Data processing notice regarding the use of the webshop and online presence
The Data Controller Decoration & Design Kft. (registered office: 2310 Szigetszentmiklós, Kántor u. 5., represented by: Barna Ferenc and Boris Malovík, managing directors, e-mail: info@decorand.com) hereby informs you about the processing of data provided during the use of the webshop and online presence:
| Name of data processing: |
Webshop registration |
|
|
|
| What is the purpose of data processing? |
The main purpose of webshop registration is to record data of data subjects – buyers and service users – for the purpose of customer identification, faster fulfilment of orders, invoicing, delivery, handover and receipt of products, and provision of services. |
|
|
|
| Who are the data subjects? |
Every natural person who provides their personal data during webshop registration. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? | What is the purpose of each data category and scope? | What is the legal basis for data processing? |
| --- | --- | --- |
| username | identification, verification of authorisation, ensuring access | voluntary consent (GDPR Article 6(1)(a)) |
| password | identification, verification of authorisation, ensuring access | |
| name of contact person | identification, provision of discounts and authorisations | |
| e-mail address of contact person | communication, sending of invoices | |
| phone number of contact person | communication | |
| name, registered office, delivery address, tax number and card number of the company on behalf of which the contact person acts | identification, provision of discounts and authorisations, invoicing | |
| personal data in uploaded documents | identification, verification of authorisation | |
| date of acceptance of webshop registration, general terms and conditions, and privacy notice | future evidentiary purposes | |
|
|
|
| How long does data processing last? |
Data processing lasts until deletion at the request of the data subject. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
ISolutions Informatikai Zrt. |
2040 Budaörs, Baross utca 89. |
server services |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction.
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Webshop login |
|
|
|
| What is the purpose of data processing? |
The main purpose of webshop login is customer identification, faster fulfilment of orders, invoicing, delivery, handover and receipt of products, and provision of services. |
|
|
|
| Who are the data subjects? |
Every natural person who provided their personal data during webshop registration and subsequently logs into the webshop. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? | What is the purpose of each data category and scope? | What is the legal basis for data processing? |
| --- | --- | --- |
| username | identification, verification of authorisation, ensuring access | voluntary consent (GDPR Article 6(1)(a)) |
| password | identification, verification of authorisation, ensuring access | |
|
|
|
| How long does data processing last? |
Data processing lasts until deletion at the request of the data subject. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
ISolutions Informatikai Zrt. |
2040 Budaörs, Baross utca 89. |
server services |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction.
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Order |
|
|
|
| What is the purpose of data processing? |
The main purpose of orders placed through the webshop is to record and fulfil buyer and service user requirements regarding products, services, quantities, prices, fees, and payment and delivery methods. |
|
|
|
| Who are the data subjects? |
Every natural person who provided their personal data when placing an order through the webshop. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? | What is the purpose of each data category and scope? | What is the legal basis for data processing? |
| --- | --- | --- |
| name of contact person | identification | performance of a contract (GDPR Article 6(1)(b)) |
| name, registered office and tax number of the company in the name and on behalf of which the contact person acts | identification, provision of discounts and authorisations, invoicing | |
| delivery address of the company in the name and on behalf of which the contact person acts | performance | |
| name, quantity, price, fee and order number of the products and services ordered by the company in the name and on behalf of which the contact person acts | identification, performance | |
| delivery and payment method requested by the company in the name and on behalf of which the contact person acts | identification, performance | |
| date of order | future evidentiary purposes | |
|
|
|
| How long does data processing last? |
Pursuant to Section 6:22 of Act V of 2013 on the Civil Code (Civil Code), the general limitation period for claims arising from contracts is 5 years; therefore, data processing for this purpose lasts at most until this period expires. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
ISolutions Informatikai Zrt. |
2040 Budaörs, Baross utca 89. |
server services |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction.
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Invoicing |
|
|
|
| What is the purpose of data processing? |
Evidencing sales, enforcing payment claims, and tracking revenue. |
|
|
|
| Who are the data subjects? |
Every natural person whose personal data appears on the payment document. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? | What is the purpose of each data category and scope? | What is the legal basis for data processing? |
| --- | --- | --- |
| name, registered office, delivery number, tax number and card number of the company on behalf of which the contact person acts | evidencing sales, enforcement of payment claims | performance of a contract (GDPR Article 6(1)(b)); compliance with a legal obligation (GDPR Article 6(1)(c)) pursuant to tax and accounting legislation – in particular Section 169(2) of Act C of 2000 on Accounting |
| e-mail address of contact person | sending of invoices | |
|
|
|
| How long does data processing last? |
Pursuant to Section 169(2) of Act C of 2000 on Accounting, accounting documents – including data underlying invoices – must be retained; therefore, data processing for this purpose lasts 8 years. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
ISolutions Informatikai Zrt. |
2040 Budaörs, Baross utca 89. |
server services |
|
| |
Vision Software Kft. |
1149 Budapest, Pósa Lajos utca 51. |
online invoicing and enterprise management software |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction.
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Delivery, personal collection |
|
|
|
| What is the purpose of data processing? |
The main purpose of delivery is the receipt of products on time and by the delivery method chosen by the buyer. |
|
|
|
| Who are the data subjects? |
Every natural person whose personal data was recorded in connection with the handover and receipt of products. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? | What is the purpose of each data category and scope? | What is the legal basis for data processing? |
| --- | --- | --- |
| name, delivery address and chosen collection method of the company in the name and on behalf of which the contact person acts | receipt of products on time and in accordance with the delivery method chosen by the buyer | performance of a contract (GDPR Article 6(1)(b)) |
|
|
| How long does data processing last? |
Pursuant to Section 6:22 of Act V of 2013 on the Civil Code (Civil Code), the general limitation period for claims arising from contracts is 5 years; therefore, data processing for this purpose lasts at most until this period expires. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
ISolutions Informatikai Zrt. |
2040 Budaörs, Baross utca 89. |
server services |
|
| |
Express One Hungary Kft. |
1239 Budapest, Európa utca 12. |
delivery and parcel sending service |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction.
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Online card payment, bank transfer, cash payment |
|
|
|
| What is the purpose of data processing? |
Fulfilment of the payment obligation associated with the order. |
|
|
|
| Who are the data subjects? |
Every natural person whose personal data becomes known in connection with the payment obligation for products and services. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? | What is the purpose of each data category and scope? | What is the legal basis for data processing? |
| --- | --- | --- |
| name of the company in the name and on behalf of which the contact person acts and which fulfils the payment obligation arising from the order, the amount paid and the date of payment | Fulfilment of the payment obligation associated with the order. | performance of a contract (GDPR Article 6(1)(b)) |
|
|
| How long does data processing last? |
Pursuant to Section 6:22 of Act V of 2013 on the Civil Code (Civil Code), the general limitation period for claims arising from contracts is 5 years; therefore, data processing for this purpose lasts at most until this period expires. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
OTP NYRt. |
1051 Budapest, Nádor utca 16. |
online card payment service provider, banking service provider |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction.
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Complaint handling |
|
|
|
| What is the purpose of data processing? |
Managing the complaint handling process and customer relations. |
|
|
|
| Who are the data subjects? |
Every natural person whose personal data becomes known in connection with the complaint submission. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? | What is the purpose of each data category and scope? | What is the legal basis for data processing? |
| --- | --- | --- |
| Name of contact person | Identification | performance of a contract (GDPR Article 6(1)(b)) |
| Name and registered office of the company in the name and on behalf of which the contact person acts | Identification | |
| E-mail address, phone number and postal address of the contact person | Communication | |
| The subject and content of the complaint may also contain other personal data | Managing the complaint handling process and customer relations. | |
|
|
|
| How long does data processing last? |
Pursuant to Section 6:22 of Act V of 2013 on the Civil Code (Civil Code), the general limitation period for claims arising from contracts is 5 years; therefore, data processing for this purpose lasts at most until this period expires. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
No data is transferred to any data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
|
|
|
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction.
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Handling of quality complaints |
|
|
|
| What is the purpose of data processing? |
Handling quality complaints and managing matters related to defective performance. |
|
|
|
| Who are the data subjects? |
Every natural person whose personal data becomes known in connection with the handling of quality complaints. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? | What is the purpose of each data category and scope? | What is the legal basis for data processing? |
| --- | --- | --- |
| Name of contact person | Identification | compliance with a legal obligation (GDPR Article 6(1)(c)) |
| Name and registered office of the company in the name and on behalf of which the contact person acts | Identification | |
| E-mail address, phone number and postal address of the contact person | Communication | |
| Name of the product subject to quality complaint, its purchase price, date of performance, description of the defect, and the claim to be enforced | Handling quality complaints, managing matters related to defective performance, customer relations | |
|
|
|
| How long does data processing last? |
Pursuant to Section 6:163(1) of the Civil Code, the entitled party's warranty claim expires within one year from the date of performance.
Pursuant to Section 6:22(1) of the Civil Code – unless otherwise provided by law – claims expire within five years. The Data Controller is obliged, as a general rule, to retain personal data until the expiry of the limitation period.
In view of the above, the Data Controller applies a five-year data retention period for personal data that comes to its knowledge in the course of handling quality complaints, in line with the limitation period for claims. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
No data is transferred to any data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
|
|
|
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction.
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Product recall |
|
|
|
| What is the purpose of data processing? |
Notifying customers of the safety-related recall (partial or full) of a product they purchased. |
|
|
|
| Who are the data subjects? |
Every natural person whose personal data becomes known in connection with the product recall. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? |
What is the purpose of each data category and scope? |
What is the legal basis for data processing? |
|
|
| Name of contact person |
Identification |
compliance with a legal obligation (GDPR Article 6(1)(c)) |
|
|
| Name and registered office of the company in the name and on behalf of which the contact person acts |
Identification |
|
|
|
| E-mail address, phone number and postal address of the contact person |
Communication |
|
|
|
| Name of the product subject to product recall |
Eliminating and avoiding safety risks through product recall. |
|
|
|
| How long does data processing last? |
Pursuant to Section 6:558(3) of the Civil Code, the manufacturer bears product liability for 10 years from the date the product was placed on the market. Pursuant to Section 4(6)(a) of the Product Safety Act, the importer and distributor are obliged to facilitate the monitoring of the safety of the products they distribute and to cooperate with manufacturers and authorities to avoid risks. In this context, they are obliged to ensure that the manufacturer can monitor the safety of the distributed product. The Data Controller retains data for 10 years from the date the product was placed on the market by the manufacturer. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
In the event of a product recall, data is transferred to the manufacturer as data processor(s). |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
|
|
|
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction,
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Newsletter subscription and sending |
|
|
|
| What is the purpose of data processing? |
The main purpose of processing data related to newsletter sending is the regular informing of the recipient (subscribed data subject) about the latest promotions, events and news of the Data Controller (and its Partners), essentially regular advertising. |
|
|
|
| Who are the data subjects? |
Every natural person who wishes to be regularly informed about the Data Controller's news, promotions and discounts, and therefore subscribes to the newsletter service by providing their personal data. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? |
What is the purpose of each data category and scope? |
What is the legal basis for data processing? |
|
|
| name of contact person |
identification |
Voluntary consent (GDPR Article 6(1)(a) and Section 6(1) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities) |
|
|
| name of the company on behalf of which the contact person acts |
identification |
|
|
|
| e-mail address |
identification and sending of newsletter |
|
|
|
| technical data: date of subscription and unsubscription |
future evidentiary purposes |
|
|
|
| How long does data processing last? |
Data processing lasts until deletion at the request of the data subject (unsubscription), or until deletion due to the e-mail address becoming unreachable.
The Data Controller processes (solely stores) the date of subscription and unsubscription for 5 years following unsubscription from the newsletter, for the purpose of being able to prove the lawfulness of newsletter sending. |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor. |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
The Rocket Science Group, LLC |
675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA |
e-mail sending service |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction,
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Contact initiated by e-mail |
|
|
|
| What is the purpose of data processing? |
Contact initiated by the data subject via e-mail and response from the Data Controller. |
|
|
|
| Who are the data subjects? |
Every natural person who is or can be identified by the data provided by e-mail. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? |
What is the purpose of each data category and scope? |
What is the legal basis for data processing? |
|
|
| name of contact person |
identification, salutation |
Voluntary consent (GDPR Article 6(1)(a)) |
|
|
| name of the company on behalf of which the contact person acts |
identification |
|
|
|
| e-mail address |
communication |
|
|
|
| subject |
communication |
|
|
|
| message, to the extent it contains personal data |
communication |
|
|
|
| technical data: date of submission |
future evidentiary purposes |
|
|
|
| How long does data processing last? |
Data processing lasts until deletion at the request of the data subject (unsubscription), or until deletion due to the e-mail address becoming unreachable.
If the e-mail contact is for the purpose of requesting a quote, or arises in connection with the performance of an existing agreement, the processing of data of a representative or contact person of a non-natural person partner is based on the Data Controller's legitimate interest in maintaining contact (GDPR Article 6(1)(f)). In this case, the retention period is 5 years following the termination of the legal relationship (civil law limitation period). |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor. |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
The Rocket Science Group, LLC |
675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA |
e-mail sending service |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction,
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Contact initiated by phone |
|
|
|
| What is the purpose of data processing? |
Contact initiated by the data subject via phone call and response from the Data Controller. |
|
|
|
| Who are the data subjects? |
Every natural person who is or can be identified by the data provided via phone call. |
|
|
|
| Who/what is the source of the data? |
Data subjects |
|
|
|
| What are the categories and scope of processed data? |
What is the purpose of each data category and scope? |
What is the legal basis for data processing? |
|
|
| name of contact person |
identification, salutation |
Voluntary consent (GDPR Article 6(1)(a)) |
|
|
| name of the company on behalf of which the contact person acts |
identification |
|
|
|
| phone number |
communication |
|
|
|
| subject |
communication |
|
|
|
| message, to the extent it contains personal data |
communication |
|
|
|
| technical data: date of submission |
future evidentiary purposes |
|
|
|
| How long does data processing last? |
Until deletion at the request of the data subject (unsubscription).
If the phone contact is for the purpose of requesting a quote, or arises in connection with the performance of an existing agreement, the processing of data of a representative or contact person of a non-natural person partner is based on the Data Controller's legitimate interest in maintaining contact (GDPR Article 6(1)(f)). In this case, the retention period is 5 years following the termination of the legal relationship (civil law limitation period). |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
Data is transferred to the data processor. |
|
|
|
| Is there a data processor engaged? |
Company name |
Registered office |
Place of service provision |
Service |
| |
The Rocket Science Group, LLC |
675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA |
e-mail sending service |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction,
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
| Name of data processing: |
Contact initiated via social media |
|
|
|
| What is the purpose of data processing? |
Facilitating contact initiated by the data subject via social media and response from the Data Controller. |
|
|
|
| Who are the data subjects? |
Every natural person who is or can be identified by the data provided on social media. |
|
|
|
| Who/what is the source of the data? |
Data subjects
The Data Controller processes only those of the data subject's data specified below that are genuinely necessary for the given contact and/or other interaction. |
|
|
|
| What are the categories and scope of processed data? |
What is the purpose of each data category and scope? |
What is the legal basis for data processing? |
|
|
| public name of contact person |
identification, salutation |
Voluntary consent (GDPR Article 6(1)(a)) |
|
|
| public e-mail address of contact person |
communication |
|
|
|
| subject |
subject of message |
|
|
|
| message, to the extent it contains personal data |
communication |
|
|
|
| other interactions on social media (following, liking, sharing, etc.) |
use of the given social media function |
|
|
|
| technical data: date of submission |
future evidentiary purposes |
|
|
|
| How long does data processing last? |
Until deletion at the request of the data subject.
If the social media contact is for the purpose of requesting a quote, or arises in connection with the performance of an existing agreement, the processing of data of a representative or contact person of a non-natural person partner is based on the Data Controller's legitimate interest in maintaining contact (GDPR Article 6(1)(f)). In this case, the retention period is 5 years following the termination of the legal relationship (civil law limitation period). |
|
|
|
| Is data disclosed (access granted, transferred, transmitted) to third parties? |
Data may be transferred to authorities, courts, legal representatives, data protection officers, or persons or bodies conducting due diligence on the Data Controller.
The operators of social media platforms and the Data Controller are considered joint controllers. |
|
|
|
| |
Company name |
Registered office |
Place of service provision |
Service |
| |
Meta Ireland Limited |
4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland |
social media |
|
| |
Google LLC |
600 Amphitheatre Parkway, Mountain View, California 94043, USA. |
social media |
|
| Is there automated decision-making? |
Does not occur. |
|
|
|
| Is there profiling? |
Does not occur. |
|
|
|
| What data security measures does the Data Controller implement? |
The Data Controller ensures in particular:
- that access to equipment used for data processing (hereinafter: the data processing system) is denied to unauthorised persons,
- the prevention of unauthorised reading, copying, modification or removal of data carriers,
- the prevention of unauthorised entry of personal data into the data processing system, and the prevention of unauthorised access to, modification of or deletion of personal data stored therein,
- the prevention of unauthorised use of data processing systems via data transmission equipment,
- that persons authorised to use the data processing system can only access personal data specified in their access authorisation,
- that it can be verified and established to which recipients personal data has been or may be transmitted, or made or may be made available, via data transmission equipment,
- that it can subsequently be verified and established which personal data was entered into the data processing system, at what time, and by whom,
- the prevention of unauthorised access to, copying, modification or deletion of personal data during their transmission or during the transport of data carriers,
- that the data processing system can be restored in the event of a malfunction,
- that the data processing system remains operational, that errors occurring during its operation are reported, and that stored personal data cannot be altered even through faulty operation of the system. |
|
|
|
| What rights does the data subject have and how can they be exercised? |
The following table shows the relationship between the rights of the data subject and the legal basis/bases specified above in connection with data processing, so that it is clear to the data subject which rights are available under the applicable legal basis. Following the table, the data subject receives an explanation of the content of the rights and how to exercise them. |
|
|
|
The Data Subject is obliged to promptly notify the Data Controller of any changes to the data provided during registration, ordering, or communication. The Data Controller shall not be liable for any damages, disadvantages, or incorrect performance resulting from the failure to keep such data up to date.
Cookie management
Detailed information about the cookies used on the website is provided in the cookie notice and settings interface available on the website; a general overview is provided below.
Cookies
Cookies are small text files containing IT data that ensure the proper functioning of the Website. They are stored on endpoint devices. The files recognise the device and adapt the Website's appearance to its preferences. Cookies are essential for logging in to the Website and for ensuring the smooth operation of its functions.
You can modify your cookie settings in the menu in the pop-up window in the footer.
Types and characteristics of cookies
Essential cookies / Functional cookies
These are necessary to provide the functions of the site – such as login, webshop basket, etc.
By disabling functional cookies, certain features of the site will not function properly.
Performance cookies
These collect information about the use of the site and the user's activity. They are not suitable for personal identification but provide information about the browser type, screen resolution, and how the website is navigated. Their purpose is to provide the website owner with data that can be used to improve the performance and quality of the site.
Advertising cookies
Their purpose is to make the advertisements displayed on the website as relevant as possible to the visitor's needs and interests. Such cookies are only provided by pages on which advertisements appear.
Deleting cookies
All modern browsers allow cookie settings to be changed. Most browsers automatically accept cookies by default, but these settings can generally be changed to prevent automatic acceptance and to offer a choice each time as to whether or not to allow cookies. Please note that since the purpose of cookies is to facilitate the use of our website, preventing or deleting cookies may mean that you are unable to use all the features of our website, or that the website may not function as intended in your browser.
Blocking cookies
Cookies are created and stored by the browser, so they can be blocked within the browser. However, it should be noted that with cookies blocked, familiar websites may not function properly.
For information on how to disable cookies, please refer to your browser's Help section.
Disable cookies in Internet Explorer: http://windows.microsoft.com/hu-hu/windows-vista/block-or-allow-cookies
| | Right to prior information | Right of access | Right to rectification | Right to erasure | Restriction | Data portability | Objection | Withdrawal of consent |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Consent | YES | YES | YES | YES | YES | YES | NO | YES |
| Contract | YES | YES | YES | YES | YES | YES | NO | NO |
| Legal obligation | YES | YES | YES | NO | YES | NO | NO | NO |
| Vital interests | YES | YES | YES | YES | YES | NO | NO | NO |
| Public task, public authority | YES | YES | YES | NO | YES | NO | YES | NO |
| Legitimate interest | YES | YES | YES | YES | YES | NO | YES | NO |
Right to information (GDPR Articles 13 and 14)
Where the Data Controller processes personal data relating to the data subject, the Data Controller is obliged to provide the data subject – even without a request to that effect – with information on the most important characteristics of the processing, including its purpose, legal basis, duration, the identity and contact details of the Data Controller and its representative, the contact details of the data protection officer, the recipients of personal data, in the case of processing based on legitimate interest the legitimate interest of the Data Controller and/or a third party, and the rights of the data subject and remedies available (including the right to lodge a complaint with a supervisory authority); and, if the data subject is not the source of the data, the source of personal data and the categories of personal data concerned, to the extent the data subject does not already have this information. The Data Controller provides this information by making this notice available to the data subject.
Right of access (GDPR Article 15)
The data subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, and, where that is the case, the right to access the personal data and information relating to the circumstances of the processing. Where personal data is transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. The Data Controller shall provide a copy of the personal data undergoing processing to the data subject upon request.
Right to withdraw consent (GDPR Article 7)
The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to rectification (GDPR Article 16)
The data subject has the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning them.
Right to object (GDPR Article 21)
The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on GDPR Article 6(1)(e) or (f).
In such a case, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
Right to restriction of processing (GDPR Article 18)
The data subject has the right to obtain from the Data Controller restriction of processing upon request where one of the conditions set out in the GDPR applies, in which case the Data Controller shall not carry out any operation on the data other than storage.
Where the data subject has objected to processing, the restriction shall apply for the period pending the verification of whether the legitimate grounds of the Data Controller override those of the data subject.
Right to erasure ('right to be forgotten') (GDPR Article 17)
The data subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay where the processing has no purpose, where consent has been withdrawn and there is no other legal basis, where there is no overriding legitimate reason for processing in the case of an objection, or where the data was processed unlawfully from the outset, or where the data must be erased to comply with a legal obligation. Where the Data Controller has made the personal data public and is obliged to erase it, the Data Controller shall, taking into account available technology and the cost of implementation, take reasonable steps – including technical measures – to inform controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to data portability (GDPR Article 20)
The data subject has the right to receive the personal data concerning them, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided, where the statutory conditions apply (automated processing and consent or contract as legal basis).
Where and how can the data subject request detailed information about data processing and transfers, and where and how can they exercise their rights?
The Data Controller draws the attention of data subjects to the fact that they may submit requests for information, exercise their right of access, and exercise other rights by sending a declaration to the Data Controller's postal address (Decoration & Design Kft., 2310 Szigetszentmiklós, Kántor u. 5.) or e-mail address (info@decorand.com). The Data Controller shall examine and respond to the declaration within the shortest possible time from receipt, and shall take the necessary steps in accordance with the declaration, the Internal Data Protection Policy, and applicable legislation.
Contact details of the supervisory authority for complaints (GDPR Article 77):
National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
For further information about your rights and the details of lodging a complaint with the authority, please visit: http://naih.hu/panaszuegyintezes-rendje.html.
In the event of an infringement of their rights, the data subject may also turn to the court competent for their place of residence and may claim damages, among other remedies.
You can find the court competent for your place of residence here: https://birosag.hu/birosag-kereso
Other
In the case of voluntary consent, consent may be withdrawn by e-mail sent to info@decorand.com or by post sent to Decoration & Design Kft., 2310 Szigetszentmiklós, Kántor u. 5.
Closed: 11 April 2026.
Version: 1.0. Barna Ferenc and Boris Malovík, Managing Directors, Decoration & Design Kft.