1. Aim, scope and amendment of the Notice
1.1. The purpose of this Privacy Notice (hereinafter referred to as the “Notice”) is to provide you with information in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the “Regulation”) and Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Freedom of Information Act”) on the processing of personal data provided by you to us in the context of the Ethnographic Museum’s webshop operated on the etnoshop.hu website (hereinafter referred to as the “Webshop”) and your related rights.
1.2. The scope of this Notice is limited to the processing of personal data provided by you on the etnoshop.hu website in the context of the Webshop.
1.3. This Notice and any amendments thereto shall be effective from the date of publication on the etnoshop.hu website.
Personal data: any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law.
Consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify, by a statement or by an act expressing their unambiguous consent, that they give their consent to the processing of personal data concerning them.
Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data subject: any specific natural person identified or identifiable on the basis of personal data.
Customer: the data subject who has provided personal data for the purpose of placing an order through the etnoshop.hu website of the Museum of Ethnography, the Webshop.
3. The Controller and its contact details
3.1. Name of the Controller: Museum of Ethnography
Registered office of the Controller: H-1055 Budapest, Kossuth Lajos tér 12.
Email of the Controller: email@example.com
Controller’s phone number: +36 70 465 4080
3.2. The Controller processes your personal data. You, as the natural person identified in connection with the data processing, are the data subject of the data processing.
4. Legal basis of data processing
4.1. The legal basis for the processing of data by the Controller in the context of the Webshop is on the one hand your consent and on the other hand, the fact that the processing is necessary for the conclusion of a contract in the context of the Webshop and the performance of the contract concluded, and in relation to invoicing, the fact that the processing is necessary for the performance of a legal obligation applicable to the Controller.
4.2. If you give your explicit consent to the processing of your personal data when registering on the etnoshop.hu website, the legal basis for processing based on consent is fulfilled. If you place an order on the etnoshop.hu website, the legal basis connected to the conclusion and performance of the contract is also realised in addition to consent.
5. Data processing related to registration and ordering
5.1. By registering on the website and by ticking the checkbox, you accept the provisions of the Privacy Notice in force from time to time and expressly consent to the processing of your personal data by the Controller in the context of the Webshop. Thus, the legal basis for the processing is Article 6(1)(a) of the Regulation. If you place an order through the Webshop, in that case the processing of your data is subject to an additional legal basis: the processing is necessary for the conclusion of a contract within the framework of the Webshop and the performance of the contract concluded [Article 6(1)(b) of the Regulation].
5.2. The purpose of data processing is to create a user account for the registering person for the purpose of the shopping process on the etnoshop.hu website. Furthermore, the purpose of data processing is to operate the Webshop, to ensure the provision of the services offered by the Webshop, to manage the database related to the operation of the Webshop, to fulfil customer orders, to collect the consideration for the orders. In this scope:
(a) processing customers’ orders and financial transactions;
(b) sending order confirmations to customers;
(c) record any entitlement to benefits available to registered customers;
(d) responding to customer requests, questions and complaints;
(e) managing user accounts.
5.3. The scope of data processed in the context of the Webshop:
(a) last name and first name;
(b) email address;
(c) phone number;
(d) address details (country, city, postcode, street, house number, floor, door).
5.4. The personal data you provide during registration or placing the order will be processed until your consent is withdrawn or your personal account is deleted. The personal data provided by the customer will be processed by the Controller as long as the user’s account is active, unless the customer requests the deletion of their data or withdraws their consent to the processing of their personal data. You can submit your request by sending an email to firstname.lastname@example.org.
6. Data processing in relation to invoicing
6.1. If you perform a financial consideration in connection with an order in the Webshop, the Museum of Ethnography will issue an invoice for the countervalue of the order.
6.2. The data processing is necessary for compliance with a legal obligation to which the Controller is subject [Article 6(1)(c) of the Regulation]. Relevant legislation: Section 159 (obligation to issue invoices), Section 169 (mandatory content of invoices) of Act CXXVII of 2007 on Value Added Tax (VAT Act), Sections 166 to 169 (accounting documents, strict accounting documents, obligation to keep documents) of Act C of 2000 on Accounting (Accounting Act).
6.3. The purpose of data processing is to support and certify the order and its fulfilment.
6.4. Scope of the data processed: name, address and date of purchase of a natural person; name, registration number, registered office, tax number and date of purchase of a sole entrepreneur.
6.5. The period of data processing is 8 years pursuant to Section 169(2) of Act C of 2000 on Accounting. On the basis of a request for erasure by the data subject, the contractual data of the data subject may be erased after the expiry of the limitation period under civil law.
7. Data processors, data transmission
7.1. By accepting this Privacy Notice, the Customer acknowledges that the following personal data provided by the Customer and stored by the Museum of Ethnography as the data controller in the user database of etnoshop.hu – as a payment acceptance site – will be transferred to OTP Mobil Kft. (H-1093 Budapest, Közraktár u. 30-32.) as the data processor. The scope of the data transmitted by the data controller is the following: the Customer’s email address, telephone number, invoicing address details, delivery address details.
The nature and purpose of the data processing activities carried out by the data processor can be found in the SimplePay Privacy Notice at the following link: https://simplepay.hu/vasarlo-aff
7.2. The personal data provided by the Customers in the context of the Webshop is processed by an agent performing the accounting obligations of the Museum of Ethnography. The personal data provided during registration is stored by the etnoshop.hu software on a server owned by the Museum of Ethnography and is not available to third parties.
7.3. By registering and placing the order, the Customer expressly consents to the processing of their data by the persons indicated in Sections 7.1. and 7.2.
7.4. The Museum of Ethnography will not disclose the Customer’s personal data to third parties, except as provided for in Sections 7.1. and 7.2., unless required to do so by law or by a final court or administrative decision.
8. Data security measures
8.1. In particular, the Controller shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, transmission, disclosure, erasure or destruction, accidental destruction or damage and inaccessibility resulting from changes in the technology used. The Controller undertakes to take into account the state of the art in the determination and application of data security measures. The Controller will choose among several possible processing solutions the one that ensures a higher level of protection of personal data, unless this would impose a disproportionate burden on the Controller.
8.2. The Controller shall protect the personal data provided to it during transmission and after their receipt.
9. Rights of the data subject
9.1. The Regulation defines a “data subject” as a natural person who can be identified, directly or indirectly, on the basis of information and personal data relating to them.
9.2. As a data subject, you may contact the Controller at any time to exercise the following rights.
(a) You have the right to be informed about the information on data processing and to request a copy of your processed data (right to information, right of access – Article 15 of the Regulation, Section 15 of the Information Act).
(b) You have the right to request the rectification of inaccurate data or the correction of incomplete data (right to rectification – Article 16 of the Regulation, Section 17 of the Information Act).
(c) You have the right to request the erasure of your personal data and the right to have your request for erasure transmitted to another controller if your personal data have been disclosed (right to erasure – Article 17 of the Regulation, Section 17(2) of the Information Act).
(d) You have the right to request restriction of processing (right to restriction of processing – Article 18 of the Regulation).
(e) You have the right to obtain personal data concerning you in a structured, commonly used and machine-readable format and to request the transfer of such data to another controller (right to data portability – Article 20 of the Regulation).
(f) You have the right to object to the processing of your personal data (right to object – Article 21 of the Regulation, Section 21 of the Information Act).
(g) You have the right to withdraw your consent at any time in the case of processing based on consent. Withdrawal of consent does not affect the lawfulness of the processing in the previous period (right to withdraw consent – Article 7(3) of the Regulation).
(h) You have the right to lodge a complaint with the supervisory authority if you consider that the processing is in breach of a provision of the law (right to lodge a complaint with a supervisory authority – Article 77 of the Regulation).
9.3. Any application pursuant to Section 9.2 shall be sent to the email address email@example.com or by post to the postal address of the Museum of Ethnography H-1055 Budapest, Kossuth Lajos tér 12..
9.4. Please note that before executing a request for the enforcement of rights, the Controller shall identify the person who made the request. If the Controller has reasonable doubts as to the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the natural person.
9.5. You may lodge a complaint with the National Authority for Data Protection and Freedom of Information.
9.6. If the Controller fails to comply with your (the data subject’s) request, it shall, within 25 days of receipt of the request, communicate the factual and legal grounds for refusal in writing or, with your consent, by electronic means. If the request is rejected, the Controller will inform you of the possibility of judicial remedy and of recourse to the Authority.
9.7. If you disagree with the decision of the Controller or if the Controller fails to comply with the time limit, you may, within 30 days of the notification of the decision or the last day of the time limit, turn to court. The action may be brought before the court having jurisdiction according to the registered office of the Controller or your place of residence or stay, at your choice.
10. Closing provisions
10.1. The Controller shall keep records for the purpose of monitoring the measures taken in relation to the personal data breach and informing the data subjects, which shall include the scope of the personal data concerned, the number and type of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the law requiring the processing.
10.2. For issues not covered by this Privacy Notice, Regulation (EU) 2016/678 of the European Parliament and of the Council, Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information, Act V of 2013 on the Civil Code and other applicable laws shall apply.
Budapest, 04. 21. 2022