Privacy Policy
Coffee Lovers Kft.
data processing notice
Coffee Lovers Kft (registered office: 6720 Szeged, Tisza Lajos körút 14, I. em. 4, tax number: 25856279-2-06, telephone number: 06703811178, e-mail: info@rockcandystickshop.com, represented independently by: Márton Gábor Nagy, managing director, name and contact details of data protection officer/contact person: ), as Data Controller, hereby informs you in summary and briefly of the data processing activities performed by it and other relevant facts.
The Controller draws the attention of data subjects to the fact that
- data subjects may exercise their rights (right of access, right to rectification, right to erasure and ‘to be forgotten’, right to blocking/restriction of data, right to object, right to data portability, right to withdraw consent, see the detailed descriptions of the rights at the end of the notice) by sending a request to the e-mail address info@rockcandystickshop.com, or by a statement sent to other contact details of the Controller, and they can file a complaint with the authority (for contact details see: NAIH, www.naih.hu), and if they consider that their rights have been violated, they can turn to the court with jurisdiction over their place of residence. The Controller draws the attention of the data subjects to the fact that special conditions or restrictions may apply to the exercise of their rights in connection with specific data processing, which factors the Controller must examine in the case of the exercise of data subjects’ rights. In the event that a data subject is unable to exercise his/her rights in relation to a specific processing, the Controller shall inform the data subject in writing (including by electronic means) of the factual and/or legal reasons for excluding/restricting the exercise of the right.
- the Controller shall, in particular, within the scope of its tasks related to IT protection ensure that:
- unauthorised persons are refused access to equipment used for data processing (hereinafter referred to as “data processing system”);
- unauthorised reading, copying, alteration or removal of data carriers is prevented;
- unauthorised input of personal data into the data processing system and the unauthorised knowledge, alteration or erasure of personal data stored therein is prevented;
- the use of data processing systems by unauthorised persons using data transmission equipment is prevented;
- persons authorised to use the data processing system have access only to the personal data specified in the access authorisation,
- it is possible to verify and establish to which recipients personal data were or may be transmitted or were or may be made available by means of data transmission equipment;
- it is possible to verify and establish subsequently which personal data were entered into the data processing system, at what time and by whom;
- the unauthorised knowledge, copying, alteration or erasure of personal data during transfers of personal data or during transportation of data media is prevented;
- the data processing system can be recovered in the event of a breakdown;
- the data processing system is functional, that a report is prepared of any errors that arise in its operation, and that the stored personal data cannot be changed even if the system malfunctions.
- more detailed explanations of each of the data processing operations defined in the table below are also available in paper-based format at the Controller’s registered office/site and the Controller will send them electronically to the data subject upon request.
- profiling does not take place for any processing operations.
- disclosure of data to a third party may take place in respect of a specific processing operation which is set out in the detailed notice for that specific processing operation.
- cookie information was stipulated separately.
- The Controller carries out other data processing regarding which the data subject can find more detailed information in a notice that is separate from this notice.
| Summary table of data processing related to one-time request for and provision of information | |||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Source |
| providing appropriate information to the data subject and communication accordingly | freely given consent or compliance with statutory obligations or is based on an agreement or a legitimate interest or vital interest | Any natural person, including a representative acting on behalf of an organisation, who contacts the Controller and requests/receives information from the Controller | See details in the data processing notice/description | until the purpose is achieved or a request for erasure is made, or within the time limit set by law, or within the limitation period or until cessation of the legitimate interest | Data Subjects |
| Summary table of data processed for continuous, regular contact with the data subject | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| keeping in touch with the data subject, answering and resolving questions, requests and other issues | freely given consent or compliance with statutory obligations or is based on an agreement or a legitimate interest or statutory obligation or vital interest | Any natural person, including a natural person acting on behalf of an organisation, who, is in constant or regular contact with the Controller beyond just a single request for information | See details in the data processing notice/description | until the purpose is achieved or a request for erasure is made, or within the time limit set by law, or within the limitation period or until cessation of the legitimate interest | done electronically and/or on paper, manually | Data Subjects |
| Summary table of data processing related to requests for offers made by the data subject and the offer submitted by the Controller | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| providing an appropriate offer to the data subject and communication | freely given consent, or Article 6 (1) (b) of the GDPR | Any natural person, including a natural person acting on behalf of an organisation, who, requests an offer from the Controller providing his or her personal data | See details in the data processing notice/description | during the validity period or if the offer is accepted, until the expiry of the legal relationship, or in the case of data processing on the basis of a legitimate interest, until its cessation | done electronically and/or on paper, typically electronically, manually | Data Subjects |
| Summary table of data processing related to entering into a contract | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| entering into and performance of the contract, monitoring performance, communication | Entering into a contract (GDPR Article 6 (1) (b) the processing of the data of the representative or contact person is based on a legitimate interest | Any natural person, as well as any natural person acting on behalf of and representing an organisation, who, by providing personal data, enters into a contract with the Controller on their own behalf, or appear in the contract as a representative or contact person | See details in the data processing notice/description | 8 years or the duration specified in the contract or cannot be discarded, so it cannot be erased | done electronically and/or on paper, manually | Data Subjects |
| Summary table of data processing for managing (booking) appointments | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| providing the data subject with an appointment and communication | based on freely given consent or, if required by law, is based on a legal obligation | Any natural person, including a natural person acting on behalf of an organisation, who, requests books/agrees on an appointment providing his or her personal data | See details in the data processing notice/description | until the purpose is achieved, or within the general limitation period or until the existence of a legitimate interest | done electronically and/or on paper, manually | data subjects |
| Summary table of data processing related to declarations of consent | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Source | |
| the verifiability of the legal basis for data processing and performance of the consent and communication. | freely given consent | Any natural person who gives a declaration of consent to the Controller to the processing of their data for any purpose | see details in the data processing notice | until withdrawal/cancellation of consent the declarations of consent are deleted after the expiry of the limitation period following the revocation | data subjects | |
| Summary table of data processing related to handling of complaints | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| identification of the data subject and the complaint, handling the complaint and communication | Starts with freely given consent, but under Article 6 (1) (c) of the GDPR, the processing is necessary for compliance with a legal obligation to which the controller is subject | Any natural person who submits a complaint regarding a service used, a product purchased and/or the conduct, activity or omission of the Controller | See details in the data processing notice/description | The Controller processes the record of the complaint and a copy of the response for 5 years from the date of their recording in accordance with the Consumer Protection Act | done electronically and/or on paper, manually | Data Subjects |
| Summary table of processing related to the registration of the data subject (customer and partner). | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| identification of and communication with the data subject, monitoring performance of the contract (where applicable) | based on contract or necessary for compliance with a legal obligation or based on a legitimate interest | Any natural person as well as representatives of non-natural persons who are or wish to be the Controller’s Partner/client | See details in the data processing notice/description | until erasure at the request of the data subject until erasure due to failure of data reconciliation, until erasure due to death of data subject, if required by the Controller’s interest, it lasts until the interest ceases. The Controller may declare the register to be of permanent value, therefore the data contained in it cannot be deleted | done electronically (paper based), manually | data subjects, possibly a partner |
| Summary table of data disclosure (to third parties) | |||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source | |
| Specific purpose | consent, compliance with legal obligation, agreement, legitimate interest | Any natural person, including a natural person acting on behalf of or representing an organisation, whose data the Controller discloses to a third party | See details in the data processing notice/description | Until the purpose is achieved or expires or until the time limit specified by law or cessation of legitimate interest | Done electronically and/or on paper, manually, in compliance with data security requirements and the principle of confidentiality | Data subjects, data processor, public register | |
| Summary table of processing in connection with registration on the https://coffeelovers.hu/; https://kavezom.hu/; https://coffeetry.hu/; https://rockcandystickshop.com/; https://erythritolshop.com/ websites | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| recording the data of the data subject, granting, exercising and checking his/her rights, discounts and access, facilitating use of the services, and communication | freely given consent | Any natural person who voluntarily registers on the Controller’s website by providing their personal data | see website and data processing notice | until erasure at the request of the data subject or until cessation of legitimate interest | electronically, input manually, recording in a registration system automatically | data subjects |
| Summary table of processing in connection with logging into the https://coffeelovers.hu/; https://kavezom.hu/; https://coffeetry.hu/https://rockcandystickshop.com/; https://erythritolshop.com/ websites | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| identification of, granting authorisations to and monitoring data subjects logging into the website | freely given consent | Any natural person who logs into the Controller’s website | See details in the data processing notice/description | until erasure at the request of the data subject, until cessation of legitimate interest | electronically, automatically, via a secret channel | data subjects |
| Summary table of data processing related to orders placed through the website (web store) | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| placing the order and communication | For consumers, the agreement, processing of the contact persons’ data is based on a legitimate interest | Any natural person, including a natural person acting on behalf of an organisation, who, orders a product (service) from the Controller | See details in the data processing notice/description | Until dismissal or for 8 years because it forms the basis of accounting records, | Electronically, processing is done manually | Data Subjects |
| Summary table of data processing related to sending newsletter | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| complete general or personalised and regular information of the recipient about the latest promotions, events and news of the Controller | based on freely given consent | Any natural person who wishes to be notified regularly of the Controller’s news, promotions and discounts and therefore subscribes to the newsletter by giving his/her personal data | See details in the data processing notice/description | Until cancelling of subscription | subscription is done electronically or on paper, manually sending electronically, automatically cancelling of subscription is done electronically or on paper, manually
| Data Subjects |
| Summary table of data processing related to measuring customer satisfaction | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| improving the quality of services, products, the Controller’s behaviour, investigating possible complaints and communication | Legitimate interest of the Controller but can also be consent | Any natural person who participates in customer satisfaction measurement as part of the Controller’s quality assurance process | See details in the data processing notice/description | Until the purpose is achieved, in case of a complaint for 5 years | done electronically and/or on paper, manually | own records of data subjects |
| Summary table of data processing related to social media marketing | ||||||
| Purpose | Legal basis | Data Subjects | Data category | Duration | Mode | Source |
| Controller’s marketing | Freely given consent | Natural persons who voluntarily follow, share, like the Controller’s social media site or the content appearing on it | See details in the data processing notice/description | Until erasure at the request of the data subject or until cessation of legitimate interest | Done electronically manually | Data Subjects |
Rights of the Data Subject
Right of access (GDPR Article 15)
The data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information related to the circumstances of processing. Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. The Controller shall provide a copy of the personal data undergoing processing to the data subject, if the data subject requests.
Right to withdraw consent (GDPR Article 7)
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to rectification (GDPR Article 16)
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Right to object (GDPR Article 21)
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on GDPR Article 6(1) point (e) or (f).
The Controller shall no longer process the personal data unless the controller demonstrates legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
Right to restriction of processing (GDPR Article 18)
The data subject has the right to obtain from the Controller restriction of processing where any of the conditions listed in GDPR apply and in such case the Controller shall, with the exception of storage, not carry out any operations with the data.
Where the data subject has objected to processing; pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to erasure (‘right to be forgotten’) (GDPR Article 17)
The data subject has the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where the data processing has no purpose, the data subject withdrew consent and there is no other legal basis, in case of objection there are no overriding legitimate grounds for the processing or if the data have been unlawfully processed, and the data must be erased for compliance with a legal obligation. Where the Controller has made the personal data public and is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to data portability (GDPR Article 20)
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the statutory conditions are met.
Right to withdraw consent (GDPR Article 7)
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Supervisory authority contact details for complaints (GDPR Article 77)
Hungarian National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Tel: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
For the court competent according to your place of residence please go to: https://birosag.hu/birosag-kereso
Closed on: 17 February 2020
Gábor Márton Nagy
Managing Director
Coffee Lovers Kft.
