- The data controller’s data:
Name of the Entrepreneur: László Marcell, sole proprietor
Seat: 2017 Pócsmegyer, Pipacs u. 4.
Tax number: 77559911-1-33
Registration number: 39779499
Phone number: 0670/531-7881
Email address: info@lagaallo.com
- The purpose of the Privacy Notice
The data controller recognizes the content of this legal notice as binding upon himself. The purpose of this Privacy Notice is to inform clients, partners and customers regarding the processing of their personal data. The data controller shall process personal data exclusively in line with the effective legal regulations, strictly complying with the data processing and data protection rules, having regard to the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation.
The data controller shall take all technical and organizational measures to ensure that the personal data of his partners are processed in a manner prescribed by Regulation 2016/679 of the European Parliament and of the Council.
The data controller has developed his daily activities, internal regulations, records, sample documents and information sheets in compliance with the above.
The privacy principles arising in connection with the processing activities of the controller are always available at the registered office and website of the controller. The data controller reserves the right to amend this notice at any time. Of course, he will notify his audience of any changes in due time.
The data controller is committed to protecting the personal data of his clients and partners and considers it a priority to respect his customers’ right to informational self-determination. The data controller shall process personal data in a confidential manner, and shall take all security, technical and organisational measures that guarantee the safety of the data. The data controller describes his data processing practices below.
- The personal/material scope and term of the Privacy Notice
The personal scope of application of this Privacy Notice covers the data controller, as well as any natural person whose data is included in the data processing activities covered by this Notice, and furthermore, all persons whose rights or legitimate interests are affected by the data processing.
The material scope of application of the Notice covers all data processing arising during the activities of the data controller.
This Notice shall take effect on the day of its approval, and shall remain in effect until further notice, for an indefinite period of time.
- Key definitions:
Personal data means any information relating to an identified or identifiable natural person. A natural person is deemed to be identifiable if he/she can be identified directly or indirectly, especially by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
Sensitive data means all data belonging to the special categories of personal data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data having the purpose of uniquely identifying a natural person, data concerning health or personal data concerning a natural person’s sex life or sexual orientation.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or destruction.
Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Joint controllers: where two or more data controllers jointly determine the purposes and means of processing, they shall be joint controllers.
Third party: a natural or legal person, public authority, agency or body other than the data subject, data controller, processor and persons who, under the direct authority of the data controller or processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Lawful processing at the data controller:
Processing of personal data shall be carried out only in the following cases:
- if the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the individual or another natural person;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
The data controller shall examine the lawfulness of data processing at all stages of his activities, and he shall process only such data for which and until he can justify its purpose and legal basis. In the event of the termination of a legal basis, processing may only be continued if the data controller can justify another legal basis.
Generally, legal bases shall be justified in a written form; even in the case of a legal basis implied by conduct, it shall be examined if it can be clearly justified subsequently. In case of doubt, taking into account the aspects of reasonableness and efficiency, efforts should be taken to confirm data processing implied by conduct in writing.
In the case of processing based on consent, the data subject gives his/her consent to the processing of his/her personal data. There are no constraints regarding the form of the consent, but subsequent provability requires a paper-based or electronic written consent.
Processing based on the legal basis of “compliance with a legal obligation” is independent from the consent of the data subject, as the data processing is determined by law.
Regardless of the mandatory nature of data processing, the natural person data subject shall be notified before the processing starts of the fact that processing is mandatory and unavoidable; furthermore, clear and detailed information shall be provided to the data subject before the processing starts of any significant fact related to the processing of his or her data.
Under the General Data Protection Regulation (GDPR), the processing of personal data is also possible in the case where processing is necessary for the performance of a contract to which the data subject is party or the processing or recording of data is necessary in order to take steps at the request of the data subject prior to entering into a contract. Under the “performance of a contract” legal basis, the data controller may process personal data for the purpose of concluding, performing or terminating a contract.
- Processing of personal data at the data controller:
The data controller is engaged in the online sale of products. His main activity is the distribution of self-developed children’s books, audiobooks and other related products (T-shirts, bags, etc.). Sales are made through his own webshop and distribution partners. The data controller uses the services of print-on-demand service providers to print supplementary products. The data controller comes into contact with the personal data of natural persons during the performance of these activities. He performs the following data processing activities:
- The products (e-books, audiobooks, other products) distributed by the data controller can be purchased on the data controller’s website (lagaallo.hu, www.lagaallo.com). When making a purchase, the data subject shall provide his/her personal data (name, email address, telephone number, billing name, address/registered office) and then he/she can buy the given product. The legal basis for processing personal data provided for this purpose shall be the performance of a contractual obligation (Article 6, section 1 (b) of the General Data Protection Regulation). The data controller shall issue an invoice of the price of the purchased product for the data subject. The invoice shall contain the customer’s name and address. Issuing an invoice is the data controller’s statutory obligation. Therefore, the legal basis for processing the personal data on the invoice is the performance of a legal obligation (Article 6, section 1 (c) of the General Data Protection Regulation). The personal data recorded in this way shall be stored by the data controller for 5 years, in compliance with his statutory retention obligation.
- In carrying out his activities, the data controller shall process his partners’ and customers’ email addresses and telephone numbers for fulfilling his contractual obligations (Article 6, section 1 (b) of the General Data Protection Regulation) or under their individual consent (Article 6, section 1 (a) of the General Data Protection Regulation).
- During his work, the data controller may also be in a contractual relationship with subcontractors, suppliers and service providers, which also provides a basis for the processing of personal data. In this case, the legal basis for the processing shall be (in the case of a private individual or sole proprietor) the performance of a contractual obligation (Article 6, section 1 (b) of the General Data Protection Regulation), while as regards the personal data of a contact person of a legal entity, it shall be the data subject’s explicit informed consent (Article 6, section 1 (a) of the General Data Protection Regulation).
- The data controller presents his activity and products primarily on his own websites (lagaallo.hu, www.lagaallo.com). The websites use cookies during their operation, which also collect personal data from the visitors. The legal basis for processing shall be the data subject’s consent (Article 6, section 1 (a) of the General Data Protection Regulation).
- On the websites, visitors may get in contact with the data controller by using a contact form. On the form, the inquirer shall enter his/her name and email address. The purpose of the processing of personal data in this case is communication with the visitor of the site or anyone interested in the services of the data controller. If no purchase is made following such communication, the inquirer’s personal data shall be deleted immediately but within 3 business days at the latest. The data controller shall process the personal data for the purpose of entering into a contract, i.e. under this legal basis (Article 6, section 1 (b) of the General Data Protection Regulation). By filling in the form, the data subject shall declare that he/she has become familiar with the data controller’s Privacy Notice and acknowledged its contents.
- It is also possible to subscribe to the data controller’s newsletter, providing a name and email address. When subscribing to the newsletter, the data subject shall declare that he/she has become familiar with the contents of the data controller’s Privacy Notice, as well as whether he/she gives consent to the processing of his/her personal data for marketing purposes. The data subject shall be entitled to the rights described in the Privacy Notice, and he/she may exercise these rights in the manner and at the places stated therein. Accordingly, the legal basis for the processing of personal data in the course of sending the newsletter shall be the explicit and informed written consent of the subscriber (Article 6, section 1 (a) of the General Data Protection Regulation).
- On the websites, there are reviews from some previous partners/clients in connection with the services provided and the products distributed by the data controller. These reviews are displayed with names. The reviewer’s full name (or any other personal data) and the review shall only be displayed on the website if he/she has given a written informed consent to this (Article 6, section 1 (a) of the General Data Protection Regulation).
- For the purpose of presenting his activity and services, as well as for marketing purposes, the data controller also operates a Facebook, Instagram and Pinterest page, as well as a YouTube channel. The data of the page followers are processed there, as well. The legal basis for processing shall be the data subject’s consent (Article 6, section 1 (a) of the General Data Protection Regulation).
- When handling complaints related to the data controller’s activity, the purpose of data processing shall be to make the report of the complaint possible, identify the data subject and his/her complaint, as well as to register the data required to be recorded by law, and to investigate the complaint, and any communication related to its resolution.
In the event of any complaint made, its handling, including the processing of personal data is mandatory under Act CLV of 1997 on Consumer Protection. Accordingly, the legal basis for processing the personal data shall be the performance of a legal obligation (Article 6, section 1 (c) of the General Data Protection Regulation).
The data controller shall maintain a record of the processing activities described above. The record also contains the time limits for deleting the personal data. The record constitutes an annex to this Privacy Notice.
- Data processors related to the data controller:
Where processing is to be carried out on behalf of the data controller, the controller shall use only data processors providing sufficient guarantees to meet the requirements of the General Data Protection Regulation, or implementing appropriate technical and organisational measures in such a manner that will ensure the protection of the rights of the data subjects.
The data controller hereby declares that in his work he only contacts such data processors that have sufficient guarantees to meet the requirements of the GDPR regulation and to implement appropriate technical and organisational measures in such a manner that will ensure the protection of the rights of the data subjects. The data processors’ related statements are available.
By becoming familiar with and acknowledging this Privacy Notice, data subjects accept that the data controller will forward their personal data to the data processors and joint controllers listed below.
- The accounting firm engaged by the data controller is a data processor:
ProdAcc 2015 Könyvelő és Tanácsadó Kft.
Representative: Ildikó Szín
E-mail: ildiko.szin@gmail.com
Phone number: 0630/942-0910
- The data controller’s partner in connection with issuing the invoices:
Octonull Kft.
H-1133 Budapest, Árbóc utca 6., 3rd floor
Company registration no.: 01-09-1981177
Tax no.: 25073364-2-41
Community tax number: HU25073364
- The data controller’s data processor related to payment by card, who is also a data controller on its own:
PayPal (Europe) S.à.r.l. et Cie, S.C.A.
22-24 Boulevard Royal L-2449, Luxembourg
Transferwise
6th Floor of The Tea Building, 56 Shoreditch High Street, London E1 6JJ United Kingdom
https://transferwise.com
Paylike ApS
Company registration number: 36683279
P.O. Pedersens Vej 14
Skejby
8200 Aarhus N
Denmark
The legal basis for the processing of personal data shall be the performance of the contract, then compliance with the statutory retention obligation.
- The data controller’s sales partners shall also be considered data processors or joint controllers:
Amazon.com, Inc.
P.O. Box 81226
Seattle, WA 98108-1226
https://www.amazon.com
- The company hosting the data controller’s websites shall also be considered a data processor:
ATW Internet Kft
1138 Budapest, Esztergomi út 66. fszt. 1.
Phone no.: (1) 6000 289
Fax no.: (1) 6000 329
E-mail: info@atw.hu
RACKFOREST KFT.
Address: 1132 Budapest
Victor Hugo u. 18-22
Tax no.: 14671858-2-41
Phone: +36 70362 4785
E-mail: info@rackforest.com
- The company hosting the data controller’s mail system is also a data processor:
ATW Internet Kft
1138 Budapest, Esztergomi út 66. fszt. 1.
Phone no.: (1) 6000 289
Fax no.: (1) 6000 329
E-mail: info@atw.hu
- The website developer shall also be considered a data processor:
Thomas Kemendi
53426 Königsfeld, Waldorferstr 10
Tax identification number: 01/083/30084
kemendi.thomas@gmail.com
- A further processor in connection with sending out the newsletter:
MailChimp
675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA
http://mailchimp.com
- Data processor as a result of using the Google Analytics service by the data controller’s website:
Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland
- Data processor and joint controller partner as a result of using a Facebook and Instagram page and embedding the social plug-in into the website:
Facebook Ireland Ltd.
4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
The contracted data processor and data controller partners shall only process the partners’ personal data based on the data controller’s instructions (except when applying legal requirements), while undertaking a confidentiality obligation.
- Data processing related to the contracts concluded by the data controller:
Customer contracts:
The products (e-books, audiobooks, other products) distributed by the data controller can be purchased on the data controller’s website (www.lagaallo.hu, www.lagaallo.com). When making a purchase, the data subject shall provide his/her personal data (name, email address, telephone number, billing name, address/registered office) and then he/she can buy the given product. The legal basis for processing personal data provided for this purpose shall be the performance of a contractual obligation (Article 6, section 1 (b) of the General Data Protection Regulation). The data controller shall issue an invoice of the price of the purchased product for the data subject. The invoice shall contain the customer’s name and address. Issuing an invoice is the data controller’s statutory obligation. Therefore, the legal basis for processing the personal data on the invoice is the performance of a legal obligation (Article 6, section 1 (c) of the General Data Protection Regulation). As regards the retention of personal data indicated on the invoice, the data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Lump-Sum Tax of Small Taxpayers and the Small Enterprise Tax, i.e. he shall store them for 5 years.
Supplier contracts:
The data controller may also process the contact details (name, email address, telephone number) of his suppliers, and may also be in contact with service provider and subcontractor companies. Personal data may also be processed in these cases in order to communicate with the partners (personal data of the contact person or the private individual/sole proprietor). The legal basis for processing the personal data shall be the performance of his contractual obligations (Article 6, section 1 (b) of the General Data Protection Regulation) or the contact person’s consent (Article 6, section 1 (a) of the General Data Protection Regulation).
The data controller shall have the contact persons of the companies fill in a consent form, in which he informs them on their rights regarding personal data and asks their consent in order to be able to process their data. In such cases, the legal basis for the processing of personal data shall be the data subject’s explicit written and informed consent to the processing (Article 6, section 1 (a) of the General Data Protection Regulation). If the contract with the partner has terminated, and the statutory retention obligation does not apply to the retention of data/documents, either, then the telephone numbers and email addresses shall be deleted. As regards the retention of personal data indicated on the invoice, the data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Lump-Sum Tax of Small Taxpayers and the Small Enterprise Tax, i.e. he shall store them for 5 years.
- Invoices issued to customers and the processing of personal data contained therein:
The data controller shall issue an invoice of the price of the products it sells. The invoice contains the name, address, and possibly the tax identification number of the data subject. Issuing an invoice is the data controller’s statutory obligation. Therefore, the legal basis for processing the personal data on the invoice is the performance of a legal obligation (Article 6, section 1 (c) of the General Data Protection Regulation). As regards the retention of personal data indicated on the invoice, the data controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemized Lump-Sum Tax of Small Taxpayers and the Small Enterprise Tax, i.e. he shall store them for 5 years.
- Children’s data, processing of special categories of personal data:
On the data controller’s website, in connection with purchasing the products, using the contact form, subscribing to the newsletter and consenting to the use of cookies by the website, the data subject shall declare that he/she is 16 years of age or older. Persons under the age of 16 shall not make purchases this way, shall not contact the data controller this way, shall not sign up for the newsletter or consent to the data collection by the cookies used by the website, as under Article 8(1) of the GDPR, his/her declaration containing the consent to the data processing will only be valid if authorised by his/her legal guardian. The data controller is not able to verify the consenting person’s age and eligibility, and therefore, the data subject shall warrant that his/her data are truthful.
The data controller shall not record any sensitive data that have come or have been brought to his notice. If such data entered any of the data controller’s systems without the data controller’s knowledge, he shall immediately delete them from the system after detecting this.
- Procedure used to retain email addresses and telephone numbers:
During his activity, the data controller also gets to know the email address and telephone number of his partners and clients. The data entered into his system in this way are primarily processed in order to meet his contractual obligations (Article 6, section 1 (b) of the General Data Protection Regulation). If the contract with the partner has terminated, and the statutory retention obligation does not apply to the retention of data/documents, either, then the telephone numbers and email addresses shall be deleted. In some cases, the data controller still has a legitimate interest in retaining the data; in such cases, he asks for the data subject’s explicit written consent to the retention of his/her personal data (Article 6, section 1 (a) of the General Data Protection Regulation).
- The data controller’s websites:
The data controller presents his activity and products primarily on his own websites (www.lagaallo.hu, www.lagaallo.com). The websites provide information to visitors of the data controller’s contact details, the price of the products and also provide an opportunity for communication.
The data controller’s websites use cookies during operation. The legal basis for processing the personal data collected by the cookies shall be the visitor’s consent (Article 6, section 1 (a) of the General Data Protection Regulation).
Cookies:
The functions of the cookies include the following:
- they collect information on the visitors and their devices;
- they remember visitors’ custom settings, which will (may) be used;
- they make the use of websites easier;
- they ensure a quality user experience.
To ensure customized service, the website places a small data package, a so-called cookie on the user’s computer, which is read during a later visit. If the browser retrieves a previously saved cookie, then the service provider managing the cookie will be able to link the user’s current visit to the earlier ones, but only in terms of its own content.
Essential session cookies:
The purpose of these cookies is to ensure that visitors are able to fully and seamlessly browse the websites, use their functions and the services available there. The validity of cookies of this type expires at the end of the session (browsing). By closing the browser, these cookies are automatically deleted from the computer or other device used for browsing.
The data subject’s choice regarding cookies:
Web browser cookies:
In the settings of the browser, the data subject may either accept or reject new cookies and delete existing ones. He/she can also set the browser to display a notification each time a new cookie is placed on the computer or other device. You can learn more about managing cookies in the “Help” function of the browser.
If the visitor decides to disable some or all of the cookies, he/she will not be able to use all functions of the websites.
Third-party cookies (analytics):
The data controller’s websites also use the cookies of Google Analytics, a third party. By using the web analytics/statistical service of Google Analytics, the data controller collects information as regards how visitors use the websites. The data will be used with the purpose of developing the websites and improving user experience. These cookies will also remain on the visitor’s computer or other device used for browsing (in its browser) until their expiry or until the user deletes them.
When websites or apps use Google Analytics with other Google advertising products, such as Google Ads, they may collect other advertising IDs. Users can disable this feature or change their cookie settings in Ads Settings.
Google Analytics collects users’ IP addresses to protect the security of the service and to give website owners a sense of which country, state, or city their visitors are coming from (also known as “IP geolocation”). Google Analytics offers the ability to mask collected IP addresses, but website owners will be able to see users’ IP addresses even if they are not using Google Analytics.
In Google Analytics, the IP address transmitted by the visitor’s browser is not reconciled with other Google data. You may prevent cookies from being stored by properly configuring your browser software, but in this case, the visitor may not be able to use all the features of the web pages.
In addition, visitors may prevent Google from collecting data created by the cookies and concerning the user’s use of the website (including their IP address), as well as the processing of these data by Google if they download and install the browser plugin found at the link below.
Current link: http://www.google.com/policies/privacy/ads/.
Google acts as the data processor for Google Analytics and thus for the data controller.
Under the provisions of the General Data Protection Regulation (GDPR), Google Analytics shall be a data processor, since Google Analytics collects and processes data on behalf of its clients (such as the data controller), according to the instructions of these clients. Google may only use the data according to the terms of the contracts concluded with Google Analytics clients, as well as to the preferences set by the clients on the user interface of its products.
Google Analytics collects internal cookies, data related to the device/browser, IP addresses, as well as activities performed on the website/in the app. It collects these data because based on these, it can measure and record in statistical reports the actions performed by users on websites and/or in apps using Google Analytics. Clients may customize cookies and the scope of data collected through functions such as cookie settings, User-ID, Data Import and Measurement Protocol.
In the case of clients using Google Analytics for Apps SDK, Google collects an app-instance ID. This is a number generated randomly by the system when the user installs an app for the first time.
Google Analytics uses IP addresses to infer the geographical location of visitors, as well as to protect the service and its clients. Clients can turn on the feature called IP masking. When using this feature, Google Analytics will use only a portion of the IP address collected, instead of the entire IP address. Furthermore, clients may override IP addresses with the IP override function.
Google uses data processed in Google Analytics to provide its clients with the Google Analytics measurement service. With the IDs such as cookies and app instance IDs, it measures how users interact with clients’ websites and/or applications. It uses IP addresses to keep the service secure and to give website owners an overview of where in the world their users are coming from.
Facebook pixel (Facebook cookie):
Facebook Pixel is a code that is used to report conversions on the website, to build targeted audiences, and to give the site owner detailed analytics about how visitors use the website. With the help of the Facebook pixel, personalized offers and ads can be displayed on Facebook for the visitors of the website. The data controller’s website uses the Facebook pixel.
Using social plugins:
The data controller’s website also uses the embedded content of social networking sites. In these cases, the data controller and the operator of the social networking site shall be joint controllers. The legal basis for the processing shall be the consent of the data subject, which is given by accepting the notice on data collection through cookies and consenting to collecting his/her data.
On the data controller’s website, in connection with accepting the use of cookies, the data subject shall declare that he/she is 16 years of age or older. Persons under the age of 16 shall not make a statement regarding the acceptance or rejection of cookies used by the website, as under Article 8(1) of the GDPR, his/her declaration containing the consent to the data processing will only be valid if authorised by his/her legal guardian. The data controller is not able to verify the consenting person’s age and eligibility, and therefore, the data subject shall warrant that his/her data are truthful.
The contact form used on the website:
On the data controller’s websites, visitors may contact the data controller. They can use the contact form to indicate their interest in the data controller’s services. On the contact form, visitors are required to provide their email address. By filling in the form, the data subject shall declare that he/she has become familiar with the data controller’s Privacy Notice. Data provided for such purpose shall only be processed by the data controller for the purpose of communication. Following such communication, the data controller shall delete the inquirer’s personal data immediately but within 3 business days at the latest. Processing shall take place for the purpose of entering into a contract, i.e. under this legal basis (Article 6, section 1 (b) of the General Data Protection Regulation).
On the data controller’s website, in connection with using the customer contact form, the data subject shall declare that he/she is 16 years of age or older. Persons under the age of 16 shall not contact the data controller using the customer contact form, as under Article 8(1) of the GDPR, his/her declaration containing the consent to the data processing will only be valid if authorised by his/her legal guardian. The data controller is not able to verify the consenting person’s age and eligibility, and therefore, the data subject shall warrant that his/her data are truthful.
Processing of personal data related to the purchase of products:
The products (e-books, audiobooks, other products) distributed by the data controller can be purchased on the data controller’s websites (www.lagaallo.hu, www.lagaallo.com). When making a purchase, the data subject shall provide his/her personal data (name, email address, telephone number, billing name, address/registered office) and then he/she can buy the given product. The legal basis for processing personal data provided for this purpose shall be the performance of a contractual obligation (Article 6, section 1 (b) of the General Data Protection Regulation). The data controller shall issue an invoice of the price of the purchased product for the data subject. The invoice shall contain the customer’s name and address. Issuing an invoice is the data controller’s statutory obligation. Therefore, the legal basis for processing the personal data on the invoice is the performance of a legal obligation (Article 6, section 1 (c) of the General Data Protection Regulation). The personal data recorded in this way shall be stored by the data controller for 5 years, in compliance with his statutory retention obligation.
On the data controller’s website, in connection with purchasing the products, the data subject shall declare that he/she is 16 years of age or older. Persons under the age of 16 shall not make purchases this way, as under Article 8(1) of the GDPR, his/her declaration containing the consent to the data processing will only be valid if authorised by his/her legal guardian. The data controller is not able to verify the consenting person’s age and eligibility, and therefore, the data subject shall warrant that his/her data are truthful.
- Subscribing to the newsletter:
It is also possible to subscribe to the data controller’s newsletter. When subscribing to the newsletter, the data subject shall declare that he/she has become familiar with the contents of the data controller’s Privacy Notice, as well as whether he/she gives consent to the processing of his/her personal data for marketing purposes (for the purpose of sending newsletters). The data subject shall be entitled to the rights described in the Privacy Notice, and he/she may exercise these rights in the manner and at the places stated therein. Accordingly, the legal basis for the processing of personal data in the course of sending the newsletter shall be the explicit and informed written consent of the subscriber (Article 6, section 1 (a) of the General Data Protection Regulation).
The purpose of data processing related to sending the newsletter is to provide comprehensive general or personalised information to the recipient about updates on the website and the latest news, in accordance with the relevant and applicable legislation. Subscribing to the newsletter and/or receiving mails for DM purposes is based on voluntary consent, and the data controller naturally provides the opportunity for the data subject to withdraw his/her consent at any time and unsubscribe from the newsletter.
On the data controller’s website, in connection with subscribing to the newsletter, the data subject shall declare that he/she is 16 years of age or older. Persons under the age of 16 shall not subscribe to the newsletter, as under Article 8(1) of the GDPR, his/her declaration containing the consent to the data processing will only be valid if authorised by his/her legal guardian. The data controller is not able to verify the consenting person’s age and eligibility, and therefore, the data subject shall warrant that his/her data are truthful.
- The data controller’s social media pages
The data controller also operates a Facebook page where personal data are processed. The data controller uses his Facebook page, too, to promote his activity and present his products. The data controller uses this page for marketing purposes.
Link to the data controller’s Facebook page:
https://www.facebook.com/lagaallo/
The data controller also provides comprehensive personal support through Facebook. If you ask him a question on Facebook, he will try to reply as soon as possible. He shall use the data made available to him on the Facebook page only to answer your question and not for further advertising purposes.
The purpose of using the Facebook page: advertising on a social networking site, providing information. Facebook may also use the data for its own purposes, including the data subject’s profiling and targeting with ads.
If you want to contact the data controller through Facebook, you must log in. For this, Facebook also asks for personal data, in addition to storing and processing them. The data controller has no control over the type, extent and processing of these data, and he will not receive any personal data from the operator of Facebook. Learn more in this regard on the site of Facebook.
The data controller processes the personal data of the followers of the Facebook page on the basis of their consent (Article 6, section 1 (a) of the General Data Protection Regulation), and he considers the consent to be given if the person likes or follows his page or posts, and/or if he/she comments on them.
The data controller is also present on the Instagram social networking site with the following profile:
https://www.instagram.com/lagaallo/
On the Instagram page, the followers’ personal data is processed. The processing takes place under the legal basis of consent given by following the page (Article 6, section 1 (a) of the General Data Protection Regulation).
The data controller also operates a YouTube channel and a Pinterest page on the same legal basis:
https://www.youtube.com/channel/UCX7ZsriSZnF8Cn150_JCoHQ?view_as=subscriber
https://hu.pinterest.com/Lagaallo/
- Security of processing:
The data controller undertakes to ensure the security of personal data, as well as to take the technical and organisational measures and maintain the procedural rules that guarantee the protection of the data recorded, stored and processed, and furthermore, to prevent their destruction, unauthorised use or unauthorised alteration. He also undertakes to call on each third party to which he forwards or transfers the data to comply with the data security requirements.
The data controller shall ensure that no unauthorised person can access, disclose, forward, modify or delete the processed data. The data processed may only be known by the data controller and the data processor(s) used, and they shall not transfer the data to unauthorised third parties.
The data controller shall take great care of the security of the personal data of his partners, customers and clients. He shall act in full compliance with the statutory requirements, and he also requires all his partners to do so. The protection of personal data also includes physical data protection (storing documents in a lockable room, in lockable cabinets), as well as IT security.
The data controller stores the personal data provided by the data subject primarily on the servers of the data processor(s) mentioned in this Privacy Notice, equipped with standard security systems, partly on his own IT devices, and in the case of paper-based media, at his registered office, properly locked.
The data subjects shall acknowledge and accept that if they provide their personal data, the security of the data cannot be fully guaranteed on the internet and in the computer system. If an unauthorised access to data occurs despite the data controller’s efforts, those set out in this notice shall be followed.
- Data subject rights:
- Transparent information:
The purpose of this Privacy Notice is also to provide clear, concise, transparent and easily understandable information about the processing activity applied at the data controller.
- Right of access:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purpose of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data have been disclosed;
- the envisaged period for which the personal data will be stored.
You may request information of the above details from the data controller at the following address/email address:
László Marcell sole proprietor, H-2017 Pócsmegyer, Pipacs u. 4.
E-mail: info@lagaallo.com
The data controller hereby informs you that he will respond to your inquiry within 30 days. Information requests sent by data subjects by post will be answered by post, while requests sent via email will be answered by email.
- Right to rectification:
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her.
You may request information of the above details from the data controller at the following address/email address:
László Marcell sole proprietor 2017 Pócsmegyer, Pipacs u. 4.
E-mail: info@lagaallo.com
The data controller hereby informs you that he will respond to your inquiry within 30 days. Information requests sent by data subjects by post will be answered by post, while requests sent via email will be answered by email.
- The right to erasure:
The data subject shall have the right to request from the controller the erasure of personal data concerning him or her. Based on such request, the controller shall have the obligation to erase personal data where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected;
- the data subject withdraws his/her previously given consent, and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law.
You may request information of the above details from the data controller at the following address/email address:
László Marcell sole proprietor 2017 Pócsmegyer, Pipacs u. 4.
E-mail: info@lagaallo.com
The data controller hereby informs you that he will respond to your inquiry within 30 days. Information requests sent by data subjects by post will be answered by post, while requests sent via email will be answered by email.
- Right to restriction of processing:
The data subject shall have the right to request from the controller restriction of processing, primarily if:
- the accuracy of the data is contested by the data subject;
- the data subject considers the processing unlawful but does not request the erasure of data for whatever reason.
You may request information of the above details from the data controller at the following address/email address:
László Marcell sole proprietor 2017 Pócsmegyer, Pipacs u. 4.
E-mail: info@lagaallo.com
The data controller hereby informs you that he will respond to your inquiry within 30 days. Information requests sent by data subjects by post will be answered by post, while requests sent via email will be answered by email.
- Your right to data portability:
The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
You may request information of the above details from the data controller at the following address/email address:
László Marcell sole proprietor 2017 Pócsmegyer, Pipacs u. 4.
E-mail: info@lagaallo.com
The data controller hereby informs you that he will respond to your inquiry within 30 days. Information requests sent by data subjects by post will be answered by post, while requests sent via email will be answered by email.
- Right to object:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, in the manner specified in Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
You may request information of the above details from the data controller at the following address/email address:
László Marcell sole proprietor 2017 Pócsmegyer, Pipacs u. 4.
E-mail: info@lagaallo.com
The data controller hereby informs you that he will respond to your inquiry within 30 days. Information requests sent by data subjects by post will be answered by post, while requests sent via email will be answered by email.
- Data subject rights in the event of automated decision-making
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her. Automated decision-making means any process or methodology in which a technical automation evaluates the data subject’s personal characteristics, and which produces legal effects concerning him or her or significantly affects him or her. The data controller does not apply any IT automation, including automation suitable for profiling, that would have significant effects on data subjects’ rights.
You may request information of the above details from the data controller at the following address/email address:
László Marcell sole proprietor 2017 Pócsmegyer, Pipacs u. 4.
E-mail: info@lagaallo.com
The data controller hereby informs you that he will respond to your inquiry within 30 days. Information requests sent by data subjects by post will be answered by post, while requests sent via email will be answered by email.
The controller undertakes to provide information on any request received in connection with the above rights to each recipient to whom the personal data have been disclosed, unless this proves impossible. Furthermore, he undertakes to notify the data subjects of the handling of the above requests and of the related decision within no later than 30 days.
- Personal data breach:
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In the event of a personal data breach, the breach of data security must be of a level that could pose a serious risk, i.e. the breach has to be of a degree that entails:
- the destruction,
- loss,
- alteration,
- unauthorised disclosure of, or
- access to personal data.
It is considered a breach if any of the above occurs, which does not exclude the possibility that several of these events may occur at the same time. This does not only include willful misconduct but also breaches occurring due to negligence. Thus, a personal data breach occurs as a result of accidental or unlawful actions.
Examples of personal data breaches include the following:
- illegal transfer of personal data on documents, portable devices, data carriers or IT systems (e.g. mail system);
- unauthorised access to IT systems or applications that process personal data;
- damage to or loss of a part or whole of a database containing personal data;
- a part or whole of the IT system becoming unusable due to a virus or other malicious software, etc.
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, pecuniary or non-pecuniary damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
In the event of a possible personal data breach (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons), the data controller shall immediately notify the National Authority for Data Protection and Freedom of Information. As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information must be provided in phases without undue further delay.
For the notification of personal data breaches, the National Authority for Data Protection and Freedom of Information operates a system on its website dedicated to this purpose, through which notifications can be made electronically.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. The controller shall record all data related to the breaches, including their reasons, the events and the scope of personal data concerned. In addition, the record must contain the effects and consequences of the breaches, as well as the remedial actions taken and also the data controller’s conclusions (for example: why does he think that the breach is not subject to the notification obligation, or if the notification is made with a delay, what was the reason for the delay).
A breach should not be notified to the supervisory authority if it is unlikely to result in a risk to the rights and freedoms of natural persons.
If the personal data breach is likely to result in a high risk to the rights and freedoms of the data controller’s partners, customers or clients, he shall immediately communicate this fact to the partner concerned. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the most important information and measures.
The communication to the data subject referred to above shall not be required if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
- Information on relevant legislation:
- Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information (Privacy Act);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
- Act V of 2013 on the Civil Code (Civil Code);
- Act CXLVII of 2012 on the Itemized Lump-Sum Tax of Small Taxpayers and the Small Enterprise Tax.
- Right to initiate court action:
In the event of the infringement of his or her rights, the data subject may go to court against the controller. The court will hear the case promptly.
- Data protection authority procedure:
Complaints may be lodged with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mail address: 1530 Budapest, Pf.: 5.
Phone no.: 0613911400
Fax no.: 0613911410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
- Miscellaneous
The data controller shall provide information on any processing activity not listed in this notice at the time of recording the data. In such cases, the provisions of applicable legislation shall prevail.
The controller hereby informs his clients that the court, the prosecutor, the investigating authority, the minor offence authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, the Central Bank of Hungary, and/or other bodies authorised by law may request the controller to provide them with information, to disclose or transfer data or to make documents available to them. The controller shall disclose personal data to the authorities – if the authority has indicated the exact purpose and the scope of data – only to the extent that is essential for achieving the purpose of the inquiry.
The website of the Data Protection Authority contains further information on the data protection rights referred to in this Privacy Notice.
Pócsmegyer, ………………………………… 2020
László Marcell
sole proprietor
ANNEX NO. 1
| No. | Description of personal data processing | The purpose of the processing | Legal basis for data processing | Time limit for deleting the personal data |
|---|---|---|---|---|
| 1. | Personal data provided when making a purchase on the website (name, address, email address, telephone number). | For the purpose of performing the contract, communication. | Performance of contractual obligations (Article 6, section 1 (b) of the General Data Protection Regulation), then compliance with the statutory retention obligation (Article 6, section 1 (c) of the General Data Protection Regulation). | After the expiry of the statutory retention obligation (5 years), within 30 days. |
| 2. | Personal data included on the invoice issued for customers (in the case of private individuals and sole proprietors). | Performance of a legal obligation, issue of invoice. | Performance of a legal obligation (Article 6, section 1 (c) of the General Data Protection Regulation). | After the expiry of the statutory retention obligation (5 years), within 30 days. |
| 3. | Processing related to incoming emails (with senders’ email address) and telephone numbers. | For the purpose of performing contractual obligations or based on consent. | Performance of his contractual obligations (Article 6, section 1 (b) of the General Data Protection Regulation) or the data subject’s consent (Article 6, section 1 (a) of the General Data Protection Regulation). | Within 10 business days after performing the task, or immediately after the withdrawal of the consent, but within 3 business days at the latest. |
| 4. | Personal data of suppliers, service providers and subcontractors (in the case of private individuals or sole proprietors). | For the purpose of performing contractual obligations. | Performance of contractual obligations (Article 6, section 1 (b) of the General Data Protection Regulation). | After the expiry of the statutory retention obligation (5 years), within 30 days. |
| 5. | Personal data of the contact persons of supplier companies, service providers and subcontractors. | For the purpose of performing contractual obligations. | Based on the data subject’s consent (Article 6, section 1 (a) of the General Data Protection Regulation). | If the consent is withdrawn, immediately. Within 10 business days after the termination of the contract, except if the law prescribes a retention obligation regarding the contract (within 30 days after the expiry of such obligation). |
| 6. | Personal data recorded during the data collection of cookies managed by the website. | Improving user experience, statistical purpose, developing the website. | Based on the data subject’s consent (Article 6, section 1 (a) of the General Data Protection Regulation). | Immediately after the withdrawal of the consent, but within 3 business days at the latest. |
| 7. | Personal data provided while using the contact form on the website (email address). | For communication purposes. | For the purpose of entering into a contract (Article 6, section 1 (b) of the General Data Protection Regulation). | Following communication, immediately but within 3 business days at the latest, unless a contractual relationship is established. |
| 8. | Personal data provided while subscribing to the newsletter. | For the purpose of sending newsletters. | The data subject’s consent (Article 6, section 1 (a) of the General Data Protection Regulation). | Immediately after the withdrawal of the consent, but within 3 business days at the latest. |
| 9. | Personal data provided while publishing reviews on the website (name). | For reference and promotional purposes. | The data subject’s consent (Article 6, section 1 (a) of the General Data Protection Regulation). | After the consent is withdrawn, immediately. |
| 10. | Personal data that come to the data controller’s knowledge during the use of the social networking sites. | For the purpose of promoting the activity and the products. | The data subject’s consent (Article 6, section 1 (a) of the General Data Protection Regulation). | After the consent is withdrawn, immediately. |
| 11. | Personal data that become known during complaint handling. | For the purpose of identifying and handling the complaint. | Performance of a legal obligation (Article 6, section 1 (c) of the General Data Protection Regulation). | After the expiry of the statutory retention obligation (5 years), within 30 days. |
