- The data controller (Service Provider)
Name of the Service Provider: Műegyetemi Hallgatói Kft.
Registered office and postal address: 1111 Budapest, Műegyetem rkp. 3.
Registration authority: Fővárosi Bíróság, mint Cégbíróság
Company registration number: Cg. 01-09-989523
Tax number: 24080659-2-43
E-mail address: info@bmeshop.hu, bmeenapok@gmail.com
Website address: bmeshop.hu
Customer service e-mail address: info@bmeshop.hu, bmeenapok@gmail.com
Complaints handling location and contact details: 1111 Budapest, Műegyetem rkp. 3.; info@bmeshop.hu, bmeenapok@gmail.com; working days between 10.00 – 16.00
Name of the service provider: BlazeArts Ltd. /forpsi.hu
Address of the service provider: 6090 Kunszentmiklós, Damjanich J. u. 36. 1/8.
- The Company’s Privacy Policy
- The Service Provider, as the data controller, undertakes to ensure that all data processing in relation to its activities complies with the requirements set out in this Policy and the applicable legislation.
- Information about the Service Provider’s data management is continuously available in the footer of the home page of the bmeshop.hu website.
- In case of modification of the Privacy Policy, the Service Provider shall notify the User by publishing the changes on bmeshop.hu at least eight (8) days prior to the entry into force of the modification. The User accepts the amended Privacy Policy by using the Service after the amendment comes into force.
- The Service Provider is committed to protecting the User’s personal data and attaches the utmost importance to respecting the right of its customers to informational self-determination. The Service Provider shall treat personal data confidentially and shall take all security, technical and organizational measures to guarantee the security of the data.
- The Service Provider’s data management principles are in accordance with the applicable legislation on data protection, in particular:
– Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the Data Protection Act);
– Act CVIII of 2001 – on certain aspects of electronic commerce services and information society services (Eker. tv.);
– Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising (Act XLVIII of 2008).
- The Service Provider uses the personal data necessary for the use of its services on the basis of the consent of the data subjects and only for the purpose for which it is intended.
- In addition, in all cases where the collection, processing or recording is not required by law, the Company draws the User’s attention to the voluntary nature of the provision of data. In the case of mandatory data provision, the legal provision ordering the data processing must also be indicated. The data subject shall be informed of the purposes of the processing and of the persons who will process the Personal Data.
- In all cases where the Company intends to use the Personal Data provided for purposes other than those for which they were originally collected, the Company shall inform the User thereof and obtain his/her prior explicit consent or provide him/her with the opportunity to prohibit such use.
- The Company undertakes not to impose any sanctions on any User who refuses to provide the optional data.
- Legal basis for data processing
- The legal basis for data processing is the voluntary consent of the data subject pursuant to Section 5 (1) a) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Act on Freedom of Information) and Section 13/A of Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services.
- The consent of the legal representative of a minor over the age of 16 is not required for the validity of the declaration of consent of the minor concerned.
- If the personal data have been collected with the consent of the data subject, the controller shall, unless otherwise provided by law,
- in order to comply with a legal obligation to which it is subject; or
- for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject’s consent.
- Purpose of the processing and scope of the data processed, duration of the processing, persons entitled to access the data
- At all stages of processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful. Only personal data which is necessary for the purpose of the processing and is adequate for the purpose shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose. The processing of the Service Provider’s services is based on voluntary consent, however, in certain cases, the processing, storage and transmission of some of the data provided is required by law. The Service Provider does not use personal data for purposes other than those stated.
- Online webshop service
- The declaration is given by the User when using the service. The declaration contains the User’s express consent to the use of the personal data provided by him/her when using the site. The legal basis for the processing of the data is the voluntary consent of the data subject pursuant to Section 5 (1) (a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information and Section 169 (2) of Act C of 2000 on Accounting.
- The purpose of the processing is to ensure the provision of the webshop service on the website, the order, its processing, the documentation of the purchase and payment, the fulfilment of the accounting obligation. Furthermore, the purpose of the data processing is to identify the User as a ticket purchaser and to fulfil the ordered service, to send notifications in connection with the service, to issue invoices, to process payments, to register the Users and to distinguish them from each other. Processed data: first and last name, telephone number, e-mail address, password provided during pre-registration, delivery address provided in case of a delivery request, billing address provided for invoicing, number, date and time of the transaction, receipt content, name, address and tax number in case of a VAT invoice. Duration of processing: 8 years.
- Registration: Pre-registration by entering a password allows the User to enter his/her data only once and not for each purchase. The data provided will be processed by the Service Provider until such time as the User prohibits the use of the data for this purpose by unsubscribing. The data that the User may choose to provide may include e-mail address, telephone number, name, place of residence/residence, the product category and products purchased by the User at the time of ordering, the date of purchase, the payment method used by the User, the amount of the User’s purchases.
- Electronic newsletter: If the User subscribes to the newsletter, the Data Controller may send him/her a newsletter at a frequency of its own discretion (but not more than twice a week), unless the User himself/herself requests a more frequent sending of the newsletter. The Data Controller shall, as far as possible, endeavour to offer the services and products of Műegyetemi Hallgatói Kft. to the readers of the newsletter in a personalised manner, according to the place of residence and previous purchases and other likely interests based on the data provided. By subscribing to the Newsletter, the User agrees to the processing of his/her personal data by the Data Controller.
- Legal basis for processing: voluntary consent of the data subject and Article 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities. The scope of the data processed: name, e-mail address, place of residence, data listed at registration, data on previous purchases, data provided by the User.
- Duration of data processing: until the consent is withdrawn. Unsubscribe from the newsletter by clicking on the Unsubscribe link at the bottom of the newsletter. Personal data will be deleted within 10 working days of receipt of the request.
- Cookie and location: the Data Controller places a small data package (so-called “cookie”) on the User’s computer in order to provide a personalized service. The purpose of the cookie is to ensure the best possible functioning of the site in order to enhance the user experience. By visiting the website and using some of its functions, the User gives his/her consent to the storage of these cookies on the User’s computer and their access by the Data Controller. The User can set and block cookie-related activities through the browser program. Please note, however, that in the latter case, without the use of cookies, the User may not be able to use all the services of the website.
- Statistical data. The use of data in aggregate statistical form may not include the name or any other identifiable data of the User concerned.
- Data technically recorded during the operation of the system: The data that are technically recorded during the operation of the system are the data of the User’s computer logging in, which are generated during the use of the service and which are recorded by the data controller’s system as an automatic result of technical processes. The data that are automatically recorded are automatically logged by the system at the time of log-in or log-out, without any specific declaration or action by the User. These data may not be linked to other personal data of the User, except in cases required by law. The data may only be accessed by the Data Controller. The purpose of the automatically recorded data is to ensure the provision of the services available through the Data Controller’s Internet pages, the display of personalised content and advertisements, the production of statistics, the technical development of the IT system, the protection of Users’ rights, and the general analysis of user habits. The data made available by the Users when using the service may be used by the Data Controller to form User groups and to display targeted content and/or advertisements on the Data Controller’s websites to the User groups. The data that are automatically, technically recorded during the operation of the system are stored in the system for a period of time from the moment they are generated that is reasonable for the operation of the system. The Company shall ensure that such automatically recorded data cannot be linked to other personal data of the User, except in cases required by law. If the User has withdrawn his/her consent to the processing of his/her personal data or has unsubscribed from the service, his/her identity will no longer be identifiable from the technical data.
- The Service Provider’s website: The HTML code of the portal contains links from and to external servers, independent of Műegyetemi Hallgatói Kft. The providers of these links are able to collect User data due to the direct connection to their server. An external service provider assists in the independent measurement of website traffic and other web analytics data (Google Analytics). The data controller can provide detailed information on the management of the measurement data, contact: http://www.google.com/analytics.
- Information on data processing not listed in this notice will be provided at the time of data collection. We inform our visitors that the court, the prosecutor, the investigating authority, the criminal investigation authority, the administrative authority, the data protection commissioner or other bodies authorised by law may contact the Data Controller to provide information, to communicate or transfer data or to provide documents. The Service Provider shall disclose personal data to the authorities, if the authority has indicated the exact purpose and scope of the data, only to the extent strictly necessary for the purpose of the request. The Controller does not control the Personal Data provided to it. The person providing the data is solely responsible for the correctness of the data provided. Any User who provides an e-mail address shall also be responsible for ensuring that he/she is the only one to receive services from the e-mail address provided. With regard to this assumption of responsibility, any liability for accessing the service from a given e-mail address shall be borne solely by the User who registered the e-mail address. If the User does not provide his/her own personal data, he/she is obliged to obtain the consent of the data subject. The right of access to personal data is reserved to the employees of the Service Provider, to the employees of the courier service involved in the delivery of the products (if the delivery is requested by the Customer) and to the Data Processors.
- Transfer of data, identification of Data Processors: The Service Provider shall only transfer personal data to third parties with the prior and informed consent of the User. This does not apply to any data transfers required by law or to the data processors indicated in this document. By using the Service, the User consents to the transfer of the data by the Service Provider to the following partners:
- számlázz.hu, operator: KBOSS.hu Kft. (tax number: 13421739-2-13, company registration number: 13-09-101824, registered office: 2000 Szentendre, Táltos u. 22/b).
- The Service Provider shall provide the financial institutions involved in the purchase process, which process the payment, with the data required by the financial institution in question for the processing of the payment. The scope of the data varies from one financial institution to another. The personal data provided by the financial institution on its own data request pages are not disclosed to the Service Provider.
- The Service Provider, as Data Controller, is entitled and obliged to transmit to the competent authorities any personal data available to it and stored by it in accordance with the law, which it is obliged to transmit by law or by a final and binding obligation of a public authority. The Data Controller shall not be held liable for such transfers and the consequences thereof.
- Data security measures: The Service Provider shall exercise the utmost care in the processing and storage of personal data. In the field of information security, the Service Provider shall use the most effective and up-to-date tools and procedures reasonably available.
- The Controller shall design and implement data processing operations in such a way as to ensure the protection of the privacy of the data subjects.
- The controller shall ensure the security of the data, and shall take the technical and organisational measures and establish the procedural rules necessary to ensure the security of the data.
- In particular, appropriate measures must be taken to protect the data against unauthorised access, alteration, disclosure, erasure or destruction, accidental destruction or damage and against inaccessibility resulting from changes in the technology used.
- In order to protect the data files managed electronically in different registers, appropriate technical arrangements shall be in place to ensure that the data stored in the registers cannot be directly linked and attributed to the data subject, except where permitted by law.
- The controller shall take into account the state of the art when defining and implementing measures for data security. Among several possible processing solutions, the one which ensures a higher level of protection of personal data should be chosen, unless this would impose a disproportionate burden on the controller.
- The Service Provider shall select and operate the IT tools used for the processing of personal data in the course of providing the service in such a way that the data processed:
- is accessible to authorised persons (availability);
- has its authenticity and authentication ensured (authenticity of processing);
- is verifiable (data integrity);
- is protected against unauthorised access (data confidentiality).
- The Service Provider shall ensure the security of data processing by technical and organisational measures that provide a level of protection appropriate to the risks associated with the processing.
- The Service Provider shall, during the processing, retain
- confidentiality: it protects the information so that only those who are authorised to access it have access to it;
- integrity: it protects the accuracy and completeness of the information and the processing method;
- availability: it ensures that when the authorised user needs it, he or she can actually access the information and that the means to do so are available.
- The Service Provider’s IT system and network are protected against computer fraud, espionage, sabotage, vandalism, fire and flooding, computer viruses, computer intrusions and attacks that lead to denial of service. The Service Provider shall ensure security through server-level and application-level protection procedures.
- Electronic messages transmitted over the Internet, regardless of protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity or to the disclosure or modification of information. The Service Provider will take all reasonable precautions to protect against such threats. It will monitor systems to ensure that any security discrepancies are recorded and evidence of any security incidents is available. However, the Internet is not, as is well known to Users, 100% secure. The Service Provider shall not be liable for any damage caused by indefensible attacks that occur despite the exercise of reasonable care.
- Rights of data subjects and their enforcement, objection to the processing of personal data, judicial redress and compensation
- In addition, changes to certain Personal Data may be made by editing the personal profile page. Once a request for deletion or modification of Personal Data has been fulfilled, the previous (deleted) data can no longer be restored.
- Users may request information about the processing of their personal data. Requests for information sent by e-mail shall be considered authentic by the Data Controller only if they are sent from the registered e-mail address of the User. Upon the data subject’s request, the Controller shall provide information on the data processed by the Controller or by a processor on its behalf, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, and, in the case of transfer of the data subject’s personal data, the legal basis and the recipient of the transfer. The request for information should be sent by e-mail to info@bmeshop.hu. The Service Provider is obliged to provide the information in writing in an intelligible form, at the request of the data subject, within the shortest possible time from the date of the request, but not later than 30 days. The information described above shall be provided free of charge if the data subject has not yet submitted a request for information to the controller for the same set of data in the current year. In other cases, a fee may be charged. The fee already paid shall be refunded if the data have been unlawfully processed or if the request for information has led to a rectification. The data controller may refuse to provide the data subject with information only in the cases provided for in the General Data Protection Regulation. In the event of refusal to provide information, the controller shall inform the data subject in writing of the provision of this Act on the basis of which the information was refused. In the event of refusal to provide information, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority). 
The controller shall notify the Authority of any refused requests annually by 31 January of the year following the year in question.
- The data subject may request the controller to rectify his/her personal data and to erase or block his/her personal data, except for mandatory processing.
- The controller shall keep a register of transfers for the purposes of monitoring the lawfulness of transfers and informing the data subject of the transfers of personal data processed by the controller, including the data subjects’ personal data, and the data subjects’ personal data processed by the controller. If the personal data is not accurate and the accurate personal data is available to the controller, the controller shall correct the personal data.
- The personal data shall be deleted if
- its processing is unlawful;
- the data subject requests it, as provided for in the General Data Protection Act;
- it is incomplete or inaccurate – and this situation cannot be lawfully remedied – provided that erasure is not precluded by law;
- the purpose of the processing has ceased to exist or the statutory time limit for the storage of the data has expired;
- ordered by a court or the Authority.
In the case referred to in point (d) of the preceding paragraph, the obligation to erase shall not apply to personal data whose data medium must be placed in archival custody pursuant to the law on the protection of archival material.
- Instead of erasure, the controller shall block the personal data if the data subject so requests or if, on the basis of the information available to him or her, it is likely that erasure would harm the legitimate interests of the data subject. The personal data thus blocked may be processed only for as long as the processing purpose which precluded the deletion of the personal data persists.
- The rectification, blocking, marking and erasure shall be notified to the data subject and to all those to whom the data were previously disclosed for processing. Notification may be omitted if this does not harm the legitimate interests of the data subject having regard to the purposes of the processing. If the controller does not comply with the data subject’s request for rectification, blocking or erasure, it shall, within 30 days of receipt of the request, provide in writing the factual and legal reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.
- The data subject must be informed before the processing starts whether the processing is based on consent or whether it is mandatory.
- The data subject shall be informed clearly and in detail of all facts relating to the processing of his or her data before the processing begins, in particular the purpose and legal basis of the processing, the person authorised to process and process the data, the duration of the processing, if the controller processes the personal data of the data subject pursuant to paragraph (5) of Article 6 of the Data Protection Act, and who may access the data. The information shall also cover the rights and remedies of the data subject in relation to the processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the information referred to in the above paragraph.
- The data subject may object to the processing of his or her personal data,
- where the processing or transfer of personal data is necessary solely for compliance with a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller, the recipient or a third party, except in the case of mandatory processing;
- where the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes; and
- in other cases specified by law.
- The controller shall examine the request within the shortest possible period of time from the date of the submission of the request, but not later than 15 days, and shall decide whether the request is justified and inform the applicant in writing of its decision. If the controller establishes that the data subject’s objection is justified, the controller shall terminate the processing, including further collection and further transmission, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data covered by the objection have been previously disclosed and who are obliged to take measures to enforce the right to object.
- If the data subject disagrees with the decision of the controller, or if the controller fails to comply with the time limit, the data subject may, within 30 days of the notification of the decision or the last day of the time limit, take the matter to court in the manner provided for in Article 22 of the GDPR.
- If the controller fails to give notice, the recipient may request clarification from the controller of the circumstances surrounding the failure to disclose the data, which clarification the controller shall provide within 8 days of the delivery of the recipient’s request. In the event of a request for clarification, the data subject may bring an action against the controller before a court within 15 days of the date on which the clarification was provided, but no later than the time limit for the provision of clarification. The controller may also bring legal proceedings against the data subject.
- However, the data may not be transferred to the data recipient if the controller has consented to the objection or the court has ruled that the objection is justified.
- The court shall rule on the matter out of turn. The controller shall prove that the processing is in compliance with the law. In cases under Article 21(5) and (6) of the GDPR, the data recipient shall prove the lawfulness of the transfer of data to him or her.
- The action may also be brought, at the option of the data subject, before the court of the place of residence or domicile of the data subject. A person who does not otherwise have legal capacity may be a party to the proceedings. The Data Protection Authority may intervene in the proceedings in order to ensure that the data subject is successful. If the court upholds the application, the data controller shall be obliged to provide the information, rectify, block or erase the data, annul the decision taken by automated data processing, take into account the right of the data subject to object, or provide the data requested by the data subject as defined in Article 21 of the Data Protection Act.
- The data controller shall also be obliged to delete the data if the data subject does not apply to the court within the time limit specified in Article 21(5) or (6) of the GDPR.
The court may order the publication of its judgment, with the publication of the data controller’s identification data, if the interests of data protection and the rights of a larger number of data subjects protected by this Act so require.
- The controller shall also be liable to the data subject for any damage caused by the processor. The controller shall be exempted from liability if it proves that the damage was caused by an unavoidable cause outside the scope of the processing. No compensation shall be payable in so far as the damage resulted from the intentional or grossly negligent conduct of the data subject.
VIII:
Enforcement options:
If you have any questions or comments, please contact the Service Provider at info@bmeshop.hu. The User may exercise his/her enforcement rights before the courts in accordance with the Data Protection Act and the Civil Code. Legal remedies and complaints may be lodged with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa u. 9-11.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL: http://naih.hu