over which the Data Controller has no influence. Therefore, regarding the submission, deletion, withdrawal, and processing of personal data and related content provided voluntarily by the data subject on the Data Controller’s Facebook/Instagram pages, the relevant privacy policy of Facebook/Instagram (Meta) shall apply. Please refer to the links above for more information.
The Data Controller does not request any statistics (e.g., regarding age, gender, marital status, etc.) based on personal data from Facebook/Instagram in relation to those visiting, liking, participating in, or commenting on the prize draws organized on its page.
VII. SECURITY OF DATA PROCESSING
The Data Controller hereby informs the data subjects that, in accordance with Article 32(1) of the GDPR and Recital (83) of the GDPR, it has implemented and continuously implements all appropriate technical and organizational measures to ensure the protection of personal data during data processing in compliance with the provisions of the GDPR, and to minimize the risk of data protection incidents as much as possible.
The Data Controller has established its own data security policy(ies) and procedure(s) capable of ensuring data security appropriate to the level of risk associated with the data it processes, with special regard to preventing unauthorized access, deletion, destruction, alteration, and disclosure.
In order to meet data security criteria, the Data Controller has taken several data security – including IT-related – measures to avoid data protection incidents, such as:
• Use of specially designed software to prevent easy access via the internet to the Data Controller’s computer systems (including both hardware and software).
• Prevention of unauthorized access to, copying, deletion, or removal of data carriers.
• Regular scheduling of backups at defined intervals.
• Storage of backups on different physical devices than the source device.
• Password protection on IT devices.
• Regular password changes at defined intervals.
• All staff of both the Data Controller and any data processors are bound by confidentiality obligations.
• Even authorized system users may only access data for which they have explicit permission.
• The Data Controller ensures that the installed systems can be restored in the event of a malfunction and that such malfunctions are properly reported.
In addition to striving to process only data that is absolutely necessary for the purposes of processing and for only as long as necessary, the Data Controller also pays special attention to the continuous development and testing of the company's IT protection systems.
During all data processing activities listed in Section VI – including data storage, deletion, and correction – the Data Controller ensures that the protection level of the data subjects’ personal data meets the statutory requirements.
If, despite the security efforts described in this section, a data protection incident should occur, the Data Controller will immediately take all actions required by law, proportionate to the severity of the incident.
In the event of a data protection incident, and depending on its severity (if the breach poses a high risk to the rights and freedoms of the data subject), the Data Controller will promptly notify the affected data subjects and report the incident to the Authority within 72 hours as prescribed.
Employees of the Data Controller who are responsible for processing personal data may only carry out their duties after signing a confidentiality agreement.
Recordings made by the camera system, their backups, and other documents containing personal data are stored on servers located at the Data Controller’s headquarters, under enhanced security measures.
In addition to physical protection measures, the servers are also equipped with adequate IT security to prevent virus infections, hacking attempts, data leaks, unauthorized access, and other IT threats – thereby minimizing the chance of a data protection incident.
Administrative protection of the servers and the personal data stored on them is ensured by the Data Controller’s data protection structure, policies, strictly regulated and documented access controls, and the data protection training of employees handling personal data.
VIII. OTHER RECIPIENTS
For each data processing activity outlined in Section VI, the Data Controller provides a detailed description of the recipients, i.e., the entities or individuals with whom personal data may be shared. In every instance, the legal basis and purpose of such data transfers are also specified.
In addition to the recipients listed for each processing activity in Section VI, personal data may also be disclosed to the following authorities, organizations, and individuals under specific circumstances:
• Authorities or organizations handling consumer protection complaints, including courts and arbitration bodies (e.g., the Conciliation Board).
Purpose of transfer: To support the official procedures of the authority or organization.
Legal basis: Compliance with a legal obligation.
• Authorities and courts authorized to supervise the Data Controller or compel it to provide data.
Purpose of transfer: To facilitate lawful oversight and regulatory processes.
Legal basis: Compliance with a legal obligation.
• Courts, bailiffs, notaries public, and legal or contractual representatives of the data subject in connection with legal proceedings involving the data subject.
Purpose of transfer: Initiation of legal proceedings or the facilitation of legal representation.
Legal basis: Compliance with a legal obligation.
The Data Controller shall only disclose personal data to the aforementioned authorities or entities to the extent that such data is necessary to fulfill the specific request.
Principles Governing Data Processing and Data Transfer
The following principles are upheld by the Data Controller during data processing and transfers, and it seeks to ensure these are also observed by any Data Processor acting on its behalf:
• Personal data shall only be transferred on the basis of the data subject’s explicit consent, contractual necessity, legitimate interest, or legal obligation, provided that the legal basis for the transfer is clearly identified and both the recipient and the purpose of the transfer are well defined.
• The Data Controller defines the instructions for data processing to the Data Processor and remains fully responsible for the lawfulness of such instructions.
• The Data Processor shall not perform any independent data processing or use the personal data provided for its own purposes.
• The Data Processor is obliged to comply with the Data Controller's instructions regarding the processing of the transferred personal data.
• Accordingly, the Data Processor may not make independent decisions concerning the personal data, such as unilaterally deleting it.
• The Data Processor may only engage a sub-processor with the prior written consent of the Data Controller.
• In the event of a personal data breach occurring at the Data Processor, the Data Processor is required to report the incident without undue delay to the Data Controller.
The Data Controller is committed to ensuring full compliance with the provisions and principles of the General Data Protection Regulation (GDPR) during any data processing or transfer operations.
IX. RIGHTS OF DATA SUBJECTS
The rights of data subjects in relation to the data controllers processing their personal data are primarily governed by Articles 7 and 12–22 of the General Data Protection Regulation (GDPR). The exercise of these rights may depend on the legal basis of the data processing. An overview is provided in the table below, followed by a detailed explanation of each right and the available remedies as described in Section XI.
Legal Basis Right to Information Right of Access Right to Data Portability Right to Rectification Right to Erasure Right to Restriction of Processing Right to Object Right to Withdraw Consent
Consent
Contractual Necessity
Legal Obligation
Vital Interests
Public Interest / Authority
Legitimate Interests
Data subjects may exercise their rights by contacting the Data Controller using the contact information provided in Section II of this Privacy Notice.
Under the GDPR, the general requirements for fulfilling these rights are as follows:
• All information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
• Information must be provided in writing or by other means, including, where appropriate, electronic formats.
• Upon the data subject’s request, oral information may also be provided, provided that identity can be verified by other means.
• If the request was submitted electronically, the response should also be provided electronically, unless otherwise requested by the data subject.
• The Data Controller must provide the requested information or take the necessary actions without undue delay, and at the latest within one month of receiving the request. This period may be extended by a further two months if the request is complex or numerous. In such cases, the Data Controller must inform the data subject within one month of receiving the request, explaining the reasons for the delay.
• If the Data Controller does not take action in response to a request, they must inform the data subject within one month, providing the reason and notifying the data subject of their right to lodge a complaint with a supervisory authority and seek judicial remedy.
• The information required under Articles 13 and 14, as well as data subject rights from Articles 15 to 22, and notifications under Article 34 (in case of a data breach), must be provided free of charge. However, if a request is manifestly unfounded or excessive, in particular due to its repetitive nature, the Data Controller may either:
o charge a reasonable fee reflecting the administrative costs of responding to the request; or
o refuse to act on the request, provided the Controller can demonstrate its unfounded or excessive nature.
RIGHT TO INFORMATION – Articles 13 and 14 of the GDPR
Where personal data relating to a data subject is collected directly from the individual, the Data Controller shall, at the time of collection, provide the following information (the corresponding section of this Privacy Notice is indicated in parentheses):
a) The identity and contact details of the Data Controller and its representative (Section II)
b) Contact details of the Data Protection Officer, if applicable (Section II)
c) The purpose of the processing and the legal basis (Sections V, VI)
d) Where processing is based on legitimate interests under Article 6(1)(f), the legitimate interests pursued by the Controller or a third party (Sections V, VI/1). The Data Controller shall make the legitimate interest assessment available upon request via email or postal address.
e) The recipients or categories of recipients of the personal data, if any (Sections VI, IX)
f) Where applicable, the intention to transfer personal data to a third country or international organisation
In addition, the Data Controller must provide:
a) The period for which the personal data will be stored, or if not possible, the criteria used to determine that period (Sections V, VI)
b) The data subject’s rights to request access, rectification, erasure, restriction of processing, objection, and data portability (Section X)
c) In cases where processing is based on consent under Article 6(1)(a) or Article 9(2)(a), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Section VI)
d) The right to lodge a complaint with a supervisory authority (Section XI)
e) Whether the provision of personal data is a statutory or contractual requirement, or necessary for entering into a contract, and whether the data subject is obliged to provide the data and the consequences of not doing so (Section VI)
f) The existence of automated decision-making, including profiling, as referred to in Articles 22(1) and (4), and meaningful information about the logic involved, as well as the significance and potential consequences of such processing for the data subject. (The Data Controller does not engage in such automated decision-making or profiling.)
If the Data Controller intends to process the personal data for a purpose other than that for which it was collected, the data subject shall be informed in advance of the new purpose and any relevant additional information.
The Data Controller also has an obligation to inform data subjects:
• About any personal data breach, including the nature of the incident, its likely consequences, and the measures taken to address it (Article 34)
• About any data transfers to recipients, including the legal basis, purpose, and the identity of the recipients (Sections VI, IX)
RIGHT OF ACCESS TO PERSONAL DATA – Article 15 of the GDPR
The data subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed. Where that is the case, the data subject shall have the right to access such personal data and the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the data subject’s rights to request from the Controller the rectification or erasure of personal data or the restriction of processing, or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Upon the data subject’s request, the Data Controller shall provide a copy of the personal data undergoing processing. This shall be provided free of charge, either electronically or by postal mail, depending on the data subject’s request.
In case of repeated requests concerning the same subject matter, the Data Controller reserves the right to charge a reasonable fee based on administrative costs or to refuse to act on the request, provided the request is manifestly unfounded or excessive.
The right of access may be exercised in writing via the contact details provided in Section II, or orally, provided that the data subject’s identity can be verified.
Right to Rectification: Article 16 of the GDPR
The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If the data necessary for rectification is already available to the Controller, the rectification shall be carried out automatically, without the need for a separate request from the data subject.
Right to Erasure ("Right to be Forgotten"): Article 17 of the GDPR
The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
• the personal data have been collected in relation to the offer of information society services.
However, the right to erasure is not absolute and does not apply to the extent that processing is necessary:
• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation requiring processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority;
• for reasons of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
• for the establishment, exercise or defence of legal claims.
In such cases, even if the data subject submits a request for erasure, the Controller may reject the request where the processing is based on legal obligations (e.g. mandatory retention of invoices under the Accounting Act for 8 years, or consumer complaint documentation under consumer protection laws for 3 years), or where the processing is necessary for the purposes of legitimate interest (e.g. pending legal disputes).
In cases where processing is based solely on the voluntary consent of the data subject, such limitations do not apply, and the data shall be erased upon request.
If the Controller denies an erasure request, it will always respond in writing with a justification for the refusal.
Right to Restriction of Processing: Article 18 of the GDPR
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, the controller shall inform the data subject before the restriction is lifted.
Right to Data Portability: Article 20 of the GDPR
The data subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
• the processing is based on consent or on a contract; and
• the processing is carried out by automated means.
The exercise of the right to data portability shall not adversely affect the rights and freedoms of others, and shall not undermine the right to erasure (“right to be forgotten”).
Right to Object: Article 21 of the GDPR
The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them based on:
• processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR) – note: the Controller does not engage in this type of processing; or
• processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1)(f) GDPR), unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
In cases of data processing based on legitimate interest, the data subject may object at any time. Upon receiving an objection, the Controller shall perform a renewed legitimate interest assessment, weighing the interests of the data subject against the compelling legitimate grounds of the Controller.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to Withdraw Consent: Article 7 of the GDPR
The data subject shall have the right to withdraw their previously given voluntary consent at any time — for example, in the case of subscribing to newsletters or receiving marketing messages.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The data subject must be informed of this right prior to giving consent.
In all data processing activities listed under Section V that are based on voluntary consent, this will be explicitly indicated.
Automated Decision-Making in Individual Cases, Including Profiling: Article 22 of the GDPR
(This type of data processing is not carried out by the Controller and is presented here for the sake of completeness.)
The data subject shall have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them.
This right shall not apply if the decision:
• is necessary for entering into, or the performance of, a contract between the data subject and a data controller;
• is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests;
• is based on the data subject’s explicit consent.
According to the GDPR, “profiling” refers to any form of automated processing of personal data evaluating certain personal aspects relating to a natural person — in particular, to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Exercising Data Subject Rights After Death: Section 25 of the Hungarian Info Act (Infotv.)
In the case of data processing falling under the scope of the GDPR, the rights of access, rectification, erasure, restriction of processing, and objection — which would have applied to the deceased data subject during their lifetime — may be exercised by a person authorized by the data subject in a public document or in a private document with full probative force, submitted to the data controller.
This authorization remains valid for five years following the death of the data subject.
For data processing activities not covered by the GDPR, the exercisable rights are access, rectification, erasure, and restriction of processing.
If the data subject did not make a legal declaration as described above, their close relative — as defined by the Hungarian Civil Code — shall be entitled to exercise certain rights related to data processing (whether under or outside the scope of the GDPR), within five years after the data subject’s death.
Among such relatives, the one who first exercises these rights shall be entitled to do so.
XI. REMEDIES
As a guarantee of the enforcement of the rights of the data subject, the data controller shall examine the request submitted by the data subject within the shortest possible time, but no later than one month from the submission, and shall make a decision on the merits of the request. The data subject will be informed of the decision in writing (electronically, if the request was submitted electronically) free of charge.
Therefore, if you, as the data subject, have any questions or requests concerning the processing of your personal data by us, please do not hesitate to contact us directly using the contact details provided in Section II. We place great emphasis on fully complying with data protection regulations, including responding to requests and inquiries from data subjects within the set deadlines and resolving any issues in a satisfactory manner.
By contacting us, you not only ensure the quickest possible solution to your specific data protection issue or question, but also avoid unnecessary and unfounded authority or judicial procedures.
If we grant your request, we or the data processor acting on our behalf or under our instructions will correct, delete, or restrict the processing of your personal data. If your request is granted, we will also inform the recipients to whom the data was transferred before this action, so they can implement the correction, deletion, or restriction of data processing within their own data processing activities.
If we reject your request, we will inform you immediately in writing, providing the legal and factual grounds for the rejection, and informing you of your rights (including the possibility to exercise your rights of rectification, erasure, or restriction of processing with the assistance of the Authority).
In case of a rejection, the following legal remedies are available to you:
1. You may initiate an investigation by the Data Protection Authority, citing that an infringement of your personal data rights has occurred or is at risk of occurring.
2. You may request the Data Protection Authority to conduct an administrative procedure if you believe that your personal data is being processed in violation of the applicable legal requirements set forth in national or European Union law.
3. You may also turn to the courts if you believe that your personal data is being processed in violation of the relevant legal requirements by the data controller or a data processor acting on their behalf or under their instructions. The data controller or the data processor must prove that the processing of the data complies with the relevant laws and regulations. You may file the lawsuit at the court in your place of residence or habitual residence.
If the court upholds your claim, it will confirm the fact of the infringement and order the data controller or the data processor acting on their behalf to:
• Cease the unlawful processing of personal data;
• Restore the lawfulness of data processing; and
• Ensure the enforcement of your rights, as per specific behavior requirements.
Additionally, the court may also decide on claims for compensation or damages.
Any person who has suffered material or non-material damage as a result of a GDPR infringement is entitled to compensation from the data controller or the data processor.
All data controllers involved in the data processing are responsible for any damage caused by processing that infringes the GDPR. A data processor is liable for damage caused by processing only if it failed to comply with specific obligations set out in the GDPR or ignored the lawful instructions of the data controller.
The data controller or its data processor is exempt from liability if it can prove that it was not responsible for the event that caused the damage.
Contact Details of the National Data Protection and Freedom of Information Authority
Address: 1055 Budapest, Falk Miksa Street 9-11.
Mailing Address: 1363 Budapest, P.O. Box 9.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: [email protected]
URL: http://naih.hu
Information on complaints related to the exercise of data subject rights: http://naih.hu/panaszuegyintezes-rendje.html

We are looking for distributors!

We invite interested distributors to join us in delivering high-quality, affordable products to consumers worldwide.

Fill out the form and we will reach out!