ELAS Ltd. privacy and data management policy
Purpose of the Rules
The purpose of this Policy is to set out the procedures applied by ELAS Ltd ("the Company") data protection and data management principles and the Company's data protection and data management policy , which the Company recognises as binding upon itself.
Act on the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg Convention of 28 January 1981 and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising and the recommendations of the ONLINE PRIVACY ALLIANCE.
The purpose of this Policy is to ensure that in all areas of the services provided by the Company, all individuals, regardless of their nationality or place of residence, are guaranteed that their rights and fundamental freedoms, in particular their right to privacy, are respected when their personal data are processed by automated means (data protection).
The data protection and data management registration numbers of ELAS Ltd:
Definitions of terms
Personal data: data that can be associated with a particular natural person (hereinafter referred to as 'the data subject'), in particular the name, the identification mark of the data subject and the knowledge of one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, in order to draw conclusions about the data subject. The personal data shall retain this quality during the processing for as long as the link with the data subject can be re-established;
Data file: the set of data managed in one register;
Data management: whatever the procedure used, any operation or set of operations which is performed upon the data, in particular the collection, recording, recording, organisation, storage, alteration, use, consultation, disclosure, transmission, alignment or combination, blocking, erasure and destruction of personal data and the prevention of their further use;
Data Controller: ELAS Kft. (registered office H-1162 Budapest, Diófa utca 130.);
Data processing: the performance of technical tasks related to processing operations, irrespective of the method and means used to carry out the operations and the place of application, provided that the technical task is performed on the data;
Data destruction: the complete physical destruction of the medium containing the data;
Data transmission: making the Personal Data available to a specified third party;
Disclosure: making the Personal Data available to anyone;
Data processor: the natural or legal person or unincorporated body which processes personal data on behalf of the controller;
Data deletion: rendering the data unrecognisable in such a way that it cannot be recovered;
Automated data file: a set of data to be processed automatically;
Machine processing: includes the following operations, if they are carried out in whole or in part by automated means: storage of data, logical or arithmetical operations on data, alteration, deletion, retrieval and dissemination of data;
User: a natural person who registers on any of the Company's websites.
Scope of personal data processed
- The following data may be provided at the User's choice: e-mail address, telephone number, name, place of residence/residence.
- Data technically recorded during the operation of the system: the data of the User's computer logging in, which are generated during the use of the service and which are recorded by the Data Controller's system as an automatic result of technical processes. The automatically recorded data are automatically logged by the system on logging in or logging out, without any specific declaration or action by the User. These data may not be linked to other Personal Data of the User, except in cases required by law. The Data may only be accessed by the Data Controller.
Legal basis, purpose and method of processing
- Data processing is carried out on the basis of the voluntary, duly informed declaration of the Users of the Internet content on the ELAS Ltd. website, which contains the express consent of the Users to the use of their Personal Data provided during the use of the website. The legal basis for the processing of the data is the voluntary consent of the data subject pursuant to Article 5(1)(a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information.
- The purpose of the data processing is to ensure the provision of the services available under the given URL on the ELAS Kft. website. The scope of the Personal Data to be provided for the use of these services is set out in the description of the relevant services.
- The purpose of the data automatically collected (see section 3.2) is to ensure the provision of services available through the Company's websites, the display of personalized content and advertisements, the production of statistics, the technical development of the IT system and the protection of users' rights. The Data Controller may use the data made available by the Users when using the service to form user groups and to display targeted content and/or advertisements on the Company's websites to the user groups.
- The Controller shall not use the Personal Data provided for purposes other than those described in these points. The disclosure of Personal Data to third parties or public authorities, unless otherwise required by law, shall only be possible with the prior express consent of the User.
- The Data Controller does not verify the Personal Data provided to it. The person providing the data is solely responsible for the correctness of the data provided. By providing an e-mail address, each User also assumes responsibility for ensuring that only he or she uses the e-mail address provided. In view of this responsibility, any liability for accessing the service from a given e-mail address rests solely with the user who registered the e-mail address.
Principles of data management
- Personal Data must be obtained and processed fairly and lawfully.
- Personal Data must be stored only for specified and legitimate purposes and must not be used for any other purpose.
- Personal Data must be proportionate to, and compatible with, the purpose for which it is stored and not excessive in relation to that purpose.
- The method of storage of Personal Data must be such as to permit identification of the User concerned only for the time necessary for the purpose for which it is stored.
- Adequate security measures must be taken to protect Personal Data stored in automated data files against accidental or unlawful destruction or accidental loss, and against unlawful access, alteration or disclosure.
Data protection principles applied by the company
- The Company uses the Personal Data necessary for the use of ELAS Ltd. services on the basis of the consent of the data subjects and only for the purposes for which they are collected.
- The Company, as the Data Controller, undertakes to process the Personal Data in its possession in accordance with the provisions of the Infotv. and the data protection principles set out in this Policy and not to transfer them to third parties. Exceptions to the provisions of this clause with regard to the transfer of data are the use of data in a statistically aggregated form, which may not contain the name of the user concerned or any other identifiable data in any form, and further exceptions are the cases of data transfer provided for in clause 10.3 of this Policy.
- In certain cases, the Company may make available to third parties the accessible data of the User concerned in response to a formal judicial or police request, legal proceedings for copyright, property or other infringements or reasonable suspicion of such infringements, or in case of prejudice to the interests of the Company, or in case of threat to the provision of its services, etc.
- ELAS Ltd's system may collect data about the activity of Users, which cannot be linked to the Personal Data provided by Users at the time of registration, nor to data generated by the use of other websites or services.
- The Company undertakes to publish a clear, prominent and unambiguous notice informing Users of the manner, purpose and principles of the collection, recording and processing of any of their Personal Data. In addition, in all cases where the collection, processing or recording of data is not required by law, the Company will draw the User's attention to the voluntary nature of the provision of the data. In the case of mandatory provision of data, the legal provision imposing the processing shall also be indicated. The data subject shall be informed of the purposes of the processing and of the persons who will process the Personal Data. The information on the processing shall also be provided where the law provides for the inclusion of data by transfer or linking from existing processing.
- In all cases where the Company intends to use the Personal Data provided for purposes other than those for which they were originally collected, the Company shall inform the User and obtain his/her prior explicit consent or provide him/her with the opportunity to prohibit such use.
- ELAS Ltd. as the Data Controller shall in any case comply with the restrictions laid down by law in the collection, recording and processing of data, and shall inform the data subject of its activities by electronic mail as requested. The Company undertakes not to impose any sanctions on any User who refuses to provide the optional data.
- ELAS Ltd. undertakes to ensure the security of Personal Data, to take technical and organisational measures and to establish procedures to ensure that Personal Data collected, stored and processed are protected and to prevent their destruction, unauthorised use and unauthorised alteration. It also undertakes to require any third parties to whom it may transfer or disclose Personal Data to comply with its obligations in this regard.
- If the Personal Data is not accurate and the accurate Personal Data is available to the Controller, the Controller shall correct the Personal Data.
- The Company as Data Controller shall delete Personal Data if (i) its processing is unlawful; (ii) the User requests the deletion of the Personal Data; (iii) the Personal Data is incomplete or inaccurate and this situation cannot be lawfully remedied, provided that deletion is not excluded by law; (iv) the purpose of the processing has ceased or the statutory period for storing the Personal Data has expired; (v) the deletion of the Personal Data has been ordered by a court or public authority.
- Instead of deletion, the Controller shall block the Personal Data if the data subject so requests or if, on the basis of the information available to him or her, it is likely that deletion would harm the data subject's legitimate interests. The Personal Data thus blocked may be processed only for as long as the processing purpose which precluded the erasure of the Personal Data persists.
- The rectification, blocking, flagging and erasure must be notified to the data subject and to all those to whom the Personal Data was previously disclosed for the purposes of the processing. The notification may be omitted by the Controller if this does not harm the legitimate interests of the User having regard to the purposes of the processing.
- If the Company, as the Data Controller, does not comply with the data subject's request for rectification, blocking or erasure, it shall inform the User in writing within 30 days of receipt of the request of the factual and legal grounds for refusing the request for rectification, blocking or erasure, and that the User may appeal against the decision of the Data Controller to the court or the National Authority for Data Protection and Freedom of Information.
Duration of processing
- The processing of the Personal Data provided by the User will be maintained until the User unsubscribes from the service with the given username. The date of deletion is 10 working days from the date of receipt of the User's unsubscription (request for deletion). In the event of unlawful or fraudulent use of Personal Data or in the event of a criminal offence or system attack committed by the User, the Data Controller is entitled to delete the data immediately upon termination of the User's registration, but in the event of suspicion of criminal offence or civil liability, the Data Controller is also entitled to retain the Personal Data for the duration of the proceedings to be conducted.
- The Personal Data provided by the User, even if the User does not unsubscribe from the service, may be processed by the Company as Data Controller until the User explicitly requests in writing that the processing of such data be terminated. The User's right to request the termination of the processing without unsubscribing from the service does not affect his/her right to request the service, however, he/she may not be able to use certain services (e.g. auction, ranking) without Personal Data. Personal Data will be deleted within 10 working days of receipt of the request.
- Data which are automatically, technically recorded during the operation of the system are stored in the system for a period of time from the moment they are generated that is reasonable to ensure the operation of the system. The Company shall ensure that such automatically recorded data cannot be linked to other Personal Data of the User, except in cases required by law. If the User has withdrawn his/her consent to the processing of his/her Personal Data or has unsubscribed from the service, his/her identity will no longer be identifiable from the technical data.
Processing of personal data
- A change in Personal Data or a request for the deletion of Personal Data may be communicated by means of an express written statement sent by letter through the internal mail system of the service. The sending of newsletters can be cancelled by changing the settings of the user interface on the site.
- Some Personal Data may also be changed by editing the page containing the personal profile.
- Once a request for deletion or modification of personal data has been fulfilled, the previous (deleted) data can no longer be restored.
- The Company may use a data processor to ensure the continuous and proper functioning of the website, to fulfil orders and to perform other activities closely related to the provision of webshop services.
- Name of the data processors used by the company:
|Magyar Posta Zrt||1138 Budapest, Dunavirág utca 2-6.||Parcel delivery|
|TNT Express Hungary Kft.||1185 Budapest, II. Logistics Centre||Parcel delivery|
Possibility of data transfer
- The Company, as Data Controller, is entitled and obliged to transfer to the competent authorities any Personal Data at its disposal and stored by it in accordance with the law, which it is obliged to transfer by law or by a final and binding obligation of a public authority. The Controller shall not be held liable for such transfers and the consequences thereof.
- If the Company transfers the operation or use of the content service on elas.hu, in whole or in part, to a third party, it may transfer the Personal Data it processes to such third party for further processing without requesting separate consent. This transfer of Data may only serve to ensure the continuity of the registration of Users already registered, but may not place the User in a more disadvantageous position than the data management and data security rules indicated in the current version of these Data Management Regulations.
- Certain personal data of Users may be transferred, for specific purposes and with the express and unambiguous consent of the User, as follows:
- the Company will collect the names, telephone numbers, country and email addresses of Users for the purposes of providing customer service assistance, confirming transactions and fraud monitoring to protect Users. The personal data thus transmitted will be processed in accordance with the company's own privacy and data management policies.
- The Company will only transmit the personal and order data of the Users recorded during registration for the delivery of the ordered parcels to the parcel delivery companies, which will process them in accordance with their own data protection and data management policies..
- The Company shall keep a transfer register for the purpose of monitoring the lawfulness of the transfer and informing the data subject, which shall include the date of transfer of the Personal Data processed by the Company, the legal basis and the recipient of the transfer, the scope of the Personal Data transferred and other data specified in the legislation providing for the processing.
Rights of users in relation to their personal data processed by the controller
- Users may request information about the processing of their personal data from the Company as the Data Controller at any time in writing, by registered or certified mail sent to the address of the Data Controller (H-1162 Budapest, Diófa utca 130.) or by e-mail sent to firstname.lastname@example.org. Requests for information sent by e-mail shall be considered as authentic by the Data Controller only if they are sent from the registered e-mail address of the User. The request for information may cover the User's data processed by the Controller, their source, the purpose, legal basis and duration of the processing, the names and addresses of any data processors, the activities related to the processing and, in the case of transfer of Personal Data, who has received or is receiving the User's data and for what purpose.
- The Data Controller is obliged to provide written information in response to a question regarding the processing of the data within the shortest possible period of time from receipt, but not later than 30 days. In the case of e-mail, the date of receipt shall be deemed to be the first working day following the date of sending.
- The rectification, blocking or deletion of the processed Personal Data shall be notified to the User concerned, as well as to all those to whom the data was previously transmitted for the purpose of processing. The notification may be omitted if this does not harm the legitimate interests of the data subject in relation to the purposes of the processing.
- The User may object to the processing of his/her Personal Data,
- Where the processing or transfer of Personal Data is necessary solely for compliance with a legal obligation to which the Controller is subject or for the purposes of the legitimate interests pursued by the Controller, the recipient of the Personal Data or a third party;
- If the Personal Data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
- in other cases provided for by law.
The Company, as the Data Controller, shall examine the objection within the shortest possible time from the date of its receipt, but not later than 15 days, shall decide on its validity and shall inform the User in writing of its decision.
If the Company determines that the data subject's objection is justified, it shall terminate the processing, including further Data Collection and Transfers, and block the Personal Data, and notify the objection and the action taken on the basis of the objection to all those to whom the Personal Data affected by the objection was previously disclosed and who are obliged to take measures to enforce the right to object. If the User does not agree with the decision of the Controller or if the Controller fails to comply with the time limit referred to in this point, the User may take legal action within 30 days of the notification of the decision or the last day of the time limit.
- The User's enforcement possibilities are governed by the Infotv. and the 2013. évi V. tv. (Ptk.), and may also seek the assistance of the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/C; postal address: 1530 Budapest, Pf. 5.).