Privacy policy

 

1. The purpose of this data protection policy

The purpose of this data protection policy is to describe the management of the data handled on the website operated by the AmataSport Kft. and to provide information on the management of privacy with respect to the data protection policy.

Further, the purpose of this policy is also to ensure that interested parties are properly informed about the products provided through this website through various channels, as well as to promote the continuing relationship between customers and the AmataSport Kft. concerning data processing.

 

2. Data controller information

Company full name: AmataSport Ipari és Kereskedelmi Korlátolt Felelősségű Társaság

Company short name: AmataSport Kft.

Corporate registration number: 07-09-023859

Head office address: 8000 Székesfehérvár, Surányi utca 47, Hungary

Tax number: 24360652-2-07

 

3. The legal background of the data processing policy

This policy is applicable in accordance with the following laws and regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Act CXII of 2011 on information self-determination and freedom of information
Act V of 2013 of the Civil Code
Act CVIII of 2001 in regard to certain issues of electronic commerce services and information society services
Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers
Act CLV of 1997 on consumer protection
Act XIX of 1998 on Criminal Proceedings
Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity
Act C of 2000 on Accounting

 

4. Key concepts in regard to this policy

- Data sets: All compiled data will be processed through a single data register.

- Data handling: With regards to any operation or set of operations that is performed on data, regardless of the procedure applied; in particular collecting, recording, registering, organising, storing, modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking, erasing and destroying the data, as well as preventing their further use; taking photos and making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples and iris scans).

- Data controller: with regards to the natural or legal person, or organisation having no legal personality, which, within the framework laid down in an Act or in a binding legal act of the European Union, alone or jointly with others, determines the purposes of data processing, makes decisions concerning data processing (including the means used) and implements such decisions or has them implemented by a processor.

- Technical/data processing means the totality of data processing operations performed by the processor acting on behalf of, or instructed by, the controller

- Data processor means a natural or legal person, or an organisation not having legal personality which, within the framework and under the conditions laid down in an Act or in a binding legal act of the European Union, acting according to a mandate or instructions given by the controller, processes personal data

- Data transfer: with regards to providing access to the data for a designated third party.

- Data erasure: with regards to rendering the data unrecognisable in such a way that its restoration is no longer possible.

- Personal data breach: with regards to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised transfer or disclosure of, or unauthorised access to, personal data transferred, stored or otherwise processed.

- Data subject: means a natural person identified or identifiable based on any information;

- Third Party: with regards to any natural or legal person, or any entity without legal personality, who is not the data subject, the data controller or the data processor.

- Consent: with regard to any freely given, specific, informed and unambiguous indication of the data subject's wishes, by which they, by a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them.

- Sensitive data: with regard to all data falling in the special categories of personal data that are revealing with regards to racial or ethnic origin, political opinion, religious belief or worldview, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sexual orientation;

- Data disclosure: with regards to means allowing data to become accessible.

- Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

- Personal data: personal data means any data relating to the data subject.

 

5. Guidelines and principles of data processing

The principle of lawfulness and fairness: data is processed fairly according to EU and Hungarian legislation in force;
Limitation to the intended purpose: data processing is exclusively limited to the intended purpose and personal data is only processed to the extent of necessity;
Accurate and up-to-date personal data: to ensure the accuracy and completeness of the data in the course of data management, to ensure the prompt deletion or correction of inaccurate personal data;
The principle of the data subject’s consent and volunteering of data: the processing of personal data is based on the unambiguous and advanced consent of the data subject and is subject to an appropriate legal basis;
A high level of data protection: according to the most current state of science and technology the data controller ensures by technological and organisational measures the appropriate safety, protection and confidential custody of personal data, including protection from unauthorised data processing and the protection from damage or destruction;
Principle of limited data storage: the data controller shall process data up until the fulfillment of the purpose of the data processing or according to the relevant legal acts or until the withdrawal declaration of the data subject

 

6. Purpose of data management

Personal data shall be processed only for clearly specified and legitimate purposes, in order to exercise certain rights and fulfil obligations.

The data controller shall process personal data for the following purposes and activities:

a) purchases on the www.amata-power.com website, issuing an invoice, performing contracts and orders;
b) customer relationship management;
c) direct marketing, analyzing customer habits based on newsletter sign-ups and providing customer-focused and targeted customer service, direct marketing profiling and customer profile creation;
d) customer service, handling complaints;
e) fulfilling accounting obligations;
f) data processing authorised by an act;

 

The data controller ensures compliance with the purpose of data management at all stages of the data management. Further, the data controller shall not personally handle sensitive data.

 

7. The legal basis of data processing and voluntary consent

In every case the unilateral consent of the data subject gives the legal basis of data processing according to Article 6 Section (1) point a) of the GDPR.

On the other hand, it is necessary to consider Article 6 Section (1) point b) of the GDPR to oblige the fulfillment of the contract on the legal basis of data processing. The legal basis of said data processing is with regard to the contract signed by one or more parties.

The consent extends to all data processing activities made for the same purpose(s).

The provision of data is in every case voluntary and based only on the unambiguous consent of the data subject. The data subject is authorised to gain access to all personal data which is related to them and processed by the data controller. Additionally, the data subject can require information about this data.

In addition to this, the data controller shall also manage data on the basis of statutory requests and may transfer personal data of the data subject in accordance with legal requirements.

 

8. The scope of processed data

The data controller shall process the following data:

8.1. For registration on the website: first name, surname, e-mail address, default contact language and the password given by the user (stored in an encrypted manner).

8.2. For online purchases made on the website: first name, surname, e-mail address, company name, delivery address (country, city, street, house/flat number, postal code), phone number.

8.3. Registration without purchases: first name, surname, e-mail address, company name, delivery address (country, city, street, house/flat number, postal code), phone number.

8.4. The scope of personal data acquired during customer services: e-mail address, name, address (country, city, street, house/flat number, postal code), phone number.

8.5. Personal information provided during complaint handling:

a) The customer’s name and address
b) The location, date and time, and means of submission of the complaint
c) The detailed description of the customer’s complaint, the files and documents provided by the customer and the record of other related evidence.
d) A statement by the data controller of his/her position on the customer's complaint provided that it is possible to immediately investigate the complaint.
e) The signatures of the person accepting the complaint and the customer (except when the complaint was submitted by email or telephone)
f) Date, time and location of the report
g) The unique identification number of the complaint

 

The source of data processed by the data controller originates in every case from the data subject.

 

9. Data storage

The provided data will be stored until withdrawal of the consent of the person concerned.

In the case of the data subject not declaring a related consent statement, the data controller will erase the data after 5 years of the time of purchase according to the 6:22. § of Act V of 2013 on the Civil Code.

Exceptions to this are accounting documents which must be stored for 8 years after purchase according to the 169. § Section (2) of the Act C of 2000 on Accounting.

Furthermore, according to Article 6 Section (1) point c) of the GDPR and the 17/A. § of Act CLV of 1997 on consumer protection, the complaint report, the transcripts, the response and their copies must be stored for 5 years according to the 17/A § (7) of Act CLV of 1997 on consumer protection.

The personal data during data processing keeps its secure quality until its relationship with the data subject can be restored. This relationship with the data subject can be considered as restorable when the data controller possesses all the technical requirements which are needed for the restoration.

 

10. Rights related to data processing

10.1. The right to erase data

The erasure of data from the data controller’s database can be requested any time by the data subject or by the withdrawal of the consenting declaration.

Reasons for erasure are most especially the conditions from Section 17 paragraph (1) of the GDPR, highlighting the case when personal data is no longer required because they have already been collected or processed through other sources.

Deleting the registration on the website will also immediately delete the personal information. However, deleting the registration will not cancel the subscription to the newsletter.

Any subscriptions created by the data controller can be cancelled by a link on the website. In the event of the cancelling of a subscription the data controller shall erase the data subject’s personal data from the database. In this case the registration on the website remains.

If the data subject submits any declaration concerning the erasure of personal data, the data controller must immediately inform the data subject of its receipt by electronic means according to Section 19 of the GDPR. If the data subject’s request also includes the provided e-mail address, then the data controller shall also erase the email address after the information has been sent to the data subject.

The data controller may refuse the deletion if the data remains relevant with regard to the right to freedom of expression and information or the law authorises its processing. Also applicable is if data management is required for the filing, enforcement or defence of legal claims. The data controller shall always inform the data subject of the refusal of the request for deletion and shall indicate the reason for the refusal.

Once the request of personal data erasure is fulfilled, previously held data cannot be restored.

The data controller shall further delete any data related to the data subject, unless there is another legitimate reason for further data processing.

 

10.2. The right to data rectification with regard to data management

Upon the data subject’s request, the data controller can further clarify or rectify the personal data, or supplement it with further information provided by the data subject. This may be done through a consent statement signed by the data subject or via another means of consent. In this case, the purpose of data management remains intact. The data controller shall comply with the request for rectification without delay.

 

10.3. Right to the restriction of data processing

The data subject is authorised to request the data controller to restrict the processing of their data.

This can occur in the following instances:

a) The data subject contests the accuracy of personal data. In this case the restriction applies to the time period which enables the data processor to verify the accuracy of personal data.
b) The data processing is unlawful and the data subject objects to the erasure of data and instead requests the restriction of their use/application/processing.
c) The data controller’s purpose of data processing has terminated but the data subject requires it for the submitting, enforcement or protection of legal claims.

 

10.4. The procedure of data rectification, erasure or restriction

All requests for data rectification, erasure or restriction of processing are investigated by the data controller who acts according to the request. If the data controller dismisses the request, it shall notify the data subject in writing without delay of the dismissal, as well as of its legal and factual basis, and the rights to which the data subject is entitled under the relevant acts, as well as the method of enforcing them. The data subject may also exercise his or her right to rectify, erase or restrict the processing of personal data processed by or on behalf of the data controller, with the assistance of the National Authority for Data Protection and Freedom of Information.

 

10.5. The rights for objection to data processing

The data subject is authorised to object at any time to personal data being processed by the data controller. Objection can be due to direct business gain and the related handling of profiling based on a legal purpose.

 

10.6. The right to data portability

The data subject shall have the right to receive personal data relating to him or her which has been made available to the data controller in a structured, widely used, machine-readable format. In addition to this, the data subject is authorised to forward this data to another data controller without being hindered by the data controller from which the data was previously held.

The data subject can send their above-mentioned request or a withdrawal of consent to data processing via email at privacy@amata-power.com or to the following postal address 8000 Székesfehérvár, Surányi utca 47.

 

11. Profiling

The data controller can profile with the consent of the data subject. Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject (concerning the natural person’s health, personal preferences, interests, behaviour, location or movements) in particular to analyse or predict aspects of behavior.

The purpose of profiling is so that the data controller may provide customised and personalised offers according to the user’s needs and interests. Offers can be sent and/or illustrated by the data controller via the newsletter, email or through the website.

Nevertheless, the data controller cannot currently apply decisions based solely on using automatic procedures.

 

12. Data processing by means of registration via social media

In the event of registration via a Google account, the email address, date of birth and gender of the user shall be transferred to the data controller by the external service provider.

In the event of registration via a Facebook account, the user name, email address, date of birth and gender of the user shall be transferred to the data controller by the external service provider.

In the event of registration via a PayPal account, the PayPal identification number, email address, contact telephone number, name and gender of the user shall be transferred to the data controller by the external service provider.

Registration via social media shall always be voluntary and optional. Forwarding data via social media only occurs when the user opts to click on the provided icon and a pop-up window shall subsequently open.

The transferred data and passwords will not be accessed or stored by the data controller. The user can be informed via the aforementioned social media websites about the methods of data submission via social media and the subsequent sourcing, processing, handling and the legal basis of this. In such cases, the data management is carried out on the social media sites and so the duration, method of data management and the possibilities of deleting and modifying the data are subject to the regulations of the given social media sites.

 

13. Measures of data protection

The data controller will not disclose data of the data subject to a third party. Data transfer can only occur when the data subject has given their prior consent or in the event that it is required by law. The data controller will not transfer personal data to third countries or to other international organisations.

The data controller will ensure the security of the data by taking the necessary technical and organisational measures and configuring procedural rules to retain the processed and stored data in a safe and confidential manner. The data controller will also prevent unauthorised destruction, unauthorised use and unauthorised rectification of the data.

The data controller will ensure that data cannot be accessed, released to the public, forwarded, transferred, rectified or erased by any unauthorised person.

The data controller will do its utmost in order to keep data safe and undamaged.

 

14. Use of cookies and further data management

The data controller collects further anonymous data from website visitors for statistical purposes which are processed for the purpose of the website’s operation, protection and the improvement of the website’s operation.

The website uses cookies and web-analytical services.

The purpose of cookie use is to analyse the use of the user interface, to help the user in browsing and to improve user experience in order to make employment of the website more enjoyable and productive.

The web-analytics provider does not handle personal information and merely has access to browsing-related information that is not personally identifiable.

With the unambiguous consent via the website, the data subject consents and allows that the information collected and processed by cookies can be processed by Google Analytics and Google AdWords.

The scope of data processed by cookies is as follows: utilised IP addresses, types of browsers used, features of the operating systems used for browsing (type, language), exact time and date of visits, addresses of the previously visited web page, used function or service on the visited website and the elapsed time spent on the website.

The cookies used cannot be used to personally identify the visitor.

The user can disable the storage and use of cookies via their browser settings. Cookies can be deleted by the data subject from their own computer system or they can be disabled in the browser. Options vary browser to browser but they are often available in the settings directory or alternatively in the privacy directory.

As a result of the user disabling cookies, the browsing content will not be personalised and the user will not be able to use all provided functions of the website and the user may not be able to benefit from certain services or they may be of limited operation. Further, any advertisements shown may not be relevant to the user. The data controller shall not take any responsibility for the above issues.

The data controller shall execute ‘remarketing advertisements’ through the advertising systems of Facebook and Google AdWords. These providers may collect or retrieve data from the data controller’s website and other online sites using cookies, web beacons and similar technologies. They shall then use this information to provide analytic services and to target ads: these may appear on other websites within the Facebook and Google partner networks. Remarketing lists do not include the visitor's personal information and are not personally identifiable.

 

15. Newsletter

According to the 6. § paragraph (5) of the Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity, the user may expressly consent in advance to be regularly contacted by the service provider with advertising offers and other information at the contact details provided at registration. The data controller may electronically deliver direct marketing messages for newsletter subscribers about sales offers, useful content, current news and business offers. To subscribe to the newsletter, an email address is required for the delivery of correspondences. The data controller does not take any responsibility for damages deriving from false, unauthorised or incorrectly submitted data.

The data controller shall process only the following data in the case of newsletter subscription: the date of subscription, IP address at the time of subscription, confirmation, newsletter read receipts and clicks on newsletter links and websites. The data subject may withdraw their consent to the newsletter data management by clicking the link provided in the newsletter. If the withdrawal of consent does not occur, the data controller shall erase the entirety of the related personal subscription data after a period of two years from the last time the newsletter was opened. In some cases, data processing - with a lack of consent - rests on the legal basis of the 6 § of the Act CXII of 2011 on the right to informational self-determination and on the freedom of information.

 

16. Data processors

The data controller is authorised to engage data processors to process and transfer the data subject’s personal data on their behalf. Transferring said data occurs only to a necessary limit, in order to facilitate the required data processing.

The data controller, in order to facilitate their operation, engages the following data processors with regards to their services:

 

1. Company name: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

Head office address: 2351 Alsónémedi GLS Európa u. 2.

Corporate registration number: 13-09-111755

Tax number: 12369410-2-44

Scope of forwarded/transferred data: the purchaser’s name, contact telephone number, email address, postal code, delivery address, door-bell number, dispatch comments for the courier.

The purpose of data transfer: delivery of goods

 

2. Company name: DHL Express Magyarország Kft.

Head office address: 1185 Budapest, BUD Nemzetközi repülőtér, terminál 1., DHL Express épület 302.

Corporate registration number: 01-09-060665

Tax number: 10210798-2-44

Scope of forwarded/transferred data: the purchaser’s name, contact telephone number, email address, postal code, delivery address, door-bell number, dispatch comments for the courier.

The purpose of data transfer: delivery of goods.

 

3. Name of the authorised company for accounting services: DW Solution Bt.

Head office address: 1125 Budapest, Tündér lépcső 7/B.

Corporate registration number: 01-06-788110

Tax number: 24977124-1-43

Scope of forwarded/transferred data: buyer’s name, billing address, name of products purchased, quantity and unit price of purchased goods

The purpose of data transfer: accounting services

 

4. Operator of the website

Company name: Shopify International Limited

Head office address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland

Electronic postal address: privacy@shopify.com

Scope of forwarded/transferred data: IP address, the purchaser’s name, email address, postal code, delivery address.

 

5. Data storage service:

Company name: Shopify International Limited

Head office address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland

Electronic postal address: privacy@shopify.com

Scope of forwarded/transferred data: IP address, the purchaser’s name, phone number, email address, postal code, delivery address.

 

6. Mailing system

Company name: Shopify International Limited

Head office address: 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland

Electronic postal address: privacy@shopify.com

Scope of forwarded/transferred data: IP address, the purchaser’s name, phone number, email address, postal code, delivery address.

 

7. Newsletter service provider

Company name: The Rocket Science Group LLC

Head office address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA

Electronic postal address: privacy@mailchimp.com

Scope of forwarded/transferred data: IP address, the purchaser’s name, email address.

 

The data controller shall only engage data processors who provide adequate guarantees for compliance with the data management requirements of the GDPR and for the implementation of appropriate technical and organisational measures to ensure the protection of the rights of data subjects. Data processors handle personal data that we transmit in their own name, in accordance with their own privacy policies.

The data controller is authorised or obliged to provide further data transfer if it is authorised or obliged by law or the data subject has provided their specific consent.

 

17. Personal data breaches

A personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised transfer or disclosure of, or unauthorised access to, personal data. This also applies to personal data which may have been transferred, stored or otherwise processed without authorisation. The data controller shall record in the controller’s record the circumstances of any personal data breaches that occurred in the context of processing the data subject’s personal data, as well as the subsequent effects thereof and the measures taken to address them.

A personal data breach shall not be reported to the user if it is judged likely that the breach does not pose a risk to the rights of the data subject.

A data protection incident is likely to present a high risk if it has consequences that significantly affect the enforcement of a fundamental right of the data subject. In such a case, the data controller shall inform the data subject of the incident without undue delay, in a clear and unambiguous manner.

The data controller shall be exempted from the obligation of informing the data subject according to the following if:

a) the data controller had implemented appropriate technical and organisational protection measures before the personal data breach, and those measures were applied to the personal data affected by the personal data breach, in particular those, such as encryption, that render the personal data unintelligible to any person who is not authorised to access them,
b) after having become aware of the personal data breach, the data controller has taken subsequent measures that ensure that the consequences materially influencing the enforcement of a fundamental right of the data subject are not likely to occur,
c) informing the data subject directly according to paragraph (1) requires disproportionate efforts by the data controller, and therefore the controller provides the data subjects with adequate information on the personal data breach by way of public communication accessible to anyone, or …
d) communication is excluded if this measure is indispensable for ensuring the efficient and effective conduct of inquiries, in particular criminal proceedings, carried out by or with the participation of the data controller. The subjects of said inquiries may include the efficient and effective prevention and detection of criminal offences, the execution of penalties and measures applied against the perpetrators of criminal offences, the efficient and effective protection of the state’s external and internal security, in particular national defence and national security or the protection of the fundamental rights of third parties.

 

Nevertheless, the data controller shall, without undue delay but not later than within seventy-two hours after having become aware of it, notify the personal data breach to the National Authority for Data Protection and Freedom of Information.

 

18. Relationship between the data subject and the data management

The data subject can send any queries or requests related to personal or processed data to the data controller electronically via email at privacy@amata-power.com or via post to the following address: 8000 Székesfehérvár, Surányi utca 47. The data controller can only provide information or take measures related to the data processing after verifying the identity of the person submitting the request.

The data controller shall, without undue delay but not later than within 1 month after receiving the request, notify the data subject about the measures taken.

Where appropriate, considering the complexity and number of requests, this time limit may be extended by a further 2 months. The requesting party shall be informed by the data controller about the delay within 1 month of the date of receiving the request including the reasons for the delay. If the request was electronically submitted by the data subject, the information shall be also provided electronically.

If the data controller does not take any measures concerning the request, then it shall, without undue delay but not later than within 1 month after receiving the request, notify the data subject about the reasons for this and the fact that the data subject is authorised to submit a complaint to the National Authority for Data Protection and Freedom of Information, as well as about the available legal remedies.

 

19. Available legal remedies

The data subject is authorised to submit a complaint (notification) about the data management to the National Authority for Data Protection and Freedom of Information (post office box: 9., H-1363, Budapest, Hungary; contact telephone number: + 36 1 391 14 00; email address: ugyfelszolgalat@naih.hu; website: www.naih.hu) referring to an alleged infringement of their personal data or of an imminent threat of such an infringement, or if the data subject is not satisfied with the data management service.

The data subject can turn to court to enforce his or her rights. The data subject may also bring the action before the regional court having territorial jurisdiction over his or her domicile or place of residence, according to his or her choice.

 

20. Review of mandatory data processing

Unless it is required by law, local government decree or mandatory European Union law to determine the duration or periodic review of mandatory data processing, the data controller shall review, at least every three years, the necessary protocols and data processors employed for the purpose of trustworthy data management.

 

The data controller shall document the circumstances and the results of the review, and shall retain this documentation for ten years following the review and it shall make the documentation available to the National Authority for Data Protection and Freedom of Information at its request.