DORINKA Fashion Korlátolt Felelősségű Társaság (registered office: 1143 Budapest, Hungária körút 83.; company registration number: 01-09-389178; VAT number: 27415201-2-42; hereinafter referred to as the “Data Controller”) as the Data Controller hereby informs the customers (hereinafter referred to as the “Data Subject”) who shop through the Data Controller’s webshop about the processing of their personal data, in accordance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).
DORINKA Fashion Korlátolt Felelősségű Társaság (registered office: 1143 Budapest, Hungária körút 83.; company registration number: 01-09-389178; VAT number: 27415201-2-42)
“personal data”: any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Data Controller”: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and executes decisions regarding the data processing (including the means used) or has them executed by a Data Processor, within the limits set by law or by a legally binding act of the European Union;
“data processing”: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“the Data Subject’s consent”: a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he/she, by a statement or by an act unambiguously expressing consent, signifies his/her agreement to the processing of personal data concerning him/her;
“Data Processor”: a natural or legal person or an unincorporated body which processes personal data on behalf of or under the instructions of the Data Controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union;
“data processing”: all data processing operations carried out by a Data Processor acting on behalf of or under the instructions of the Data Controller;
“data transfer”: the making available of data to a specified third party;
“disclosure to the public”: making the data available to anyone;
“data erasure”: rendering the data unrecognisable in such a way that it is no longer possible to recover it;
“profiling”: any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his/her performance at work, economic situation, health, personal preferences or interests, reliability, behaviour, location or movements;
“recipient”: a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities that may have access to personal data in the context of an individual investigation in accordance with the EU or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the data processing;
“data breach”: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The processing of personal data must be lawful, fair and transparent for the Data Subject. (Article 5(1)(a) of the GDPR)
Personal data may be collected only for specified, explicit and legitimate purposes, for the exercise of rights and the performance of obligations and may not be processed in a way incompatible with those purposes. Only personal data that is necessary for the purpose of the data processing and is suitable for achieving that purpose may be processed. Personal data may be processed only to the extent and for the duration necessary for the purposes for which they are collected. (Article 5(1)(b) of the GDPR)
The personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. (Article 5(1)(c) of the GDPR)
The personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without undue delay. (Article 5(1)(d) of the GDPR)
Personal data should be kept in a form which permits the identification of the Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data should be kept for longer periods only if the personal data are processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with the applicable law, subject to the implementation of appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of the Data Subjects. (Article 5(1)(e) of the GDPR)
Personal data must be processed in such a way as to ensure the adequate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures. (Article 5(1)(f) of the GDPR)
The Data Controller is responsible for compliance with the data processing principles and must be able to demonstrate such compliance. (Article 5(2) of the GDPR)
The Data Subject may withdraw his/her consent at any time. The withdrawal of consent does not affect the lawfulness of the data processing prior to the withdrawal.
The Data Controller and the Data Processor it uses shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the scale of the risk, taking into account the state of science and technology and the cost of implementation, the nature, scope, context and purposes of the processing, and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons.
The Data Controller shall ensure the security of the personal data of the Data Subjects and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the GDPR, the Information Act and other data protection and confidentiality rules.
The Data Controller shall take appropriate measures to protect the personal data against, in particular, unauthorised access, alteration, disclosure, transmission, erasure or destruction, accidental destruction or damage and inaccessibility resulting from changes in the technology used.
All persons involved in the data processing must exercise the utmost care in their work to ensure the authenticity and preservation of the data and to prevent unauthorised access.
Everyone should have access only to the data they need to do their job, and only to the extent they need it.
In order to protect the electronically managed data files in the different registers, the Data Controller shall ensure by appropriate technical means that the data stored in the registers cannot be directly linked and attributed to the Data Subject, unless permitted by law.
In order to maintain security and prevent processing in breach of the GDPR or the Information Act, the Data Controller shall assess the risks inherent in the nature of the data processing and, where necessary, apply additional measures to mitigate those risks, such as encryption, pseudonymisation. Currently, the Data Controller does not apply such measures.
The Data Controller shall select and operate the IT tools used to process the personal data in the course of providing its services in such a way that the personal data processed:
The Data Controller shall check the following during the data processing:
In order to enforce and ensure the conditions of data security, the Data Controller shall ensure the adequate and regular training and further training of the employees, subcontractors and personal contributors concerned.
No automated decision making, including profiling, takes place during the data processing.
The Data Controller uses the following Data Processor in connection with the data processing:
UPS Magyarország Kft., its data processing related activities: transport, forwarding; e-mail address: firstname.lastname@example.org
The personal data will be transferred to the following recipients:
The personal data will not be transferred to a third country (i.e. outside the European Union) or to an international organisation.
Within the Data Controller’s organisation, the personal data of the Data Subjects may only be transferred in accordance with the purpose limitation principle and access to such data may only be granted for an appropriate purpose.
The Data Controller may use the personal data of the Data Subjects for direct marketing or information purposes, in particular for its own commercial purposes, only with the explicit and prior consent of the Data Subject.
General rules on the transfer of data to third parties other than the Data Controller:
Personal data may be transferred to third parties only on the basis of a legal authorisation or with the prior consent of the Data Subject.
Prior to the data transfer, the Data Controller is obliged to check whether the legal conditions for the data transfer are met and whether the conditions for the processing of each personal data are met after the transfer.
The Data Protection Officer must be involved in the examination of the lawfulness of the data transfer before the transfer is made to the same Data Controllers for the same Data Subject and for the same purpose. Subsequent data transfers do not require a specific investigation.
Data transfers abroad or to a third country:
Prior to the data transfer, the Data Controller, with the involvement of the Data Protection Officer, is obliged to verify that the legal conditions for the data transfer are met and that the conditions for the data processing are met for each personal data subject to the transfer.
Pursuant to Article 13(1)(f) of the GDPR, the Data Controller states that at the date of entry into force of this Privacy Notice, it does not transfer any data processed by it to an international organisation.
Pursuant to Article 13(1)(f) of the GDPR, the Data Controller states that, at the date of entry into force of this Privacy Notice, in the case of air transportation to a third country of a person cared for by the Data Controller, or to another country for the purpose of organising care, the Data Controller will only transfer personal data to the air traffic controller or ground ambulance service or the Data Subject’s close family members in accordance with this Privacy Notice, if at least one of the following conditions is met:
In any other cases, the Data Controller will not transfer data it processes to third countries.
Provision of data following a request from a public authority
On the basis of a request for data from the official bodies (in particular, but not exclusively, courts, prosecutors’ offices, investigating authorities, law enforcement authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, or other bodies authorised by law), the Data Controller shall provide information, disclose data, transfer data or make documents available – in the manner and with the content specified therein – if the request for data from the requesting authority is, to the best of the Data Controller’s knowledge, likely to be lawful. The Data Controller excludes any further liability for any unlawful transmission of personal data to the official bodies.
The personal data processed by the Data Controller may be transferred without the consent of the Data Subject in the following cases:
I acknowledge that the following personal data stored by the Data Controller DORINKA Fashion Korlátolt Felelősségű Társaság (registered office: 1143 Budapest, Hungária körút 83.) in the user database of dorinadobor.com will be transferred to OTP Mobil Kft. as Data Processor. The data transmitted by the Data Controller are the following: [name, e-mail address, billing address, delivery address, phone number]. The nature and purpose of the data processing activities carried out by the Data Processor can be found in the SimplePay Privacy Notice, at the following link: https://simplepay.hu/vasarlo-aff
A data breach is a breach of security within the meaning of the GDPR that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Any employee, Data Processor or other person involved in the processing of the personal data who becomes aware of a personal data breach shall report it without delay to the Data Controller’s representative or the Data Protection Officer, who shall promptly investigate and propose the necessary measures and ensure and monitor the implementation of the measures set out below.
Reporting a data breach:
The Data Controller shall notify the data breach to the competent supervisory authority (NAIH) without undue delay and, if possible, no later than 72 hours after becoming aware of the data breach, unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons justifying the delay.
The information provided must include:
Informing the Data Subjects:
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the representative of the Data Controller shall, without undue delay, inform the Data Subject of the personal data breach, indicating its nature, the name and contact details of the Data Controller’s contact person, the likely consequences and the measures taken or envisaged to remedy or mitigate the personal data breach, unless one of the cases provided for in Article 34(3) of the GDPR applies.
Investigating and handling data breaches:
The person in charge of the process that handles or processes the data must inform the Data Controller’s representative or the Data Protection Officer of the measures taken to remedy the data breach immediately after the implementation of the measures in question, but no later than within 2 (two) working days.
Registration of data breaches:
The Data Controller shall keep a record of the data breaches, which shall include the facts relating to the data breach, its effects and the measures taken to remedy it.
The Data Subject may request the Data Controller to:
Right of access:
The Data Subject has the right to receive feedback from the Data Controller as to whether or not his/her personal data are being processed and, if such processing is ongoing, the right to access the personal data. The Data Controller shall provide the Data Subject with a copy of the personal data subject to the data processing. For additional copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on the administrative costs. If the Data Subject has submitted the request by electronic means, the information shall be provided in a commonly used electronic format, unless the Data Subject requests otherwise.
Right to rectification:
The Data Subject shall have the right to obtain from the Data Controller, upon his/her request, the rectification of inaccurate personal data relating to him/her without undue delay.
Right to erasure:
The Data Subject shall have the right to obtain from the Data Controller, upon his/her request, the erasure of personal data relating to him/her without undue delay, and the Data Controller shall be obliged to erase the personal data relating to the Data Subject without undue delay if one of the following grounds applies:
Right to the restriction of the data processing:
The Data Subject shall have the right to obtain from the Data Controller, at his/her request, the restriction of the data processing if one of the following conditions is met:
If the data processing is restricted, such personal data, except for storage, may only be processed with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the EU or of a Member State.
Right to data portability:
The Data Subject is also entitled to receive the personal data concerning him/her which he/she has provided to the Data Controller in a structured, commonly used, machine-readable format and to transmit such data to another data controller without hindrance from the Data Controller to which he/she has provided the personal data, if: (i) the data processing is based on Article 6(1)(a) of the GDPR, or on the consent within the meaning of Article 9(2)(a) of the GDPR, or on a contract within the meaning of Article 6(1)(b) of the GDPR; and (ii) if the data processing is carried out by automated means.
Right to object:
The Data Subject shall have the right to object at any time, on grounds relating to his/her particular situation, to the processing of his/her personal data based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. In this case, the Data Controller may no longer process the personal data, unless the Data Controller proves that the data processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject or are related to the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to the processing of the personal data concerning him/her for such purposes, including profiling, where it is related to direct marketing. If the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.
General rules on the exercise of the rights of the Data Subject:
The Data Controller shall inform the Data Subject of the action taken in response to his/her request without undue delay, but no later than one month from the date of receipt of the request. If necessary and taking into account the complexity of the application and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the Data Subject of the extension of the deadline within one month of receipt of the request, stating the reasons for the delay. If the Data Subject has submitted the request by electronic means, the information shall be provided by electronic means where possible, unless the Data Subject requests otherwise.
The Data Controller shall provide the Data Subject with information and action free of charge. Where the Data Subject’s request is manifestly unfounded or excessive – in particular because of its repetitive nature – the Data Controller shall, taking into account the administrative costs of providing the information requested or of taking the action requested:
The burden of proving that the request is manifestly unfounded or excessive lies with the Data Controller.
If the Data Controller has reasonable doubts about the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the Data Subject.
The Data Subject may take the Data Controller to court in case of a breach of his/her rights. The court shall hear the case as a matter of priority. The Data Controller is required to prove that the data processing complies with the law. The court (in the capital, the Metropolitan Court) has jurisdiction to hear the case. The action may also be brought before the courts of the place of residence or domicile of the Data Subject.
The Data Controller shall compensate for any damage caused to others by the unlawful processing of the Data Subject’s data or by breaching the requirements of data security. The Data Controller shall be exempted from liability if it proves that the damage was caused by an unavoidable cause outside the scope of the data processing. No compensation is payable if the damage was caused intentionally or by gross negligence on the part of the victim.
The Data Subject may also contact the National Authority for Data Protection and Freedom of Information in the event of a complaint regarding the processing of his/her personal data (Dr. Attila Péterfalvi, President of the National Authority for Data Protection and Freedom of Information, postal address: 1363 Budapest, Pf.: 9., address: 1055 Budapest, Falk Miksa utca 9-11.; Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; E-mail: email@example.com; website: www.naih.hu).