GDPR – Data Protection Policy

DATA MANAGEMENT AND PRIVACY POLICY

AGB Produkciós Iroda Ltd., the owner of SUP Bázis, as the data controller specified below, issues this Data Management and Privacy Policy in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and the Council, hereinafter: GDPR) to inform data subjects in advance and facilitate the exercise of their rights concerning the processing of personal data of users of the website www.supbazis.hu.

DATA CONTROLLER

The data controller operating the website www.supbazis.hu (hereinafter: Website):

Company Name: AGB Produkciós Iroda Ltd.

Registered Address: 3388 Poroszló, Napsugár út 16, Hungary

Company Registration Number: 10 09 040969

Court of Registration: Egri Törvényszék (Eger Court of Justice)

Tax Number: HU14519202

Phone Number: +36 30 420 5199

Email Address: supbazis@gmail.com

Website: www.supbazis.hu

Representative: Ildikó Kocsis, Business Manager (hereinafter: Data Controller)

PRINCIPLES OF DATA PROCESSING

The Data Controller processes personal data lawfully, fairly, and transparently for the data subject. Personal data is collected only for specified, explicit, and legitimate purposes and is processed in a manner compatible with these purposes. The Data Controller ensures that the processed data is appropriate, relevant, accurate, and up-to-date. Furthermore, the Data Controller guarantees the enforcement of data subjects’ rights and takes necessary measures to ensure lawful data processing at all stages while maintaining the integrity and confidentiality of personal data.

DATA PROCESSING ACTIVITIES

1. Data Processing on the Website

Personal data is collected and processed on the Website only for the performance of a contract (including necessary steps prior to contract formation) or based on the data subject’s consent, as detailed below.

1.1 Processing Data for Order Fulfillment

When a visitor (customer) places an order for products available on the Website, they follow the steps defined in the Terms and Conditions. The customer selects the desired product, which is then placed in their shopping cart. To fulfill the order, the following personal data is collected:

Processed personal data: Name, phone number, email address, home address

Legal basis for processing: Performance of a contract

Retention period: If a contract is formed between the data subject and the Data Controller, personal data will be retained for five years from contract termination, unless a longer warranty or liability period is required by law. Any data unrelated to claims enforcement will be deleted once the processing purpose ceases or upon the data subject’s request.

1.2 Processing Data for Incomplete Orders

If a visitor adds one or more products to their shopping cart but leaves the Website without completing the purchase, the Data Controller will send two reminder emails to the provided email address (at the 2nd and 24th hour after abandonment) to clarify whether the interruption was intentional.

Processed personal data: Email address

Legal basis for processing: Performance of a contract

Retention period: If an order is completed following the reminder emails, data will be retained for five years from contract termination, unless otherwise required by law. If no contract is formed, data will be deleted after processing purposes cease or upon request.

1.3 Newsletter Subscription

Visitors can subscribe to the Data Controller’s newsletters by providing their email addresses. Consent can be withdrawn at any time, and each newsletter contains an unsubscribe link.

Processed personal data: Email address

Legal basis for processing: Consent of the data subject

Retention period: Until consent is withdrawn

2. Data Transfers

Personal data provided through the Website is only transferred to the data processors named in this policy. Beyond this, personal data may only be shared with third parties (e.g., authorities) if required by mandatory EU or Hungarian legal regulations, and in such cases, it will be done in accordance with the specific legal provisions.

3. Use of Cookies

The Website uses cookies, which are small data files temporarily stored on the visitor’s device. Cookies serve multiple purposes, including essential operation (“process cookies”), analytics and statistical tracking (“usage cookies”), and advertisement-related personalization.

4. Logging

The Website does not log user activities.

5. Accounting

Legal basis for processing: Compliance with legal obligations related to bookkeeping and taxation

Processed personal data: Name, home address

Retention period: In accordance with accounting laws, currently eight years from the end of the financial year in which the invoice was issued.

6. Invoice Issuance

Legal basis for processing: Compliance with legal obligations related to accounting and taxation

Processed personal data: Name, home address

Retention period: In accordance with accounting laws, currently eight years from the end of the financial year in which the invoice was issued.

DATA PROCESSORS

To ensure the proper operation of the Website and high-quality service for orders placed through the Website, the Data Controller engages the following data processors. These entities process data according to GDPR requirements and under contractual agreements with the Data Controller.

1. Website Development and Hosting

Company Name: AURUM PROTECTOR Kft.

Registered Address: 1119 Budapest, Andor utca 21, C building, Hungary

Data Processing Activities: Receiving and managing orders, collecting and storing necessary order information, forwarding data to accounting and invoicing systems, sending confirmation emails, and handling email lists for newsletters.

2. Accounting

Company Name: Cég-Center Country Kft.

Registered Address: 3390 Füzesabony, Herbária utca 11, Hungary

Company Registration Number: 10-09-038299

Data Processing Activities: Bookkeeping and accounting tasks as required by tax and financial regulations.

3. Invoice Issuance

Company Name: KBOSS.hu Kft.

Registered Address: 1031 Budapest, Záhony utca 7, Hungary

Company Registration Number: 01-09-303201

Data Processing Activities: Issuing invoices in compliance with tax and accounting regulations.

4. Newsletter Services

Company Name: Aut O’Mattic A8C Ireland Ltd. (MailPoet Plugin in WordPress)

Registered Address: Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland

Data Processing Activities: Managing email addresses of users subscribed to newsletters.

5. Product Support

Company Name: Google Ireland Limited

Registered Address: Gordon House, Barrow Street, Dublin 4, Ireland

Company Name: Facebook Ireland Limited

Registered Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Data Processing Activities: Using cookies to track browsing and purchase behaviors for product recommendations and purchase assistance.

6. Parcel Delivery

Company Name: GLS General Logistics Systems Hungary Ltd.
Registered Office: 2351 Alsónémedi, GLS Europa Street 2.
Company Registration Number: 13 09 111755

Company Name: TNT Express Hungary Ltd.
Registered Office: 1097 Budapest, Ecseri Road 14-16.
Company Registration Number: 01-09-068137

Data Processing Activities: Processing users’ names, addresses, phone numbers, and email addresses for the purpose of delivery.

DATA SECURITY

The Data Controller ensures the security of data by taking the necessary technical and organizational measures and establishing the procedures to ensure compliance with data security requirements.

The Data Controller keeps the data in accordance with the applicable legislation, ensuring that only those employees and other individuals acting on behalf of the Data Controller, who need to know the data to fulfill their duties, are allowed to access it. All individuals acting on behalf of the Data Controller are only authorized to access the data necessary to perform their job functions. These individuals are obliged to treat the data confidentially.

When determining and applying measures for data security, the Data Controller considers the current level of technological development. The Data Controller selects the data processing solution that provides a higher level of protection for personal data, unless this would result in disproportionate difficulty.

Copyrights:

The content of the website (texts, images, animations, videos) is the property of AGB Produkciós Iroda Ltd. and is protected by copyright. No part of the website’s content may be used without the consent of the owner.

Protection of IT Records

The Data Controller, in relation to IT security tasks, ensures, in particular:

  • Measures to protect against unauthorized access, including the protection of software and hardware tools, and physical security (access control, network security).
  • Measures to ensure the recovery of data records, including regular backups and separate, secure handling of copies (mirroring, backup).
  • Protection of data records from viruses (virus protection).
  • Physical protection of data records and devices that store them, including protection from fire, water damage, lightning strikes, and other natural disasters, and the recoverability of damages resulting from such events (archiving, fire protection).

Protection of Paper-based Records

The Data Controller takes the necessary measures for the protection of paper-based records, especially regarding physical security and fire protection. Employees and others acting on behalf of the Data Controller are obliged to securely store any data carriers containing personal data, regardless of how the data is recorded, and protect them from unauthorized access, alteration, transmission, disclosure, deletion, destruction, as well as from accidental destruction or damage.

INFORMATION ABOUT THE RIGHTS OF DATA SUBJECTS AND EXERCISING THEIR RIGHTS

1. Rights of Data Subjects

1.1 Right to Information and Access to Personal Data

The data subject has the right to receive information from the Data Controller regarding the processing of their personal data, including, in particular, the purposes of data processing, the categories of data, possible recipients, the retention period, and, if the personal data was not collected from the data subject, the source of the data.

1.2 Right to Rectification

The data subject has the right to request the correction of inaccurate data without undue delay.

1.3 Right to Erasure (Right to be Forgotten)

The data subject has the right to withdraw their consent to data processing at any time and request the erasure of their personal data. The Data Controller is obliged to erase personal data without undue delay if:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • The data subject withdraws their consent, and there is no other legal basis for the processing.
  • The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.
  • The personal data has been processed unlawfully.
  • The personal data must be erased to comply with a legal obligation under EU or Member State law.
  • The personal data was collected in connection with offering information society services directly to children.

The erasure may be denied if:

  • The data is needed for the exercise of freedom of expression and information; or
  • The processing is authorized by law; or
  • It is necessary for the establishment, exercise, or defense of legal claims.

The data subject will be informed in all cases of the refusal of the erasure request, with reasons given. Once personal data has been erased, it cannot be restored.

1.4 Right to Restriction of Processing

The data subject can request the restriction of processing if:

  • The accuracy of the data is contested.
  • The processing is unlawful, but the data subject objects to the erasure of the data.
  • The processing purpose has been fulfilled, but the data subject requires the personal data for the establishment, exercise, or defense of legal claims.

If processing is restricted, the personal data may only be stored and may not be processed further, except with the data subject’s consent, for legal claims, for the protection of the rights of other individuals, or for reasons of important public interest.

1.5 Right to Data Portability

The data subject has the right to receive personal data that is processed based on consent or a contract in a structured, commonly used, and machine-readable format, and/or to transfer it to another data controller, where technically feasible.

1.6 Right to Object

If data processing is based on legitimate interest or for the performance of a task carried out in the public interest or in the exercise of official authority, the data subject can object at any time, on grounds relating to their particular situation, to the processing of their personal data. In this case, the Data Controller may no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing, overriding the interests, rights, and freedoms of the data subject, or the processing is for the establishment, exercise, or defense of legal claims.

If personal data is being processed for direct marketing purposes, the data subject has the right to object to such processing at any time.

2. Exercising the Data Subject’s Rights

2.1 The data subject can contact the Data Controller’s staff at the email address supbazis@gmail.com or send a letter to the Data Controller’s postal address at 1031 Budapest, Nánási Street 2, with any requests, questions, or comments regarding the personal data processing.

2.2 The Data Controller will facilitate the exercise of the data subject’s rights and will respond to the request within one month of receiving it. If necessary, considering the complexity and number of requests, this period may be extended by an additional two months. The data subject will be notified about the extension within one month of receiving the request.

2.3 If the Data Controller does not take action on the data subject’s request, they will notify the data subject about the reasons for not acting on the request, and the data subject has the right to lodge a complaint with a supervisory authority or seek judicial remedy.

2.4 If the request is unreasonable or excessive, the Data Controller may charge a reasonable fee or refuse to act upon the request.

2.5 The data subject can directly contact the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet Avenue 22/c, phone: +36-1-391-1400, email: ugyfelszolgalat@naih.hu, website: www.naih.hu) or seek legal remedies in court. The court proceedings fall under the jurisdiction of the regional court.

Poroszló, October 2, 2024.