Privacy

Privacy notice

The purpose of the data management information

The purpose of this data management information sheet is for DRA-CONS Kft., as a data controller (hereinafter referred to as "Data Controller") to describe the data protection rules, procedures and protection measures applied and operating in the Data Controller's organization for data considered personal data.

In this document, the Data Controller also informs its customers, partners, as well as all natural and legal persons who have any - legally interpretable - relationship with the Data Controller and who are affected during its personal handling, about the rules for handling the personal data handled by it, and about the applied protection measures procedures and the method of data management.

The Data Controller considers the rules, provisions and obligations described in this Data Management Information Sheet to be legally binding on itself and applies them during its operation, and declares that the data protection rules and procedures described and applied in this document comply with the applicable national and European Union data protection legislation. The data controller also declares that it considers the right to informational self-determination important, especially with regard to personal data, and will take all available organizational, operational, regulatory and technological measures within its scope in order to observe and enforce these rights.

This data management information sheet governs the data management of the following pages: www.greenx.hu The version of the Data Management Information Sheet that is in effect at all times is available on the website's access pages. The Data Controller may change the Data Management Information at any time, in addition to the obligation to publish and inform the Data Subjects. Amendments to the prospectus will take effect upon publication at the above address.

Data of the Data Controller

Company details and contact details of the Data Controller:

Name: DRA-CONS Kft. Headquarters: 1171 Budapest, Laffert utca 3. Company registration number: 01 09 338051
Name of the registering court: Tax number: 22763073242 Central telephone number: 06 70 791 7426 Central e-mail: info@greenx.hu

The Data Controller keeps the data protection requests (e-mail) received in the section "Usage and retention period of managed data" for the specified period of time applicable to this data management. After this, they are irrevocably deleted.

Data Protection Officer of the Data Controller

Name: DRA-CONS Kft. E-mail address: info@greenx.hu

Concept definitions

"personal data": any information relating to an identified or identifiable natural person ("Data Subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;

"data management": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, limiting, deleting or destroying;

"data controller": the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;

"data processor": the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;

"recipient": the natural or legal person, public authority, agency or any other body to whom or to which the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the management of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of data management;

"third party": the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who, under the direct control of the data controller or data processor, are authorized to process personal data they got;

"consent of the data subject": the voluntary, specific and well-informed and clear declaration of the will of the data subject, by which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to the processing of personal data concerning him;

"profiling": any form of automated processing of personal data in which personal data is used to evaluate certain personal characteristics of a natural person, in particular work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement used to analyze or predict related characteristics;

"pseudonymisation": the processing of personal data in such a way that, without the use of additional information, it is no longer possible to determine which specific natural person the personal data refers to, provided that such additional information is stored separately and is ensured by technical and organizational measures that this personal data cannot be linked to identified or identifiable natural persons;

"registry system": the file of personal data in any way – centralized, decentralized or divided according to functional or geographical aspects – which is accessible based on specific criteria;

"data protection incident": a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled;

Principles for handling personal data

Personal data:

1. its handling must be carried out legally and fairly, as well as in a transparent manner for the data subject ("legality, fair procedure and transparency");
2. be collected only for specific, clear and legitimate purposes, and they should not be handled in a way that is incompatible with these purposes; Article 9 - Guarantees and deviations regarding data management for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes"> in accordance with Article 89 (1) is not considered incompatible with the original purpose for the purpose of archiving in the public interest, scientific and historical further data processing for research or statistical purposes ("target binding");
3. they must be appropriate and relevant for the purposes of data management and must be limited to what is necessary ("data economy");
4. they must be accurate and, where necessary, up-to-date; all reasonable measures must be taken to promptly delete or correct personal data that is inaccurate for the purposes of data processing ("accuracy");
5. its storage must take place in a form that allows the identification of the data subjects only for the time necessary to achieve the goals of personal data management; personal data may be stored for a longer period only if the personal data will be processed in accordance with Article 89 (1) of the EU General Data Protection Regulation for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, in this regulation taking into account the implementation of the appropriate technical and organizational measures required to protect the rights and freedoms of the data subjects ("restricted storage");
6. must be handled in such a way that adequate security of personal data is ensured through the application of appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage of data ("integrity and confidentiality").

The data controller is responsible for compliance with paragraph (1) and must be able to demonstrate this compliance ("accountability").

Data controller's data management and the managed personal data

Data requested and/or recorded during registration and purchase:

• Password: mandatory data, required for secure access to user accounts.
• Name: mandatory data, data required for maintaining contact, fulfilling orders and issuing regular invoices.
• Company name: data to be provided in the case of orders by companies, necessary for maintaining contact, fulfilling orders and issuing regular invoices.
• E-mail address: mandatory data, data required for user identification, contact, and order fulfillment. The e-mail address is not required to contain personal data.
• Telephone number: mandatory data, necessary for maintaining contact and fulfilling orders.
• Invoicing name and address: mandatory data, data necessary for maintaining contact, fulfilling orders and issuing regular invoices.
• Delivery name and address: data to be entered in the case of home deliveries, required for delivery of the ordered products.
• Date of purchase/registration: recorded data used to perform technical operations.
• The IP address used during purchase/registration: recorded data used to perform technical operations.

The scope of those affected: Persons registered in the webshop and persons purchasing in the webshop.

Duration of data management, deadline for deletion of data: The data will be deleted immediately at the express request of the customer. Based on Article 19 of the GDPR, the data controller informs the data subject electronically of the deletion of any personal data provided by the data subject. If the data subject's deletion request also covers the e-mail address he/she has provided, the data controller will also delete the e-mail address after the information has been provided. Except in the case of accounting documents, as this data must be kept for 8 years based on § 169 (2) of Act C of 2000 on accounting.

Management of data related to newsletters

XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity. Pursuant to § 6 of the Act, the User may expressly and in advance consent to the Service Provider's advertising offers and other mailings being sought at the contact details provided during registration, the user of the web store may, bearing in mind the provisions of this information, consent to the Service Provider handling his/her personal data necessary for the sending of advertising offers.

The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from the sending of offers without limitation or justification, free of charge, which the Service Provider will respect and will not send any more advertising messages to the user's e-mail address. Users can unsubscribe from advertisements by clicking on the unsubscribe link in the e-mail message.

Data recorded in connection with the management of newsletters: e-mail address, name, date and time of subscription, date and time of sending newsletters, date and time of opening newsletters and clicking on links in newsletters.

The legal basis for data management: the Data Subject's opt-in consent.

Retention period of the data managed in data management: the data will be retained until the request for deletion of personal data.

Customer relationship, other relationship-related data management

Customers and other users of the web store can contact the Service Provider via the contact details on the contact page of the web store in case of questions arising in relation to the web store or the Service Provider's services and products offered in the web store. The exchange of messages can take place in person, by telephone, by e-mail, or via the contact form of the online store, or through other contacts of the Service Provider, such as Facebook. During the contact, the data protection guidelines set out in this document also apply to the personal data provided by the Data Subject for the Service Provider, the service provider keeps the personal data obtained during the contact for a maximum of two years, after which the data is deleted.



The person of the possible data controllers entitled to access the data, the recipients of the personal data: Personal data can be handled by the data controller's sales, marketing and order fulfillment employees in compliance with the above principles.

Description of the rights of data subjects in relation to data processing: The data subject may request from the data controller access to personal data relating to him, their correction, deletion or limitation of processing, and he may object to the processing of such personal data, and the data subject has the right to data portability, as well as consent at any time for withdrawal.

Access to personal data, their deletion, modification or limitation of processing, portability of data, objection to data processing can be initiated by the data subject in the following ways: by post to the following address: 1171. Budapest, Laffert utca 3. by e-mail to the following via e-mail: info@greenx.hutelephone : 06 20 298 1895

Legal basis for data management:

1. Article 6 (1) point b) of the GDPR,
2. CVIII of 2001 on certain issues of electronic commerce services and services related to the information society. Act (hereinafter: Elker Law) 13/A. Section (3): For the purpose of providing the service, the service provider may process the personal data that is technically absolutely necessary for the provision of the service. If the other conditions are the same, the service provider must choose and in any case operate the tools used in the provision of services related to the information society in such a way that personal data is only processed if this is absolutely necessary for the provision of the service and the fulfillment of other objectives defined in this law necessary, but also in this case only to the extent and for the necessary time.
3. In case of enforcement of claims arising from the contract, Act V of 2013 on the Civil Code 6:21. and § 22, the statute of limitations is five years.
4. In the case of issuing an invoice in accordance with the accounting legislation, the validity period of the receipt is eight years: The accounting receipt directly and indirectly supporting the accounting (including ledger accounts, analytical and detailed records) must be readable for at least 8 years, based on the reference to the accounting records to preserve in a retrievable manner.

Data management is necessary for the fulfillment of the resulting contract during orders made using the online store. In order to fulfill the orders, the customer must provide personal data, without which the orders cannot be fulfilled.

The data processors used

Data processors performing home delivery of products:

Name and contact information of data processors: Data processor 1. name, seat, contact details: GLS General Logistics Systems Hungary Kft. - 2351 Alsónémedi, GLS Európa utca 2. Web address https://gls-group.eu Data processor 2. name, seat, contact details : PICK PACK POINT - SPRINTER Courier Service Limited Liability Company, 1097 Budapest, Táblás utca 39. e-mail: pickpackpont@sprinter.hu



Activity provided by the data processor: Delivery of products, transport

The fact of the data management, the scope of the managed data: Delivery name, delivery address, telephone number, e-mail address.

Scope of stakeholders: All stakeholders requesting home delivery.

Purpose of data management: Delivery of the ordered products to your home.

Duration of data management, deadline for data deletion: It lasts until the home delivery is completed.

Legal basis for data processing: see the paragraph entitled "Legal basis for data processing" above.

Online payment

Name and contact information of data processors: Data processor 1. name, location, contact information: OTP Mobil Szolgáltató Kft. (Headquarters: 1143 Budapest, Hungária krt. 17-19.; Cg. 01-09-174466; tax number: 24386106-2-42)


Activity performed by the data processor: Online payment services

The fact of the data management, the scope of the managed data: Billing name, billing address, e-mail address.

Scope of stakeholders: All stakeholders using online payment options.

Purpose of data management: Online payment processing, transaction confirmation and fraud monitoring for the protection of users. The nature and purpose of the data processing activity carried out by the data processor can be found in the SimplePay Data Management Information Sheet, at the link below:http://simplepay.hu/vasarlo-aff

Duration of data management, deadline for data deletion: Lasts until the online payment is completed.

Legal basis for data processing: see the paragraph entitled "Legal basis for data processing" above, as well as CVIII of 2001 on certain issues of electronic commerce services and services related to the information society. Act 13/A. (3) of §

Data processor 2. name, seat, contact details: Barion Payment Zrt., an institution under the supervision of the Magyar Nemzeti Bank, license number: H-EN-I-1064/2013."Activity provided by the data processor: Online payment services The fact of data management, the scope of the data handled : Invoicing name, billing address, e-mail address. Scope of stakeholders: All stakeholders using online payment options. Purpose of data management: Conducting online payments, confirming transactions and fraud monitoring to protect users. The nature and purpose of the data processing activity carried out by the data processor in the Data Management Information. Duration of data management, deadline for data deletion: Lasts until the online payment is completed. Legal basis for data processing: see the paragraph entitled "Legal basis of data processing" above, as well as CVIII of 2001 on certain issues of electronic commerce services and services related to the information society. Act 13/A. (3) of §



Hosting provider

Name and contact information of the data processor:
Shopmasters-Informatika Kft. Headquarters: 2200 Monor, Ady Endre u. 24. Email: tarhley (at) shopstart.hu Phone: +36 30 414-7763

Activity provided by data processor: Storage service

The fact of the data management, the scope of the managed data: Storage of all personal data provided by the data subject.

Scope of stakeholders: All stakeholders who use the online store.

Purpose of data management: Making the online store available and operating it properly. The data processor does not use the personal data for its own purposes, they are processed in the most necessary cases at the request of the data controller.

Duration of data management, deadline for data deletion: Data management lasts until the termination of the agreement between the data manager and the storage provider, or until the deletion request addressed to the storage provider by the data subject.

Legal basis for data processing: see the paragraph entitled "Legal basis for data processing" above, as well as CVIII of 2001 on certain issues of electronic commerce services and services related to the information society. Act 13/A. (3) of §

Management of cookies

It's the job of cookies

A cookie is a small data package that is created during Internet browsing by the server containing the visited website using the client's web browser, during the first visit, if this is enabled in the browser. Cookies are stored on the user's computer in a predetermined location that varies by browser type. During subsequent visits, the browser returns the stored cookie to the web server, along with various information about the client. With the help of cookies, the server has the possibility to identify the given user, to collect various information about him and to analyze them.

The main functions of cookies:

• collect information about Data Subjects and their devices;
• they note the individual settings of the persons concerned, which are (may) be used, e.g. when using online transactions, so you don't have to type them in again;
• facilitate, simplify, make the use of the given website more convenient and smooth;
• they make it unnecessary to re-enter data that has already been entered;
• they generally improve the user experience.

By using cookies, the Data Controller carries out data management, the main objectives of which are:

• user identification
• identification of each session
• identification of devices used for access
• storage of certain specified data
• storing and transmitting tracking and location information
• storage and transmission of data required for analytical measurements

The legal basis for data management: the use of cookies and session cookies necessary for the technical operation of the webshop, which do not contain personal data, is automatic, in other cases based on the Data Subject's opt-in consent.

The purpose of data management is: operation of the website, making purchases possible, measuring visitor traffic.

Possible consequences of not providing data: without the cookies necessary for the operation of the basic operations of the online store, some functions of the online store cannot be accessed.

Data managed in data management: session ID

The expiration date of the cookies: php session cookies expire 24 minutes after the end of the session, the expiration date of the cookie that does not contain personal data belonging to the list of the last viewed products is 6 months.

Analytical cookies placed by third parties - analytical cookies

The Data Controller also uses third-party cookies from Google Analytics on its website. By using the Google Analytics service for statistical purposes, the Data Controller's server collects information about how visitors use the website. The data is used for the purpose of developing the website and improving the user experience. These cookies also remain on the visitor's computer or other device used for browsing, in their browser, until they expire, or until the visitor deletes them.

The legal basis for data management: the Data Subject's opt-in consent.

The purpose of the data management is to measure the visitor traffic of the online store, to monitor and measure SEO and marketing activities.

Possible consequences of the failure to provide data: the failure to use analytical cookies has no impact on the functioning of the functions of the online store.

The data managed in data management: the IP address of the visitor, the source of the visit, the data of his browser and operating system, the subpages visited by the visitor.

Expiry date of cookies: 2 years.


Option to disable cookies and set cookie-related rules

The Data Subject has the option to set rules for certain types of cookies, e.g. to avoid the use of cookies, to disable cookies, etc., with the appropriate settings of the browser used. Information on the options for setting the selective or general prohibition of cookies can be found in the "Help" menu of the given browser. With the help of these cookies: The "Help" function in the menu bar of most browsers provides information on how to use cookies in the browser:

• generally disable;
• set the way to accept cookies (automatic acceptance, ask for them one by one, etc.);
• disable individually;
• delete individually or in groups;
• perform other cookie-related operations.

The physical storage locations of the data

The data controller stores the personal data in its integrated IT system. The elements of the system are located in the following geographical and physical locations:

- The headquarters of the company of the data controller; - The physical location of the server room of the server provider used by the hosting provider;

The IT storage method and logical security of the data

The data manager and the data processor implement appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management, as well as the variable probability and severity of the risk to the rights and freedoms of natural persons. , to guarantee a level of data security appropriate to the degree of risk. The data controller primarily handles personal data on a properly constructed and protected IT system. During the operation of the IT system, it ensures the appropriate level of the basic information security attributes of the data stored, processed and transmitted on it, such as the managed data:

• its integrity, the originality and immutability of the data are guaranteed;
• about its confidentiality (Confidentiality), only those entitled to it have access to an extent that does not exceed their rights;
• availability, the data is accessible and available to the right holders, during the expected availability period. The necessary IT infrastructure is available ready for operation.

Data controller for the processed data:

• organizational, operational,
• physical security,
• information security

protects it with a structured system of protection measures. The data controller develops and operates the system of protection measures and the protection levels of the individual protection measures in proportion to the risks arising as a result of threats to the data to be protected. From a data protection point of view, the protective measures are primarily aimed at protection against accidental or intentional deletion, unauthorized access, intentional and bad faith disclosure, accidental disclosure, data loss, data destruction.

Rights of Data Subjects

The Data Subject's right of access

The Data Subject has the right to receive feedback from the data controller as to whether his personal data is being processed, and if such data processing is underway, he is entitled to receive access to the personal data and the following information:

• the purposes of data management;
• categories of Personal Data Subject;
• the recipients or categories of recipients to whom or to whom the personal data has been or will be communicated, including in particular recipients in third countries and international organizations;
• the planned period of storage of personal data;
• the Data Subject's right to rectification, deletion or limitation of data processing, as well as to object to data processing;
• the right to file a complaint with the supervisory authority;
• if the data were not collected from the Data Subject, all available information about their source;
• the fact of automated decision-making, including profiling, as well as comprehensible information about the applied logic and the significance of such data management and the expected consequences for the Data Subject.

The Data Controller provides the Data Subject with 1 copy of the personal data that is the subject of data management. For additional copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject submitted the request electronically, the Data Controller will provide the information in a widely used electronic format, unless the Data Subject requests otherwise, within a maximum of 30 days from the date of submission.

Right to rectification

The Data Subject is entitled to request that the Data Controller correct inaccurate personal data relating to him without undue delay, and he is also entitled to request the addition of incomplete personal data, taking into account the purpose of the data management.

Right to erasure

The Data Subject has the right to request that the Data Controller delete the personal data concerning him without undue delay, and the Data Controller is obliged to delete the personal data concerning the Data Subject without undue delay if one of the following reasons exists:

• personal data are no longer needed for the purpose for which they were collected or otherwise processed;
• the Data Subject withdraws his consent, which is the basis of the data management, and there is no other legal basis for the data management;
• the Data Subject objects to data processing and there is no overriding legal reason for data processing;
• personal data has been processed unlawfully;
• the personal data must be deleted in order to fulfill the legal obligation prescribed by EU or member state law applicable to the Data Controller;
• the collection of personal data took place in connection with the offering of services related to the information society.

Data deletion cannot be initiated if data management is necessary:

• for the purpose of exercising the right to freedom of expression and information;
• for the purpose of fulfilling the obligation under the EU or Member State law applicable to the Data Controller requiring the processing of personal data, or for the execution of a task performed in the public interest or in the context of the exercise of a public authority vested in the Data Controller;
• on the basis of public interest in the field of public health;

The right to restrict data processing

At the Data Subject's request, the Data Controller restricts data processing if one of the following conditions is met:

• the Data Subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the Data Controller to check the accuracy of the personal data;
• the data processing is illegal and the Data Subject opposes the deletion of the data and instead requests the restriction of its use;
• The Data Controller no longer needs the personal data for the purpose of data management, but the Data Subject requires them to present, enforce or defend legal claims; obsession
• the Data Subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the Data Controller's legitimate reasons take precedence over the Data Subject's legitimate reasons.

If data management is subject to restrictions, personal data may only be processed with the consent of the Data Subject, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the Union or a member state.

Right to protest

The Data Subject has the right to object to the processing of his personal data at any time for reasons related to his own situation, including profiling based on the aforementioned provisions. In this case, the Data Controller may no longer process the personal data, unless the Data Controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests and rights of the Data Subject, or that are related to the submission, enforcement or defense of legal claims.

Automated decision-making in individual cases, including profiling

The Data Subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have legal effects on him or affect him to a similar extent.

Right of withdrawal

The Data Subject has the right to withdraw his consent regarding his personal data at any time.

Remedies

In the event of a violation of their rights, the Data Subject may request information, remedy, or file a complaint at the contact details of the Data Protection Officer specified in this document. If these are ineffective, the Data Subject is entitled to go to court or contact the National Data Protection and Freedom of Information Authority.

National Data Protection and Freedom of Information Authority (NAIH) contact information

Name: National Data Protection and Freedom of Information Authority (NAIH) Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Mailing address: 1530 Budapest, Pf.: 5. Tel: +36 (1) 391-1400 Fax: +36 (1) 391-1410 E-mail: ugyfelszolgalat@naih.hu Website: http://www.naih. en

Data protection incident

If a data protection incident occurs and it likely involves a high risk for the rights of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay. In the event of a data protection incident, the service provider provides information to those affected during the incident, giving the date of the data protection incident, the scope of the affected data, the consequences following and/or likely from the incident, the measures taken or planned to remedy the data protection incident, and the contact information of the data protection officer for the purpose of providing further information. .

Other provisions

For archival, scientific and historical research or statistical purposes based on public interest; for the presentation, enforcement and defense of legal claims.

When requested by the authorities or authorized by law, the Service Provider is obliged to provide information, communicate and transfer data, and make documents available. 5. In these cases, the Service Provider only releases personal data to the requester - if he has specified the exact purpose and the scope of the data - to the extent and to the extent that is absolutely necessary to achieve the purpose of the request.

We provide information on data management not listed in this information when the data is collected.

Data transfer declaration for OTP SimplePay online bank card payment
I understand that my personal data stored in the user database of https://www.greenx.hu by the data controller of the Greenx online store - DRA-CONS Kft. (1171. Budapest Laffert u. 3.) will be transferred to OTP Mobil Kft., as a data processor. The range of data transmitted by the data controller is as follows: name, e-mail address, telephone number, billing address data and delivery address data.http://simplepay.hu/vasarlo-aff