Privacy Policy

1. Name of the Controller

Name of the Controller: WinnerBidder Zrt. (hereinafter referred to as ‘Controller’ or the ‘Company’)
Company Registration No. of the Controller: Cg. 01-10-049722 (Metropolitan Tribunal of Budapest)
Registered office of the Controller: 1133 Budapest, Kárpát utca 7/B.
Representative of the Controller: Péter Zoltán Vitay, CEO
 

2. Rules for data processing

This Privacy Policy is effective from 20.04.2018 until withdrawal.
The terms and phrases defined in this Policy are identical to those explained and defined in Article 4 of the General Data Protection Regulation (hereinafter referred to as ‘GDPR’) and to the interpretative provisions of Section 3 of the Information Act to take effect from 25 May 2018 as completed in certain sections thereof. Accordingly:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data transmitted, stored or otherwise processed.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The Controller shall keep this Policy available on its website. Acceptance of the Data Policy (i.e. ticking the appropriate checkbox) shall be considered knowledge thereof and consent to data processing. Therefore, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
Personal data may be collected by the Controller only for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes and shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The employees of the Controller who carry out data processing and the employees of the entities which participate in or are engaged in a data processing operation by order of the Controller shall keep the personal data they have become aware of as a trade secret. In the course of their work, the Controller’s employees shall ensure that no unauthorized person may inspect the personal data and that personal data are stored and placed so that no unauthorized person can have access to, become aware of, alter or destroy them.
If a person subject to this Policy becomes aware of the fact that the personal data processed by the Controller are incorrect, incomplete or untimely, he or she shall rectify them or initiate their rectification by the employee responsible for data recording.
 

3. Enforcement of the data subjects’ rights

The data subject may ask for information about processing, and may request rectification or erasure of his or her personal data, by e-mail to [email protected], and shall be entitled to data portability.

3.1. Right to information
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
  • the purposes of the processing;
  • the categories of the personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular the recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • whether the data subject has the right to request from the Controller rectification or erasure of his or her personal data or restriction of processing of personal data concerning him or her or to object to such processing; and the right to lodge a complaint with a supervisory authority;
  • any available information where the personal data are not collected from the data subject; and
  • information about the logic used in automated decision-making, as well as the significance and the envisaged consequences of such processing for the data subject.
The Controller shall provide information on action taken on a request under the right to information to the data subject without undue delay and in any event within one month of receipt of the request.  That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.  The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
As a rule, information shall be provided free of charge and the Controller may charge costs only in the cases defined in Article 12 (5) and Article 15 (3) of the GDPR. 
If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her.  Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. (right to rectification)

3.2. Right to rectification
The Company shall rectify inaccurate personal data without undue delay if the data subject requests it.
The personal data in question may be restricted for the period the Company verifies accuracy of the personal data under section 3.4 of this Policy.

3.3. Right to object
The data subject shall have the right to object to processing of personal data by a statement to the Company in the event the legal basis for data processing is: 
  • the public interest within the meaning of Article 6 (1) e) of the GDPR, or
  • the legitimate interests within the meaning of Article 6 (1) f) of the GDPR [the conditions for application of legitimate interests as a legal basis are set out in section 5 of this Policy].
If the right to object is exercised, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The Company’s CEO shall have the right to determine whether data are processed on compelling legitimate grounds. He shall inform the data subject of his position on the matter in the form of an opinion.

3.4. Right to restriction of processing
Data processing may be restricted where one of the following applies:
  • the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject requests restriction of use of personal data instead of their erasure;
  • the Controller no longer needs the personal data, but they are required by the data subject for the establishment of legal claims;
  • the data subject has objected to processing of personal data pursuant to Article 21 of the GDPR, for the period the consideration of the objection is made.
The head of the processing organizational unit shall suspend data processing for the period the objection of the data subject to processing of his or her personal data is considered, but for not more than 5 days, review whether the objection is well-founded, make a decision and inform the applicant of such decision.
If the objection is justified, the head of the organizational unit shall restrict the data, i.e. the data may only be stored within processing until:
  • the data subject consents to data processing;
  • processing of the personal data is necessary to enforce legal claims;
  • processing of the personal data becomes necessary to protect the rights of other natural or legal persons; or
  • law requires data processing on grounds of public interest.
If restriction of data processing has been requested by the data subject, he or she shall be informed by the manager of the relevant organizational unit before the restriction of processing is lifted.

3.5. Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; or
f) the personal data have been collected in relation to the offer of information society services.

3.6. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
  • the legal basis for processing is the consent of the data subject or the processing was necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [Article 6(1)a) or b) and Article 9(2)a)] and
  • the processing is carried out by automated means.
The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.  The Controller shall inform the data subject about those recipients if the data subject requests it.
The Controller shall be obliged to compensate for damages caused to others as an outcome of the illegitimate processing of the data of the data subject or a breach of data security requirements, and for the restitution due to the breach of personal rights caused by the Controller or the processor it employs. The Controller shall be exempt from liability for damages and payment of the restitution should it be able to prove that the damages were caused by circumstances beyond its immediate control.
The data subject may submit a complaint on the Controller’s processing procedure to NAIH:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (‘NAIH’) / Hungarian National Authority for Data Protection and Freedom of Information
Registered office: 1024 Budapest, Szilágyi Erzsébet fasor 22/C.
Website: www.naih.hu
The data subject may – at his or her discretion – enforce his or her claim by means of judicial proceedings. The action shall be assessed within the scope of the jurisdiction of the tribunal. The action may be launched – at the data subject’s discretion – before the tribunal competent at the data subject’s residence or location.


4. Processing during use of the Controller’s website

4.1. Cookies
The Company’s website uses software to analyze and record data on the frequency of visits to the website. The Company’s website receives the following automatically generated information about its visitors: IP (Internet Protocol) address of the visitor, date and time of the visit, data of the visited sites, name of the browser program used.
purpose of processing: survey of website visitors' habits, promotion of contact with the Company
scope of the controlled data: IP (Internet Protocol) address of the visitor, date and time of the visit, data of the visited sites, name of the browser program used
legal basis for processing: consent of the data subject within the meaning of Article 6(1)a) of the GDPR 
period of data storage: one year from data recording
means of processing: electronic.

4.2. Registration
Visitors may register at the Company’s website. By completing the form the visitor may provide the relevant contact data. However, the data subject is allowed to send the data only if he or she accepts the Company’s Privacy Policy by ticking a checkbox, otherwise he or she will be unable to finalize the registration.
During or at any time after registration the data subject may provide the delivery and invoicing data and his or her telephone number, in which case the data subject will be able to order products at the website without providing additional data after the registration. If an order is placed, the delivery address will be forwarded to the courier as processor. The exact data of the processor are contained in this Policy.
The telephone number is necessary for the advice of receipt. The e-mail address is necessary for online communication. The delivery data are necessary for enabling the courier to deliver the product ordered to the address requested by the data subject. The invoicing data are necessary for issue of the invoice.
The period of data processing lasts until the registration is deleted, with the proviso that if the data subject makes a purchase in the system after the registration, the Company shall keep the accounting records for at least 8 years pursuant to Section 169(2) of Act C of 2000 on Accounting. After the lapse of 8 years, the Company will automatically erase the personal data of the data subject who has placed no order for a new service with the Company within the period of one year after the date of the last order.
purpose of processing: promotion of contacting the Company, registration
scope of the controlled data: name and e-mail address of the data subject or, if it is not necessary to provide those data, the delivery address, invoicing address and telephone number of the data subject
legal basis for processing: consent of the data subject within the meaning of Article 6(1)a) of the GDPR
period of data storage: until the registration is deleted, with the proviso that if the registered user makes a purchase in the system after the registration, the Company shall keep the accounting records for at least 8 years pursuant to Section 169(2) of Act C of 2000 on Accounting. After the lapse of 8 years, the Company will automatically erase the personal data of the data subject who has placed no order for a new service with the Company within the period of one year after the date of the last order.
means of processing: electronic.
For card payment the data of bank card and card payment transactions are processed by PayPal.
scope of the controlled data: for card payment the ID of the payer, the amount, date and time of the transaction to PayPal
legal basis for data transfer: consent of the data subject within the meaning of Article 6(1)a) of the GDPR.

4.3. Processing of buyer’s data
Visitors to the website shall be allowed to order and purchase the Company’s products by registration. Before the selected product is ordered, i.e. the contract between the buyer and the Company is concluded, the buyer shall provide the relevant data necessary for delivery of the product(s) ordered and for invoicing. 
The delivery address will be forwarded to the courier as processor. The exact data of the processor are contained in this Policy.
The telephone number is necessary for the advice of receipt.  The e-mail address is necessary for online communication. The delivery data are necessary for enabling the courier to deliver the product ordered to the address requested by the data subject. The invoicing data are necessary for issue of the invoice.
purpose of processing: making purchases and placing orders through the Company’s website, issue of invoices, compliance with accounting obligations, recording buyers, fulfilment of orders, analysis of buyers’ habits
scope of the controlled data: name, e-mail address and telephone number of the data subject, delivery and invoicing data
legal basis for processing: consent of the data subject within the meaning of Article 6(1)a) of the GDPR and Section 169(2) of Act C of 2000 on Accounting (‘Accounting Act’)
period of data storage: until erasure at the request of the data subject and, for the data indicated on the invoice, eight years pursuant to Section 169(2) of the Accounting Act
means of processing: electronic.
For card payment the data of bank card and card payment transactions are processed by PayPal.
scope of the controlled data: for card payment the ID of the payer, the amount, date and time of the transaction to PayPal
legal basis for data transfer: consent of the data subject within the meaning of Article 6(1)a) of the GDPR.

4.4. Data processing related to complaints
Pursuant to Act CLV of 1997 (‘CP Act’), the buyer shall be entitled to lodge a complaint to the Company verbally, electronically or in writing. Electronic complaints shall be sent by e-mail to [email protected].
purpose of processing: investigation and management of buyers’ complaints
scope of the controlled data: name, home address and e-mail address of the data subject and the other data of the complaint defined in Section 17/a.(5) of the CP Act
legal basis for processing: consent of the data subject within the meaning of Article 6(1)a) of the GDPR and Section 17/a.(5) of the CP Act
period of data storage: until the purpose is achieved; if the data subject has not lodged another claim after the answer is sent, the Controller will erase the data 5 years after the answer is sent and, if further claims are enforced, the data will be erased after the lapse of the limitation period
means of processing: electronic.

4.5. Data processing related to newsletters
The Company will send newsletters at the request of the data subject and, accordingly, newsletters will be received only by the users who have registered for such service at the Company’s website or who have expressly consented to sending of newsletters (in writing). If the data subject may subscribe for newsletters at the website, he or she must accept the Privacy Policy at the place where the subscription is made. It can be done by ticking a checkbox. The Company provides an opportunity to unsubscribe at the bottom of each newsletter.
purpose of processing: providing information about the Company’s most important news
scope of the controlled data: name and e-mail address of the data subject
legal basis for processing: consent of the data subject within the meaning of Article 6(1)a) of the GDPR.
period of data storage: until the end of operation of the newsletter service or immediately after the request of erasure if the data subject requests erasure of his or her data (unsubscribes from newsletters)
means of processing: electronic.


6. Processors

The Company employs the following processor for performing tasks of technical nature only during processing of the personal data:
name of the processor: GoDaddy Inc. (GoDaddy.com)
address: 14455 N. Hayden Rd., Ste. 226 Scottsdale, AZ 85260 USA
purpose of processing: hosting
server location: United Kingdom (EU)
The servers of the Processor are located in the area of the European Union and the Processor registered in a third country (USA) undertakes to comply with the GDPR and is a party to the EU-U.S. Privacy Shield cooperation. The Processor shall carry out processing based on the Company’s instructions and shall not be authorized to make any decision effectively affecting the processing of the data; shall be exclusively authorized to process the personal data it acquired knowledge of in accordance with the instructions issued by the Company; shall not be authorized to process data for its own purposes and shall store and keep the personal data in compliance with the instructions issued by the Company.

 

7. Amendment to the Policy


The Controller reserves the right to amend this Policy. In the event such amendment affects use of the personal data provided by the data subject, the Controller shall inform the user of the changes in the form of an information letter by e-mail. In the event the details of processing are also changed as a result of amendment to the Policy, the Controller will request the data subject’s consent specifically.



8. Issues not specified in this Policy


In matters not specified in this Policy, the provisions of the GDPR and, in the cases permitted thereby, the provisions of the Information Act shall secondarily apply.