Privacy policy

(hereinafter also referred to as “Information” or “Privacy policy”)

1. Basic provisions

1.1. History

The new European Union General Data Protection Regulation (GDPR) No. 2016/679 (hereinafter referred to as the “Regulation” or “GDPR”) is also directly applicable in Hungary.

Palmetta Design Bt. is considered a data controller under the Regulation, meaning that the Regulation also applies to personal data processed by Palmetta Design Bt.

1.2 Purposes

The purpose of the Notice is to establish the data protection and data management provisions, principles and data management policy followed and applied by Palmetta Design Bt. (hereinafter referred to as the “Data Controller”) and considered to be governing it.

1.3 Legal basis

When determining the content of the Information Notice, the Data Controller took into account, in addition to the Regulation, the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information (“Infotv.”), Act V of 2013 on the Civil Code (“Ptk.”), and Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities (“Grtv.”).

1.4 Scope

The scope of this Data Protection Notice covers the website available at www.palmettadesign.hu (hereinafter referred to as the “Website”) and data processing related to the Data Controller’s commercial activities.

Unless otherwise stated, the scope of the Notice does not extend to services and data processing related to the promotions, sweepstakes, services, other campaigns, or content published by third parties advertising or otherwise appearing on the Website.

Unless otherwise stated, the scope of the Notice does not extend to the services and data processing of websites and service providers to which links on the Websites lead. The scope of the Notice does not extend to the data processing of persons (organizations, companies) from whose information, newsletter, or advertising letter the Data Subject learned about the Website.

1.5. Amendment of the Information

1.5.1. The Data Controller reserves the right to modify the Information by unilateral decision.

1.5.2. By accessing the Website, the Data Subject accepts the provisions of the Information in force at all times; further consent of the Data Subject is not required unless otherwise provided in the Information.

2. Definitions

The terms used in this Privacy Policy have the following meanings:

2.1. Data processing: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.2. Data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2.3. Personal data or data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.4. Data Processor: the natural or legal person, public authority, agency or service provider who processes personal data on behalf of the Data Controller.

2.5. Data Subject: the natural person who provides personal data or whose personal data is made available to the Data Controller.

2.6. External service provider: third-party service providers used by the Data Controller or the Website operator in connection with the provision of certain services – either directly or indirectly – to whom Personal Data is or may be transferred in order to provide their services, or who may transfer Personal Data to the Data Controller. Service providers that are not in cooperation with either the Data Controller or the service operators, but that, by accessing the Website, collect data about the Data Subjects, which, either independently or in combination with other data, may be suitable for identifying the Data Subject, are also considered to be External service providers. When providing hosting services, the Data Controller also considers the Data Subject to be an External service provider in terms of the data processing activities carried out on the hosting used by it.

2.7. Information: this data processing information of the Data Controller.

3. Person and activity of the data controller

Name: Palmetta Design Bt.

Headquarters: 2000 Szentendre, Bogdányi u. 14, Hungary

Tax number: 24625016-2-13

Phone: +36 30 296 6254

E-mail: palmettadesign@t-online.hu

The Data Controller is a company registered in Hungary.

The Data Controller operates the Website, which was created for the purpose of operating a webshop under the Palmetta Design brand name.

4. Basic principles of data processing

4.1. Legality, fairness

The processing of data must be carried out lawfully and fairly, and in a manner that is transparent to the data subject. The Data Controller shall only process data as specified in the law or as provided by the Data Subjects or their employers/clients/customers, for the purposes specified below. The scope of the Personal Data processed shall be proportionate to the purpose of the processing and shall not go beyond it.

4.2 Accuracy

The data must be necessary and relevant for the purposes of the processing, and must be accurate and, where necessary, kept up to date.

4.3. Purposefulness

In all cases where the Data Controller intends to use Personal Data for a purpose other than the purpose of the original data collection, it shall inform the Data Subject thereof and obtain their prior, express consent, or provide them with the opportunity to prohibit the use.

4.4. Compliance

The Data Controller does not verify the Personal Data provided to it. The person providing the Personal Data is solely responsible for the accuracy of the Personal Data provided.

4.5. Storage limitation

Personal data must be stored in a form that allows identification of data subjects only for the time necessary to achieve the purposes of the processing.

4.6. Protection of personal data of persons under the age of 16

The Personal Data of a data subject under the age of 16 may only be processed with the consent of an adult exercising parental supervision over the data subject. The Data Controller is not able to verify the eligibility of the consenting person or the content of his/her declaration, so the Data Subject or the person exercising parental supervision over the data subject guarantees that the consent complies with the law. In the absence of a consenting declaration, the Data Controller does not collect Personal Data relating to a data subject under the age of 16.

4.7. The Data Controller does not transfer the Personal data it processes to third parties other than the Data Processors and External Service Providers specified in the Notice.

Data must be processed in such a way that the appropriate security of personal data is ensured by applying appropriate technical and/or organizational measures.

An exception to the provision contained in this point is the use of data in a statistically aggregated form, which may not contain any other data capable of identifying the Data Subject in any form.

In certain cases – due to an official court or police request, legal proceedings, copyright, property or other infringement or reasonable suspicion thereof, harm to the interests of the Data Controller, endangerment of the provision of the service, etc. – the Data Controller makes the Data Subject’s available Personal Data accessible to third parties.

4.8. The Data Controller shall notify the Data Subject, as well as all those to whom the Personal Data was previously transmitted for the purpose of Data Processing, of the correction, restriction or deletion of the Personal Data it processes. The notification may be omitted if this does not violate the legitimate interests of the Data Subject, taking into account the purpose of the Data Processing.

4.9. Based on the Regulation, the Data Controller is not obliged to appoint a data protection officer, as the Data Controller is not considered a public authority or a body performing public tasks, the Data Controller’s activities do not include any operation that requires regular and systematic, large-scale monitoring of Data Subjects, and the Data Controller does not process sensitive data or personal data related to decisions establishing criminal liability and crimes.

5. Legal basis for data processing

5.1 Article 6 of the GDPR states in which cases the personal data of Data Subjects may be processed:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject’s request prior to entering into a contract;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

5.2. Taking into account the nature of the Data Controller’s activity, the legal basis for data processing is primarily the voluntary, informed and explicit consent of the Data Subject (Section 5(1)(a)); during the preparation of, or after the establishment of, any contractual obligation between the Data Controller and the Data Subject or the Data Subject’s employer/client/customer, point 5.1.b) and point 5.1.c) of the Regulation above; and, in the case of areas monitored by camera, point 5.1.d) of the Regulation above. The Data Subject contacts the Data Controller voluntarily, including in the course of performing a task for his/her employer/client/customer, or registers voluntarily, or uses the Data Controller’s service voluntarily. In the absence of the Data Subjects’ consent, the Data Controller processes data only if it is clearly authorized to do so by law.

5.3 Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data.

5.4. The Data Subject has the right to withdraw his/her consent at any time with regard to all data processing for which the legal basis is the Regulation, point 5.1.a) above. The withdrawal of consent does not affect the lawfulness of the data processing based on the consent and prior to the withdrawal, and in accordance with points 5.1.b) and/or c) and/or 5.1.d) above of the Regulation.

5.5. Data Transfer to Data Processors specified in the Information may be carried out without the specific consent of the Data Subject. The release of personal data to third parties or authorities – unless otherwise provided by law – is possible only on the basis of a final authority decision or with the prior, express consent of the Data Subject.

5.6. When the User accesses the individual websites, the Data Controller records the User’s IP address in connection with the provision of the service, in view of the Data Controller’s legitimate interest and for the lawful provision of the service (e.g. to filter out illegal use or illegal content), even without the User’s separate consent.

5.7. When providing an e-mail address and the data provided during registration (e.g. user name, ID, password, etc.), any User assumes responsibility for the fact that he or she is the only one using the service from the e-mail address provided or using the data provided. In view of this assumption of responsibility, any liability related to logins made using a given e-mail address and/or data lies solely with the User who registered the e-mail address and provided the data.

6. Purpose of data processing

The processing of data must be carried out lawfully and fairly, and in a manner that is transparent to the Data Subject. The Data Controller strives to process only personal data that is essential for the purpose of the processing and is suitable for achieving the purpose. Personal data may only be processed to the extent and for the period necessary to achieve the purpose.

The purpose of data management is primarily to operate the Website, provide the Data Controller’s services, and establish and fulfill commercial and contractual relationships.

The purpose of data processing based on the above is:

● identification of the Data Subject, contact with the Data Subject

● Preparation of the contract concluded during the purchase on the Website, fulfillment of contractual obligations by the Data Controller, and enforcement of its rights;

● provide concise, transparent, understandable and easily accessible information to the Data Subject

● the establishment and performance of legal transactions between the Data Controller and the Data Subject within the scope of the Data Controller’s activities

● in the case of using a service subject to payment of a fee, collection of the fee and invoicing

● fulfilling the obligations of the Data Controller, exercising the rights of the Data Controller

● protection of the rights of the Data Subject.

7. Source of data

The Data Controller only processes Personal Data provided by the Data Subjects or legal entities using the services (work) of the Data Subjects for the purpose of preparing/performing the transaction, and does not collect data from other sources.

The data is provided during the registration of the Data Subject. During registration, the Data Subject provides his/her name, e-mail address, and password.

8. Scope of processed data

The Data Controller only processes personal data provided in accordance with point 8. The processed data are the following:

The data processed by the Data Controller can be classified into the following groups based on the purpose of the data processing:

● Data required for registration: As part of the registration required for purchasing on the Website, the Data Subject enables purchases from the webshop by providing their last name, first name, e-mail address, password, telephone number and address.

● Billing data. If the Data Subject makes a payment to the Data Controller, the Data Controller processes the data related to payment and billing (method of payment, details of the payment instrument, in the case of billing, the name, address, tax number of the customer). The legal basis for data processing is partly the consent of the Data Subject, partly the legislation on taxation and accounting. The purpose of data processing is invoicing and collection of fees.

In addition to the above, the Data Controller processes technical data, including the IP address, as described in point 13.

9. Description of the data processing process

The source of the data is the Data Subject or a legal entity in an employment/managerial/business relationship with him/her, who provides the data (i) during any registration and/or (ii) during the preparation, establishment or performance of the legal transaction and/or (iii) during the newsletter or when making a declaration in connection with direct contact pursuant to Section 6(1) of Act XLVIII of 2008. The provision of the data on the registration form is mandatory, unless expressly stated otherwise.

The Data Subject provides the data independently, the Data Controller does not provide any binding guidelines in this regard, nor does it impose any content requirements. The Data Subject expressly consents to the processing of the data provided by him/her. The Data Subject is entitled to provide other data in his/her profile in addition to the data requested by the Data Controller, the legal basis for the processing of the data in this case as well is the voluntary consent of the Data Subject.

If the Data Subject registers for a promotion organized by the Data Controller (e.g. on Facebook) and provides the requested data there, he/she accepts the data processing information related to the given promotion. In this case, by providing the data, the Data Subject does not register on the Website, but consents to the processing of the provided data as specified in the promotion information.

10. Data processing for advertising purposes, sending newsletters

If the Data Subject consents, the Data Controller will contact the Data Subject at the provided contact details and send him/her advertising by direct inquiry. The advertising may be sent by post, telephone (including SMS), or e-mail (including Messenger), in each case subject to the Data Subject’s consent. The Data Subject may withdraw his/her consent at any time without giving reasons.

11. Cookies

The Data Controller’s system may automatically record the IP address of the Data Subject’s computer, the start time of the visit, and in some cases – depending on the computer’s settings – the type of browser and operating system. The data recorded in this way cannot be linked to other personal data. The data is processed for statistical purposes only.

Cookies enable the Website to recognize, identify and record previous visitors. Cookies help the Data Controller, as the operator of the Website, to optimize the Website and to tailor the Website services to the habits of the Data Subjects. Cookies can also be used to:

● remember the settings so that the Data Subject does not have to re-enter them when accessing a new page,

● remember previously entered data, so you don’t have to retype it,

● analyze the use of the website in order to ensure that, as a result of the developments carried out using the information obtained in this way, it functions as much as possible according to the expectations of the Data Subject, the Data Subject can easily find the information they are looking for, and

● monitor the effectiveness of our ads.

If the Data Controller displays various contents on the Website using external web services, this may result in the storage of some cookies that are not controlled by the Data Controller, so it has no influence on what data these websites or external domains collect. Information about these cookies is provided in the policies applicable to the given service.

The Data Controller uses cookies to display advertisements to Data Subjects via Google and Facebook. Data processing takes place without human intervention.

The Data Subject has the option to delete cookies in their browser (usually in the privacy section of the settings). By prohibiting the use of cookies, the Data Subject acknowledges that the Website cannot function fully without cookies.

12. Data transfer

The Data Controller will only transfer personal data to a third party if the Data Subject has clearly consented to this – knowing the scope of the data transferred and the recipient of the data transfer – or if the data transfer is authorized by law.

The Data Controller is entitled and obliged to transmit all Personal Data in its possession and duly stored by it to the competent authorities, which Personal Data it is obliged to transmit by law or a legally binding official obligation. The Data Controller cannot be held liable for such Data Transmission and the consequences arising therefrom.

The Data Controller documents data transfers in all cases and keeps records of data transfers.

13. Data processing

The Data Controller is entitled to use a data processor to perform its activities. Data processors do not make independent decisions; they are entitled to act only in accordance with the contract concluded with the Data Controller and the instructions received. The Data Controller monitors the work of data processors. Data processors are entitled to use additional data processors only with the consent of the Data Controller. The Data Controller may only use data processors that provide adequate guarantees for the implementation of appropriate technical and organizational measures ensuring the compliance of data processing and the protection of the rights of data subjects.

The data processor may not use additional data processors without the prior written or general authorisation of the Data Controller. In the case of a general written authorisation, the data processor shall inform the Data Controller of any planned changes affecting the use of additional data processors or their replacement, thereby providing the Data Controller with the opportunity to object to these changes.

The Data Controller indicates the data processors used in the Notice.

Data processors used by the Data Controller:

● K&H Bank Zrt. 1095 Budapest, Lechner Ödön fasor 9.

14. External service providers

The Data Controller does not use external service providers.

15. Data security related tasks

The Data Controller ensures the security of the data, takes the technical and organizational measures and develops the procedural rules that are necessary to enforce the applicable laws, data and privacy protection rules. The Data Controller protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, and against inaccessibility resulting from changes in the technology used.

The Data Controller and the Data Processor shall implement appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, the nature, scope, circumstances and purposes of the data processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons, in order to guarantee a level of data security appropriate to the degree of the risk.

Within the framework of the above, the Data Controller:

● ensures measures to protect against unauthorized access, including the protection of software and hardware devices, as well as physical protection (access protection, network protection);

● takes measures to ensure the possibility of restoring data files, including regular backups;

● takes care of virus protection.

16. Duration of data processing

The Data Controller deletes the Personal Data,

a) If it turns out that the data is being processed unlawfully, the Data Controller will delete it immediately.

b) If requested by the Data Subject (except for data processing based on legal provisions).

The Data Subject may request the deletion of data processed based on the Data Subject’s voluntary consent. In this case, the Data Controller will delete the data. Deletion may only be refused if the processing of the data is authorized by law. The Data Controller will always provide information about the refusal of the deletion request and the law permitting the processing of the data.

c) If it becomes known that the data is incomplete or incorrect – and this condition cannot be legally remedied – provided that deletion is not precluded by law.

d) If the purpose of data processing has ceased to exist or the statutory period for data storage has expired;

Deletion may be refused (i) if the processing of Personal Data is authorized by law; and (ii) if it is necessary for legal protection or enforcement.

e) It has been ordered by the court or the National Data Protection and Freedom of Information Authority

If a court or the National Authority for Data Protection and Freedom of Information orders the deletion of the data with final effect, the deletion will be carried out by the Data Controller.

Instead of erasure, the Data Controller shall block the personal data – informing the Data Subject – if the Data Subject so requests or if, based on the information available to it, it can be assumed that erasure would harm the legitimate interests of the Data Subject. Personal data blocked in this way may only be processed for as long as the purpose of the data processing that precluded the erasure of the personal data exists. The Data Controller shall mark the personal data it processes if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established.

In the case of data processing ordered by law, the deletion of data is governed by the provisions of the law.

In the event of deletion, the Data Controller will make the data unidentifiable. If required by law, the Data Controller will destroy the data carrier containing the personal data.

In all cases, the Data Controller will inform the Data Subject of the refusal of the deletion request, indicating the reason for the refusal of the deletion. After the request for deletion of personal data has been fulfilled, the previous (deleted) data can no longer be restored.

Newsletters sent by the Data Controller can be unsubscribed via the unsubscribe link in them. In case of unsubscription, the Data Controller will automatically delete the Data Subject’s Personal Data in the newsletter database.

17. Rights of Data Subjects in relation to data processing

17.1. The Data Controller informs the Data Subject about the processing of the data at the same time as the contact is made. The Data Subject also has the right to request information about the processing of the data at any time.

The Data Subject has the right to obtain confirmation from the Controller as to whether or not personal data concerning him or her are being processed and, where such processing is taking place, to have access to the personal data and to be informed of the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the planned period for which the personal data will be stored or, where that is not possible, the criteria for determining such period. The Data Subject has the right to request from the Controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data. He or she also has the right to lodge a complaint with a supervisory authority and, where the data were not collected from the data subject, to receive all available information on their source.

17.2. The data subject shall have the right to obtain from the controller, upon request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

17.3. The Data Subject may request the Data Controller to delete personal data concerning him or her without undue delay, with the exception of data processing operations required by law. The Data Controller shall inform the Data Subject of the deletion.

17.4. The Data Subject may object to the processing of his or her personal data as specified in the Privacy Act.

17.5. The Data Subject may submit his/her request for information, correction or deletion in writing, in a letter addressed to the Data Controller’s registered office or premises, or in an e-mail sent to the Data Controller at palmettadesign@t-online.hu.

17.6. The Data Subject may request that the Data Controller restrict the processing of his or her Personal Data if the Data Subject disputes the accuracy of the Personal Data processed. In this case, the restriction shall apply for a period of time that allows the Data Controller to verify the accuracy of the Personal Data. The Data Controller shall mark the Personal Data processed by it if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.

The Data Subject may request that the Data Controller restrict the processing of his or her Personal Data even if the Processing is unlawful, but the Data Subject opposes the deletion of the processed Personal Data and instead requests the restriction of their use.

The Data Subject may also request the Data Controller to restrict the processing of their Personal Data if the purpose of the Data Processing has been achieved, but the Data Subject requires the Data Controller to process them for the establishment, exercise or defense of legal claims.

17.7. The Data Subject has the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided.

17.8. If the Data Controller does not comply with the Data Subject’s request for rectification, blocking or erasure, it shall communicate in writing the reasons for rejecting the request for rectification, blocking or erasure within 30 days of receipt of the request. In the event of rejection of the request for rectification, blocking or erasure, the Data Controller shall inform the Data Subject of the possibility of judicial redress and of contacting the National Data Protection and Freedom of Information Authority.

17.9. The Data Subject may make the above declarations regarding the exercise of his/her rights at the contact details of the data controller as stated in point 2.

17.10. The Data Subject may also file a complaint directly with the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu). In the event of a violation of his or her rights, the Data Subject has the right to apply to court pursuant to Section 22(1) of the Infotv. The adjudication of the lawsuit falls within the jurisdiction of the court. The lawsuit may also be initiated – at the choice of the Data Subject – before the court of the place of residence or place of stay of the Data Subject. Upon request, the Data Controller shall inform the Data Subject in detail about the possibility and means of legal remedy.