For the websites and webshop of iSauna Design Gyártó, Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (iSauna Design Manufacturing, Trading and Services Limited Liability Company)

iSauna Design Kft. (company registration number: 08-09-032918; registered office: H-9174 Dunaszeg Liget utca 11.) informs users below about the data processing on its websites (www.szaunagyartas.hu, www.kulteriszaunahaz.hu, www.isaunahome.hu) in accordance with the Regulation No. 2016/679 issued by the European Parliament and the Council on the General Data Protection Regulation (hereinafter referred to as the GDPR).

In drafting the provisions of the Privacy Statement, the Company has taken particular account of the provisions of the Regulation No. 2016/679 issued by the European Parliament and the Council (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”), of the Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Infotv.”), the Act V of 2013 on the Civil Code (hereinafter referred to as the “Civil Code”) and the Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities (hereinafter referred to as the “Grtv.”), the Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services, Information Society Services, the Act C of 2000 on Accounting (regarding the issue and retention of supporting documents), the Act CXIX of 1995 on the Processing of Name and Address Data for the Purposes of Research and Direct Marketing, the Act VI of 1998 on the Proclamation of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, signed in Strasbourg on 28 January 1981, and of the recommendations of the “ONLINE PRIVACY ALLIANCE”.

This Privacy Statement may be amended unilaterally by the company iSauna Design Kft. at any time and is published on the following Websites: www.szaunagyartas.hu, www.kulteriszaunahaz.hu and www.isaunahome.hu. This Privacy Statement shall enter into force upon its publication.

1. Definitions

1.1. Data Set: the set of data managed in a single register;

1.2. Data Management: regardless of the procedure used, any operation or set of operations performed on Personal Data, in particular the collection, recording, organisation, structuring, storage, adaptation, alteration, use, retrieval, consultation, utilization, disclosure, transmission, dissemination or otherwise provision, disclosure, alignment or combination, restriction, erasure and destruction of Personal Data.

1.3. Data Manager: the person who alone or jointly with others, determines the purposes and means of the Data Management.

The Data Manager for the Services referred to in the present Privacy Statement is the following company: iSauna Design Kft. (company registration number: 13-09-161868; registered office: HU-2045 Törökbálint, Tópark utca 1. A. ép.), hereinafter referred to as the “Data Manager”. The Data Manager is a business organisation registered in Hungary, which operates and develops its own websites and related social media platforms, as well as webshops.

1.4. Personal Data or Data: any kind of data or information by which a natural person User can be identified in a direct as well as indirect manner.

1.5. Data Processor: the service provider who processes Personal Data on behalf of the Data Manager.

1.6. Website(s): the websites operated by the Data Manager and the social media platforms associated with the said websites.

1.7. Service(s): the Services provided by the Data Manager.

1.8. User: the natural person who, in the course of and in connection with the use of the Services, provides the data listed under the Article 2 indicated here in the following.

1.9. Employee: a natural person who is employed or otherwise engaged in an employment relationship with the Data Manager.

1.10. Potential Employee: the natural person who applies for the position advertised by the Data Manager.

1.11. External Service Provider: third-party service provider partners used by the Data Manager, to whom Personal Data are or may be transferred in order to provide their services or who may transfer Personal Data to the Data Manager. External service providers are also those service providers which do not cooperate with the Data Manager, but by accessing the websites of the Services, collect data about the Users, which may be used to identify the User, either individually or in combination with other data.

1.12. Statement: the present Privacy Statement of the Data Manager.

1.13. Destruction of Data: the complete physical destruction of the storage medium containing the data;

1.14. Data Transmission: if the data is made available to a specified third party; Disclosure: if the data is made available to anyone;

1.15. Data Erasure: making data unrecognizable in such a way that it cannot be recovered;

1.16. Automated Set of Data: a set of data to be processed automatically;

1.17. Automated or Machine Processing: it includes the following operations if they are carried out wholly or partly by automated means: storage of data, logical or arithmetical operations on data, alteration, deletion, retrieval, and dissemination of data.

1.18. System: the totality of the technical solutions operating the pages and services of the Data Manager and its partners accessible via the Internet.

2. Scope of the processed Users’ Personal Data

2.1. When the User visits the interface of a Website, the IP address of the User is automatically recorded by the Data Manager’s System.

2.2. On the basis of the User’s choice, the Data Manager may process the following data in connection with the use of the Services made available through the Websites: name, place of residence, place of stay, phone number, e-mail address, facial image, customer identification number registered with the Data Manager, content of the phone conversation with the Data Manager.

2.3. If the User sends a message (e.g. per e-mail or in form of a reader’s letter) to a Service, or calls the Service, the Data Manager will record the User’s address, e-mail address, phone number, the time of the call and will manage the said data to the extent and for the duration required for the Service provision.

2.4. The Data Manager processes the following personal data about the speakers and participants of the events organised by it: name, professional title (Dr., Prof., etc.), e-mail address, position, phone number, secondary phone number, name of the company it is associated with, sectoral and activity interests, membership rights entitling to discounts, biographical data of the speakers.

2.5. The Data Manager processes the following Personal Data in the context of the ad-hoc prize draws conducted by it: name, date of birth, address, e-mail address, phone number, occupation, pension fund membership and the name of the pension fund concerned, Personal Data indicated in the advertisement of the prize draw.

2.6. For what concerns the Service performed by the Webshop, the Data Manager may process the following Personal Data: name, residence, domicile, phone number, e-mail address, as well as all the Personal Data relating to the invoicing name and address provided by the User for invoicing purposes, and the Personal Data relating to the products chosen for the selected purchase and payment method.

2.7. The Data Manager may process the name, phone number and e-mail address of the legal or authorised representative of the contracting party and the contractual contact person in the context of contracts.

2.8. Notwithstanding what is stated above, a service provider technically related to the performance of the Services may carry out data management activities on one of the Websites without informing the Data Manager. An activity of this kind shall not constitute Data Management by the Data Manager. The Data Manager will use its best efforts to prevent and filter such Data Management.

3. What personal data do we process and for how long and what do we use it for and under which kind of authority does this occur?

The legal bases for our Data Management are stated here in the following:

a) under Article 6(1)(a) of the GDPR, the voluntary informed consent of the User to the Data Management (hereinafter referred to as the Consent);

b) under Article 6(1)(b) of the GDPR, the Data Management is required for the performance of a contract in which the User as the data subject is one of the contracting parties (hereinafter referred to as the Performance of the Contract);

c) under Article 6(1)(c) of the GDPR, the Data Management is required for the fulfilment of the legal obligation applicable to the Data Manager (such as for example the fulfilment of accounting or bookkeeping obligation – hereinafter referred to as the Compliance with Legal Obligations)

d) according to Article 6(1)(f) of the GDPR, the Data Management is required for the protection of the legitimate interests of the Data Manager or of a third party (hereinafter referred to as the Legitimate Interest)

e) The Data Management permit provided by Section 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter referred to as the Elkertv.), according to which the Users’ natural person identification data (name, birth name, mother’s birth name, place and date of birth) and residential address can be managed without the User’s consent, for the purposes of entering into a contract for the provision of an information society service, defining its content, amending it, monitoring its fulfilment, invoicing the resulting fees and enforcing the related claims. In addition, it is possible to manage the User’s following natural person identification data and residential address without the User’s consent, together with the data on the date, duration, and location of the use of the service for the purpose of invoicing the fees resulting from the contract for the provision of the information society service (hereinafter referred to as the Elkertv.)

The legal basis for the Data Management is set out below, separately for each category of data and each purpose of Data Management, with reference to the above-mentioned list.

3.1. For all data processing related to the general use of websites operated by iSauna Design Kft.

| A: Data subject | B: Data category | C: Data source | D: Purpose of data management | E: The legal basis of data management | F: Duration of data management |
| --- | --- | --- | --- | --- | --- |
| Registered user | Identifier of the transaction carried out | Data subject’s | a) Contract creation, content definition, modification, and performance; b) Invoicing of fees resulting from the contract; c) Claims and rights enforcement, fraud prevention and management | For purposes according to Column D Point (a) and (b): Elkertv. Section 13/A. For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | Until the existence of a legal obligation or legitimate interest. |
| | Amount of the transaction carried out | Data subject’s | a) Contract creation, content definition, modification, and performance; b) Invoicing of fees resulting from the contract; c) Claims and rights enforcement, fraud prevention and management | For purposes according to Column D Point (a) and (b): Elkertv. Section 13/A. For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For the purpose according to Column D Point (b): Fulfilment of a Legal Obligation under Article 6(1)(c) of the GDPR – Issue of an invoice. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | For contract performance and invoicing for a period of 8 years from the date of cancellation of registration by the User (reason: invoicing information). |
| | Execution of the subject of the transaction (product or service purchased) | Data subject’s | a) Contract creation, content definition, modification, and performance; b) Invoicing of fees resulting from the contract; c) Claims and rights enforcement, fraud prevention and management | For purposes according to Column D Point (a) and (b): Elkertv. Section 13/A. For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For the purpose according to Column D Point (b): Fulfilment of a Legal Obligation under Article 6(1)(c) of the GDPR – Issue of an invoice. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | For contract performance and invoicing for 8 years from the date of cancellation of registration by the User (reason: invoicing information). |
| | Delivery address | Data subject’s | a) Contract creation, content definition, modification, and performance; b) Claims and rights enforcement, fraud prevention and management | For a purpose according to Column D Point (a): Elkertv. Section 13/A. For a purpose according to Column D Point (a): Performance of a Contract under Article 6(1)(b) of the GDPR. For purposes according to Column D Point (b): Article 6(1)(f) of the GDPR – Legitimate interest | Until the existence of a legal obligation or legitimate interest. |
| | Invoicing name and address | Data subject’s | a) Contract creation, content definition, modification, and performance; b) Invoicing of fees resulting from the contract; c) Claims and rights enforcement, fraud prevention and management | For purposes according to Column D Point (a) and (b): Elkertv. Section 13/A. For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For the purpose according to Column D Point (b): Fulfilment of a Legal Obligation under Article 6(1)(c) of the GDPR – Issuing an invoice. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | For contract performance and invoicing for a period of 8 years from the date of cancellation of registration by the User (reason: invoicing information). |
| | GPS coordinates, if enabled by the user | Collected from a mobile device | Profiling – display of behavioural advertising, understanding customer preferences | Consent under Article 6(1)(a) GDPR | Until the withdrawal of the consent. |

The data marked with * are mandatory. Without them the use will not be possible. Consequently, they are a prerequisite for the conclusion of the contract.

The User may object to the data management based on the above legitimate interest by sending an e-mail to iSauna Design Kft. at the following e-mail address: info@szaunagyartas.hu.

The Data Manager is the company iSauna Design Kft.

4. Service-specific personal data managed for certain services of the websites and webshop operated by iSauna Design Kft.

4.1. Credit card registration for some services of the websites and webshop operated by iSauna Design Kft.

| A: Data subject | B: Data category | C: Data source | D: Purpose of data management | E: The legal basis of data management | F: Duration of data management |
| --- | --- | --- | --- | --- | --- |
| The registered user | Name on credit card* | Data subject’s | a) Contract creation, definition, modification, and performance; b) User identification; c) Claims and rights enforcement, fraud prevention and management | For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | Until the existence of a legal obligation or legitimate interest. |
| | Credit card number* | Data subject’s | a) Contract creation, definition, modification, and performance; b) User identification; c) Claims and rights enforcement, fraud prevention and management | For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | Until the existence of a legal obligation or legitimate interest. |
| | Credit card expiry date* | Data subject’s | a) Contract creation, definition, modification, and performance; b) User identification; c) Claims and rights enforcement, fraud prevention and management | For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | Until the existence of a legal obligation or legitimate interest. |
| | Name of the credit card issuing bank | Data subject’s | a) Contract creation, definition, modification, and performance; b) User identification; c) Claims and rights enforcement, fraud prevention, and management | For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | Until the existence of a legal obligation or legitimate interest. |
| | CVV/CVC code of the credit card* | Data subject’s | a) Contract creation, definition, modification, and performance; b) User identification; c) Claims and rights enforcement, fraud prevention and management | For purposes according to Column D Point (a) and (b): Performance of a Contract under Article 6(1)(b) of the GDPR. For purposes according to Column D Point (c): Article 6(1)(f) of the GDPR – Legitimate interest | Until the existence of a legal obligation or legitimate interest. |
| | Name of the credit card | Data subject’s | a) Contract creation, definition, modification and performance | Performance of a Contract under Article 6(1)(b) of the GDPR | Until the existence of a legal obligation or legitimate interest. |

The information marked with * is mandatory. Without it the credit card registration will not be possible.

The User may object to the data management based on the above legitimate interest by sending an e-mail to iSauna Design Kft. at the following e-mail address: info@szaunagyartas.hu.

The Data Manager is the company iSauna Design Kft.

5. What kind of data do we collect about you automatically, why do we profile your data, and how might this affect you?

By what means and what data do we collect about you automatically?

When using the Websites and the Webshop operated by the company iSauna Design Kft., we use small programs called cookies and similar technologies placed on Users’ mobile devices to support their identification and our recognition of the User’s data.

When visiting the Website and using the Services, cookies are placed on the User’s browser and HTML-based emails in accordance with this Privacy Statement.

Generally speaking, a cookie is a small file made up of letters and numbers which is sent to a User’s device from our server. The cookie makes it possible to recognise when the User last logged in to the Website; the main purpose of the cookie is to make personalized offers and advertisements available to the User. This personalizes the User’s experience during the use of the Website and reflects the personal requirements of the User.

5.2. The purpose of the cookies used by the Service Provider:

a) Security: promotion and implementation of security, and assistance offered to the Service Provider in detecting any infringing conduct.

b) Preferences, features, and services: Cookies are able to tell the Service Provider which language the User prefers, what the User’s communication preferences are, and can offer support to the User when the User has to fill in forms on the Website, by facilitating them.

c) Advertising: the Service Provider may use cookies to show the User relevant advertisements on and off the Website. Cookies may also be used to show whether Users who have seen an advertisement on the Website subsequently visit the advertiser’s website. Similarly, the Service Provider’s business partners may also use cookies to determine whether and in which manner their advertisements have been served by the Service Provider on the Website and to send the Service Provider information about how the User behaves in relation to the advertisements. The Service Provider may also cooperate with a partner which displays advertising to the User on or off the Website after the User’s visit on the partner’s website.

d) Performance, analytics, and research: Such cookies help the Service Provider to understand in which manner the Website is performing in different places. The Service Provider may also use cookies which evaluate, improve, research the Website, products, features, services, including when the User accesses the Website from other websites or devices, such as the User’s computer or mobile device.

5.3. Types of cookies used by the Service Provider:

a) Analytical, tracking cookies;

b) Session cookies, which only work for as long as the session (usually a particular visit to the Website or a browser session) lasts;

c) Persistent cookies: They support the recognition of the User as an existing User, facilitating the return to the Website without having to log in again. After the User logs in, the persistent cookie remains in the User’s browser and the Website can read it as soon as the User returns to the Website.

Adobe Flash is another technology with a functionality equivalent to the one offered by cookies. Adobe Flash can store data on the User’s device. However, not all browsers allow the removal of Adobe Flash cookies. The User can restrict or block Adobe Flash cookies via the Adobe website. If the User restricts/blocks these, some features of the Website may not be available.

5.4. Cookies applied by third parties:

Trusted partners help the Service Provider to display advertisements on and off the Website, and analytics providers such as Google Analytics, Quantcast, Nielsen, ComScore may also place cookies on the User’s device.

Users can opt out of Google cookies on the Google ads opt-out page.

You can also block cookies from other third party service providers at http://www.networkadvertising.org/choices/.

5.5. Control and management of cookies:

Most browsers allow Users to control the use of cookies through their settings. However, if the User restricts the use of cookies on the Website, this may degrade the User experience as it will no longer be personalised to the User which is the reason why the User can also choose to stop saving personalised settings, such as login information.

If the User does not want the Service Provider to use cookies when visiting the Website, the User can opt out of the use of certain cookies in the settings menu. In order for the Service Provider to become aware that the user has blocked the use of certain cookies, the Service Provider places a blocking cookie on the User’s device, so the Service Provider will know that it cannot place cookies during the next visit of the User to the website. If the User does not want to receive cookies, the User may change the browser settings on his/her computer. If the User uses the Website without changing the browser settings, the Service Provider shall start from the assumption that the User consents to the transmission of any kinds of cookies on the Website. However, the Website will not work properly without cookies.

To get additional information about cookies, including the types, handling and deletion of cookies, visit the following websites: wikipedia.org, www.allaboutcookies.org or www.aboutcookies.org.

Users can also control and enable cookies at the following links: https://www.aboutads.info/choices and https://www.youronlinechoices.eu.

6. Who handles your personal data and who can access it?

The Data Manager

The Data Manager of your data other than the data specified in this Privacy Statement is the company iSauna Design Kft., whose contact details and company data are as follows:

iSauna Design Kft.

Company Registration No.: 13-09-161868

VAT Number: 24386106-2-43

Registered Office: HU-2045 Törökbálint, Tópark utca 1. A. ép.

Postal Address: HU-9174 Dunaszeg, Liget út 11.

Represented by: Márk Balázs, Managing Director (contact details: +36 70 310 8090, balazs.mark@szaunagyartas.hu)

Email address: info@szaunagyartas.hu

Phone number: +36 23 428 914

On the part of iSauna Design Kft., your data will be accessed by the company’s employees to the extent strictly necessary for the performance of their work. Access rights to your personal data are set out in strict internal policies.

Data Processors

For the purposes of processing your data, iSauna Design Kft. may, by written contract, engage a data processor in accordance with the applicable legal provisions and may transfer your data to any data processor so engaged to the extent necessary. The data necessary for contacting you (name, mail address, email address, phone number) and any future polling and market research information you provide will be managed together (not separated or anonymized).

7. Who is the data protection officer of iSauna Design Kft. and what are his/her contact details?

iSauna Design Kft. is not required by law to appoint or employ a data protection officer.

8. What are your rights regarding the processing of your personal data and how do we ensure that you can exercise them?

a) Right of access: You can ask for information about what kind of data we process, for what purpose, for how long we do it, to whom we disclose it, and where the data comes from.

b) Right of rectification: If your data changes or is incorrectly recorded, you can ask us to correct, rectify or clarify it.

c) Right to erasure: You can ask us to erase the data managed by us in the cases specified by the law.

d) Right to restriction of data management: You can ask us to restrict the data management in the cases specified by the law.

e) Right to data portability: You may request the portability of your data, by exercising your right to request that we disclose your data to you in the categories specified by the law or, upon your specific request and authorisation, to transfer it directly to another service provider designated by you.

If you make such a request, we will act in accordance with the law and inform you within the term of one month of the action we have taken on your request.

f) Right to withdraw consent: If we manage your data on the basis of your consent, you have the right to withdraw your consent at any time, whereby this applies without any prejudice to the lawfulness of our Data Management prior to the date of withdrawal of your consent.

g) Right to complain: In the event of a breach of your rights in relation to our data management, you have the right to lodge a complaint with the competent supervisory authority in Hungary: National Authority for Data Protection and Freedom of Information; website: http://naih.hu; Postal address: H-1530 Budapest, P. O. Box: 5. Email address: ugyfelszolgalat@naih.hu; Phone number: +36 (1) 391-1400

In addition to the above-mentioned aspects, you may also bring an action against the company iSauna Design Kft. itself before the Budapest Metropolitan Tribunal Court for breach of personal data protection.

h) Right to object:

– If we manage your data on the basis of legitimate interests according to the above-mentioned description, you may object separately to this data management on the basis of legitimate interests.

– You can also object to data management for profiling purposes.

If you object, we will no longer manage this personal data.

9. How do we ensure the security of your data?

We have a data protection procedure to safeguard the data and information we manage and process. This procedure is binding on all our employees and known and used by them.

We regularly educate and train our employees on data and information security requirements.

The personal data is stored on our own central server, to which only a very limited number of staff have access. We test and verify our IT systems from time to time, recurringly and regularly, to establish and maintain data and IT security.

The office workstations are password-protected, the use of foreign media is restricted and only allowed under secure conditions and after verification.

Regular and continuous protection against malicious software is provided for all systems and system components of the Company.

In the design, development, testing, and operation of programs, applications, and devices, security functions are given priority and separation.

Access keys to the information system (e.g. passwords) are stored and transmitted in encrypted form, and data affecting the security of the system (e.g. passwords, privileges, logs) are protected.

10. What do we do if a data protection incident occurs?

In accordance with the law, we shall report the data protection incident to the supervisory authority within a term of 72 hours of becoming aware of it. Furthermore, we shall keep records of data protection incidents. In the cases specified by the law, we shall also inform the involved Users.

11. When and how do we change this Privacy Statement?

If the scope of the data managed or the other circumstances of data management change, this Privacy Statement will be amended in accordance with the GDPR within a term of 30 days and will be published on the websites www.szaunagyartas.hu, www.kulteriszaunahaz.hu, www.isaunahome.hu and on the webshop. Please always read the amendments to the Privacy Statement carefully as they contain important information about the management of your personal data.

Budapest, 24 May 2018