1. INTRODUCTORY PROVISIONS

1.1 DRPG Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (2000 Szentendre, Petyina utca 4., tax number: 14378012-2-13, company registration number: Cg.13-09-135588), as service provider and data controller (“the Service Provider” or “the Data Controller”), acknowledges the provisions set out in this Policy as binding upon itself. It undertakes that all data processing related to its activities shall comply with the requirements set forth in this Policy and in the applicable legislation in force at all times.

1.2 The Service Provider reserves the right to amend this Policy unilaterally at any time, which shall be binding on its customers as of the publication of the amended Policy.

1.3.1 The Service Provider is committed to protecting the personal data of its customers and users (“customers” or “users”); it treats personal data confidentially and takes all security, technical, and organizational measures that guarantee the security of such data.

1.3.2 The Service Provider processes exclusively the personal data of customers who register voluntarily, in accordance with the provisions of this Policy.

For the purposes of this Policy, the Service Provider defines as “customers” those persons who purchase or order goods distributed by the Service Provider either in person or by other means.

1.3.3 The Service Provider sells goods to natural person customers only if the natural person is at least sixteen (16) years old. Since in the case of orders placed electronically or otherwise in writing, natural person customers provide their personal data themselves and voluntarily, responsibility for the accuracy of the birth date or age provided to the Service Provider rests with the natural person customer.

1.4 Data processing by the Service Provider is always based on voluntary consent.

However, statutory provisions may require the processing, storage, or transmission of a specified scope of data provided by customers; the Service Provider will inform customers separately in such cases.

1.5 We draw the attention of data providers to the fact that if they provide personal data not of their own, it is their responsibility to obtain the consent of the data subject. The data provider is responsible for disclosing data without consent and for the accuracy of the disclosed data.

1.6 By accepting this Policy, customers also accept that for the purpose of delivering the ordered goods to their home, the Service Provider will provide their address and telephone number, on a case-by-case basis, to its subcontractor performing the delivery. The Service Provider informs its customers that, to the best of its knowledge, such subcontractors do not record these data, do not create databases from them, do not process or use them, and do not identify customers based on them.

1.7 The data processing principles of the Service Provider are in line with the applicable legislation on data protection, in particular the following:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);

• Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.);

• Act V of 2013 on the Civil Code (Ptk.);

• Act CLV of 1997 on Consumer Protection (Fgytv.);

• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Services Related to the Information Society (Eker. tv.);

• Act C of 2003 on Electronic Communications (Eht.).

2. SCOPE OF PERSONAL DATA – PURPOSE, LEGAL BASIS, DURATION

2.1 DATA PROCESSING

2.1.1 Customer Data

Purpose of processing: purchase from the Service Provider, ensuring home delivery, issuing invoices, maintaining customer records, distinguishing customers from each other, documenting purchases and payments, fulfilling accounting obligations, customer relations, analyzing customer habits.

Legal basis for processing: data processing is necessary for the performance of a contract [Article 6 (1) b) GDPR], and under Section 169 (2) of the Accounting Act.

Types of processed personal data: ID number generated by the Service Provider, order date and time, customer’s full name, delivery address, purchased products’ names, quantities, purchase price, payment method.

Duration of processing: eight (8) years, in accordance with Section 169 (2) of the Accounting Act.

In the case of card payments, the data of the bank card and the card payment transaction are processed by MKB Bank Zrt. (1056 Budapest, Váci utca 38.) and Salt Hungary Zrt. (1072 Budapest, Rákóczi út 42. EMKE Office Building II. floor).

In the case of payment by bank transfer, the payment transaction data are processed by MKB Bank Zrt. (1056 Budapest, Váci utca 38.).

Possible consequences of non-provision of data: the customer will not receive the ordered goods, the ordered goods cannot be delivered, and the customer cannot receive an invoice issued in their name.

Data transfer: in case of card payment, the payer’s identifier, transaction amount, date, and time are transferred to MKB Bank Zrt. (1056 Budapest, Váci utca 38.).

Legal basis of transfer: processing is necessary for the performance of a contract [Article 6 (1) b) GDPR].

Processors:

• IT administration: Intralog Magyarország Kft. (1148 Budapest, Nagy Lajos király útja 62. I/11.)

• Maintenance of the cash register system: Pezo Info Kft. (1037 Budapest, Erdőalja út 36. fszt. 2.)

• Operation of the card reader terminal: MKB Bank Zrt. (1056 Budapest, Váci utca 38.) and Salt Hungary Zrt. (1072 Budapest, Rákóczi út 42. EMKE Office Building II. floor)

• Document storage, document destruction: Service Provider

2.1.2 Handling of Quality Complaints, Returns

Purpose of processing: handling of quality complaints related to the goods distributed by the Service Provider.

Legal basis for processing: processing is necessary for the performance of a contract [Article 6 (1) b) GDPR] and Section 17/A (7) of the Consumer Protection Act (Fgytv.).

Types of processed personal data: unique complaint identifier, customer’s name, address, place and time of complaint submission, method of complaint submission, list of documents and other evidence submitted by the customer, description of complaint, place and time of record of minutes, name and signature of recorder, and in the case of returns, product data.

Duration of processing: copies of minutes of complaints and responses to written complaints shall be kept for five (5) years under Section 17/A (7) Fgytv. Entries in the Customer Complaint Book shall be retained for two (2) years.

Consequences of non-provision of data: the data subject cannot exercise their consumer rights.

Data transfer: complaints and quality issues sent to the Service Provider’s central e-mail address or postal address are forwarded to the relevant suppliers.

Legal basis of transfer: processing is necessary for the performance of a contract [Article 6 (1) b) GDPR].

Processor:

• Document storage and destruction: Service Provider

2.1.3 Extraordinary Events

Purpose of processing: handling extraordinary events related to goods distributed by the Service Provider, including recording minutes.

Legal basis for processing: the legitimate interest of the controller and other persons in handling extraordinary events [Article 6 (1) f) GDPR].

Types of processed personal data: name, address, telephone number of affected person(s), name and contact of parent/guardian, place, date and time of extraordinary event, description, description of Service Provider’s action, names, addresses, and contacts of witnesses.

Duration of processing: five (5) years.

Processor:

• Document storage and destruction: Service Provider

Consequences of non-provision of data: enforcement of rights arising from the extraordinary event may become impossible.

2.2 MARKETING DATABASE

The Service Provider processes the data of customers who have given their consent to be contacted for direct marketing purposes.

Purpose of processing: building a business database, sending newsletters including commercial advertisements, preparing personalized offers using online analytics, and forwarding the Service Provider’s and its partners’ offers.

Legal basis for processing: voluntary consent of the data subject, Section 6 (5) of the Advertising Act (Grtv.).

Types of processed data: ID generated by Service Provider, name, address, e-mail, phone number, consent to direct marketing, as well as system-stored analytics regarding subscription/unsubscription, sending, delivery, opening, and online activity.

Duration of processing: until withdrawal of consent.

Processor: Service Provider (development and database management).

Consequences of non-provision of data: the data subject will not be informed about the Service Provider’s offers.

Withdrawal of consent for direct marketing messages and requests for deletion or modification of personal data can be made at:

• e-mail: drpg@drpg.eu

• post: to the Service Provider’s registered seat.

3. CONTACT

3.1 Customers may contact the Service Provider via the contact details provided in this Policy or on the Service Provider’s website. The Service Provider stores all messages received together with the sender’s name, e-mail address, date and time, and other personal data provided in the message, and deletes them after a maximum of five (5) years.

Purpose of processing: responding to inquiries, distinguishing individuals, ensuring traceability.

Legal basis: legitimate interest of the controller in responding to inquiries, distinguishing individuals, and ensuring traceability [Article 6 (1) f) GDPR].

Types of processed data: name, e-mail, date, time, other data provided in the messages.

Duration: five (5) years.

Consequences of non-provision: the data subject cannot contact the Service Provider.

Processors:

• Online hosting: Websupport Magyarország Kft. (1132 Budapest, Victor Hugo utca 18-22.)

• Website backups, development and database management: Service Provider

• Document storage and destruction: Service Provider

4. OTHER DATA PROCESSING

The Service Provider informs customers that courts, prosecution services, investigative authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information (NAIH), or other bodies empowered by law may request information, disclosure, transfer, or provision of documents.

The Service Provider will only provide as much personal data as is strictly necessary to fulfill the purpose of the request, provided the requesting authority specifies the purpose and scope of the data.

5. METHOD OF STORING PERSONAL DATA, DATA SECURITY

The Service Provider and its processors implement appropriate technical and organizational measures, taking into account the state of technology, costs, the nature, scope, context, and purposes of processing, and the varying risks to individuals’ rights and freedoms, in order to guarantee a level of security appropriate to the risk.

The Service Provider ensures that personal data are:

• accessible to authorized persons (availability),

• authentic and verifiable (integrity),

• protected against unauthorized access (confidentiality).

The Service Provider protects data against unauthorized access, alteration, transmission, disclosure, deletion, destruction, accidental loss or damage, and inaccessibility resulting from changes in technology.

All IT systems and networks of the Service Provider and its partners are protected against fraud, espionage, sabotage, vandalism, fire, flood, viruses, hacking, and denial-of-service attacks.

The Service Provider records all data protection incidents, noting facts, effects, and remedial actions. It reports any data protection incident to the NAIH without undue delay, and within 72 hours if possible, unless the incident is unlikely to pose a risk to individuals’ rights and freedoms.

6. DATA CONTROLLER INFORMATION

• Name: DRPG Kereskedelmi és Szolgáltató Kft.

• Seat: 2000 Szentendre, Petyina utca 4.

• Company registration no.: 13-09-135588

• Court of registration: Budapest Környéki Törvényszék Cégbírósága

• Tax number: 14378012-2-13

• E-mail: drpg@drpg.eu

7. Legal Remedies

The data subject (customer) may request information about the processing of their personal data, as well as request the rectification, erasure, withdrawal, or restriction of the processing of their personal data, and may exercise their right to data portability and objection in the manner indicated at the time of data collection or through the customer service of the data controller.

8. Right to Information

At the request of the data subject, the Service Provider shall take appropriate measures to provide the data subject with all information regarding the processing of their personal data as referred to in Articles 13 and 14 of the GDPR and each piece of information referred to in Articles 15–22 and 34, in a concise, transparent, intelligible, and easily accessible form, clearly and in plain language.

9. Right of Access

The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them are being processed, and, if so, to access the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations; the envisaged period of storage of the personal data; the right to request rectification, erasure or restriction of processing, and the right to object; the right to lodge a complaint with a supervisory authority; information about the sources of the data; the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.

The Service Provider shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

At the request of the data subject, the information shall be provided in electronic form. The right of access may be exercised in writing via the contact details provided in the header of this Policy or in Section 6.

At the request of the data subject, following credible proof of identity and verification, information may also be provided orally.

10. Right to Rectification

The data subject has the right to request the rectification of inaccurate personal data concerning them processed by the Service Provider and to have incomplete personal data completed.

11. Right to Erasure (“Right to be Forgotten”)

The data subject has the right to obtain the erasure of personal data concerning them without undue delay where one of the following grounds applies: the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; the personal data must be erased for compliance with a legal obligation in Union or Member State law; the personal data were collected in relation to the offer of information society services.

Erasure may not be requested where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest or in the exercise of official authority vested in the controller; for reasons of public health; for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or for the establishment, exercise, or defense of legal claims.

12. Right to Restriction of Processing

At the request of the data subject, the Service Provider shall restrict processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling verification of the accuracy; the processing is unlawful and the data subject opposes the erasure and requests restriction instead; the controller no longer needs the personal data for processing, but they are required by the data subject for legal claims; the data subject has objected to processing pending verification of whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent, for legal claims, for the protection of the rights of another person, or for important public interest reasons.

The Service Provider shall inform the data subject before lifting the restriction of processing.

13. Right to Data Portability

The data subject has the right to receive the personal data concerning them, which they have provided to the Service Provider, in a structured, commonly used, machine-readable format, and to transmit those data to another controller.

14. Right to Object

The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them where the processing is carried out in the public interest, in the exercise of official authority, or for the legitimate interests pursued by the controller or a third party, including profiling.

In such cases, the Service Provider shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to such processing, including profiling related to direct marketing. If the data subject objects to processing for direct marketing, the personal data shall no longer be processed for such purposes.

15. Automated Decision-Making, Including Profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This shall not apply if the processing is necessary for entering into or performing a contract, is authorized by Union or Member State law providing suitable safeguards, or is based on the data subject’s explicit consent.

16. Right to Withdraw Consent

The data subject has the right to withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

17. Procedural Rules

The Service Provider shall provide information on action taken on a request under Articles 15–22 GDPR without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests.

The controller shall inform the data subject of any extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request electronically, the information shall be provided electronically unless otherwise requested.

If the controller does not act on the request, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The Service Provider shall provide the requested information and communications free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee or refuse to act on the request.

The Service Provider shall inform each recipient to whom personal data have been disclosed of any rectification or erasure of personal data or restriction of processing, unless this proves impossible or involves disproportionate effort. At the request of the data subject, the controller shall inform them about those recipients.

18. Compensation and Damages

Any person who has suffered material or non-material damage as a result of an infringement of data protection legislation shall have the right to receive compensation from the Service Provider or the processor.

The processor shall only be liable where it has failed to comply with obligations specifically directed to processors or has acted outside or contrary to lawful instructions of the controller. Where more than one controller or processor is involved and responsible for the same processing, each shall be held jointly and severally liable for the entire damage.

The Service Provider or the processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

19. Right to Apply to Court

In the event of a violation of their rights, the data subject may bring proceedings against the Service Provider before the court competent according to the place of residence or seat of the defendant or the residence of the data subject. The court shall proceed without delay. Proceedings relating to the protection of personal data are exempt from charges.

20. Data Protection Authority Procedure

Complaints may be submitted to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
Address: 1055 Budapest, Falk Miksa utca 9–11.
E-mail: ugyfelszolgalat@naih.hu

​

Budapest, 21 March 2023

DRPG Ltd.

 

Dr. Gábor Petruska
Managing Director