Privacy notice

about the processing of data provided during registration and login to the website

Data Controller:

Decoration&Design Ltd.

Registered office: 2310 Szigetszentmiklós, Kántor u. 5.
Represented by Ferenc Barna, Managing Director
E-mail address: info@decorand.com, info@dekorakademia.hu
Telephone: 06 24 526 888

The Data Controller hereby informs the data subjects that this notice covers two different types of processing on the website:

Processing of data provided during registration on the website (www.decorand.com)
Processing of data provided when registering for the website (www.decorand.com)

Processing of data provided during registration on the website (www.decorand.com)

The Data Controller allows data subjects to register on its website, facilitating the process of using the services available through the website.

What is the scope and purposes of the data processed?

Scope and purpose of the data processed:

Legal basis for consent (Article 6(1)(a) GDPR)

username*	identification/required for later access
password*	identification/required for later access
name*	identification
password*	identification
company name*	identification
e-mail*	identification, contact
phone number*	contact

the conclusion and performance of an agreement on a legal basis (Article 6(1)(b) GDPR; in relation to a representative or contact person, on a legal basis of legitimate interest (Article 6(1)(f) GDPR)

bank account number	identification, invoicing, transfer
company statement*	identification
specimen signature address	identification
operating licence	identification
delivery details*	fulfilment, delivery

fulfil a legal obligation (Article 6(1)(a) GDPR) with legal basis

billing data*

billing

as a separate processing operation with a legal basis for voluntary consent (Article 6(1)(a) GDPR)

subscribe to the newsletter

send newsletter

a legitimate interest (Article 6(1)(f) GDPR)

acknowledgement of receipt of declarations*	subsequent provability
registration date*	subsequent provability

Who are the stakeholders?

Data subjects: any natural person who can be identified or identified by the data provided during registration.

What is the main purpose of data processing?

The main purpose of the processing of data is to record the data subject's details, to grant, validate and control his/her rights, benefits and access, to facilitate registration and order placement, and to maintain contact.

How is the data processed?

The activity and process involved in the processing:

a. The data subject may provide the above-mentioned data through a specific interface on the website and (by clicking on it) send it to the Data Controller.
b. The data you provide will be transmitted to the server serving the website via an encrypted channel.
c. The data required for access are automatically recorded in an electronic registration system for this purpose.

How long does the processing last?

Duration of processing:

a. in case of a legal basis for consent, until the consent is withdrawn,
b. the conclusion of the agreement lasts for 5 years after its performance in case of a legal basis (pursuant to § 6:22 of the Civil Code)
c. in connection with the fulfilment of a legal obligation under the Audit Act, lasts for 8 years
d. lasts for 5 years after the account is closed on the basis of legitimate interest.

Where are the data from?

Source of data: directly from the data subject.

Are there any data disclosures (access, transfer, transmission) to third parties?

Disclosure:

a. for the purpose of accounting, auditing, bookkeeping activities: Istvánné Kecskés E.V., 6032 Nyárlőrinc, Dózsa György u. 26/a and Norbert György Gácsér E.V., Dunakeszi 2120, Hegyrejáró utca 20.
b. for the operation of the ERP system and the webshop: Vision Software Kft. (1149 Budapest, Pósa Lajos u. 51.)
c. to authorities, courts, if necessary.

How does the Data Controller ensure data protection?

Organisational and technical measures to protect the data processed:

a. the use of the up-to-date, state of the art https protocol, and the Data Controller shall ensure, in particular, in the context of its IT security responsibilities:
b. to deny unauthorised persons access to the tools used for data management (hereinafter referred to as the 'data management system'),
c. preventing the unauthorised reading, copying, modification or removal of data media,
d. to prevent the unauthorised input of personal data into the processing system and the unauthorised access, modification or deletion of personal data stored in the processing system,
e. the prevention of the use of data processing systems by unauthorised persons by means of data transmission equipment,
f. ensure that persons authorised to use the data management system have access only to the personal data specified in the access authorisation,
g. that it is possible to verify and establish to which recipients the personal data have been or may be transmitted or made available by means of a data transmission installation
h. to ensure that it is possible to verify and establish a posteriori which personal data have been entered into the system by whom, at what time
the prevention of unauthorised access to, copying, modification or deletion of personal data during transmission or transport of the data medium
j. ensure that the data management system can be restored in the event of a malfunction.
k. ensure that the data management system is operational, that any errors in its operation are reported and that the personal data stored cannot be altered even if the system is not functioning properly.

Is there automated decision-making, profiling?

Automated decision-making, profiling: no such processing takes place.

Other

In relation to the data marked with *, the Data Controller draws attention to the fact that if the data subject does not provide them to the Data Controller, the Data Controller refuses to provide the service (data processing).

What are the rights of data subjects?

The following table shows the relationship between the data subject's rights and the legal basis, so that it is clear to the data subject what rights he or she can exercise under the legal basis used.

Right of access (Article 15 GDPR)

The data subject shall have the right to obtain from the Controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and information about the circumstances of the processing. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46. The Controller shall provide the data subject with a copy of the personal data which are the subject of the processing, if the data subject so requests.

Right to withdraw consent (Article 7 GDPR)

You have the right to withdraw your consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

Right to rectification (Article 16 GDPR)

The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her.

Right to object (Article 21 GDPR)

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the basis of Article 6(1)(e) or (f) of the GDPR. In such a case, the Controller may no longer process the personal data, unless it can demonstrate legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

Right to restriction of processing (Article 18 GDPR)

The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller if any of the conditions set out in the GDPR are met, in which case the controller shall not perform any operation on the data other than storage. Where the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.

Right to delete (right to be forgotten) (Article 17 GDPR)

The data subject shall have the right to obtain the erasure of personal data concerning him or her without undue delay where the processing has no purpose, the data subject has withdrawn his or her consent and there is no other legal basis for the processing, there is no legitimate ground for processing which overrides the law in the event of an objection, the data have been unlawfully processed, and the data must be erased in order to comply with a legal obligation. Where the controller has disclosed the personal data and is under an obligation to erase it, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question.

Right to data portability (Article 20 GDPR)

The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to which he or she has provided the personal data, if legal conditions (automated processing and legal basis for consent or agreement) are met.

Where and how can data subjects request detailed information about the processing and transfer of their data, and where and how can they exercise their rights?

The Data Controller draws the attention of the data subjects to the fact that the data subjects may request information, exercise their right of access and other rights by sending a statement to the Data Controller by post (2310 Szigetszentmiklós, Kántor u. 5.) or by e-mail (info@decorand.com). The Data Controller will examine and reply to the statement as soon as possible after receipt and will take the necessary steps in accordance with the statement, the Internal Privacy Policy and the law.

How to contact the authority in the event of a complaint (Article 77 GDPR):

National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11.
Address for correspondence: 1374 Budapest, Pf. 603.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu

For more information about your rights and details of how to complain to the Authority, please visit http://naih.hu/panaszuegyintezes-rendje.html.

In the event of a breach of your rights, you can also take your case to the courts in your place of residence and claim, among other things, damages.

You can find the court in your country of residence at https://birosag.hu/birosag-kereso.

Processing of data provided when you log in to the website (www.decorand.com)

The User (data subject) can log in to the website after registration.

What is the scope, purposes, legal basis and duration of the data processed?

The scope, purpose, legal basis and duration of the data processed are as follows:

Who are the stakeholders?

Data subjects: all natural persons who access the website of the Data Controller.

What is the main purpose of data processing?

The main purpose of the data processing is to identify the data subjects logging on to the website, to ensure their rights and to verify them.

How is the data processed?

The activity and process involved in the processing:

a. The data subject may provide the data specified above through a specific interface on the website and (by clicking on it) transmit it to the Data Controller.
b. The data you provide will be transmitted to the server serving the website via an encrypted channel.
c. If the username and password pair exists, the server will allow the user to access the site.
d. If the data subject has forgotten his or her password, he or she will have the possibility to change his or her password to a new password by sending a new, randomly generated password to his or her e-mail address using the website's dedicated function.

e. If the data subject has previously made a change to his/her data, he/she may, after logging in, modify his/her data in the dedicated area of the website. The amended data will be transmitted to the Data Controller's system for this purpose via an encrypted channel.

Where are the data from?

Source of data: directly from the data subject.

Are there any data disclosures (access, transfer, transmission) to third parties?

Disclosure:

a. for the purpose of website operation: Vision Software Kft. (1149 Budapest, Pósa Lajos u. 51.)
b. to authorities, courts, if necessary.

How does the Data Controller ensure data protection?

Organisational and technical measures to protect the data processed:

a. the use of the state of the art https protocol, and the Data Controller shall ensure, in particular, in the context of its IT security responsibilities:
b. to deny unauthorised persons access to the tools used for data management (hereinafter referred to as the 'data management system'),
c. preventing the unauthorised reading, copying, modification or removal of data media,
d. to prevent the unauthorised input of personal data into the processing system and the unauthorised access, modification or deletion of personal data stored in the processing system,
e. the prevention of the use of data processing systems by unauthorised persons by means of data transmission equipment,
f. ensure that persons authorised to use the data management system have access only to the personal data specified in the access authorisation,
g. that it is possible to verify and establish to which recipients the personal data have been or may be transmitted or made available by means of a data transmission installation
h. to ensure that it is possible to verify and establish a posteriori which personal data have been entered into the system by whom, at what time
the prevention of unauthorised access to, copying, modification or deletion of personal data during transmission or transport of the data medium
j. ensure that the data management system can be restored in the event of a malfunction.

k. ensure that the data management system is operational, that any errors in its operation are reported and that the personal data stored cannot be altered even if the system is not functioning properly.

Is there automated decision-making, profiling?

Automated decision-making, profiling: no such processing takes place.

Other

In relation to the data marked with *, the Data Controller draws attention to the fact that if the data subject does not provide them to the Data Controller, the Data Controller refuses to provide the service (data processing).

What are the rights of data subjects?

The following table shows the relationship between the data subject's rights and the legal basis, so that it is clear to the data subject what rights he or she can exercise under the legal basis used.

Right of access (Article 15 GDPR)

Right to withdraw consent (Article 7 GDPR)

You have the right to withdraw your consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

Right to rectification (Article 16 GDPR)

The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification by the controller of inaccurate personal data relating to him or her.

Right to object (Article 21 GDPR)

Right to restriction of processing (Article 18 GDPR)

The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller if any of the conditions set out in the GDPR are met, in which case the controller shall not perform any operation on the data other than storage. Where the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.

Right to erasure (right to be forgotten) (Article 17 GDPR)

The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay where the processing has no purpose, the data subject has withdrawn his or her consent and there is no other legal basis for the processing, there is no legitimate ground for the processing which overrides any objection, the data have been unlawfully processed, and the data must be erased in order to comply with a legal obligation. Where the controller has disclosed the personal data and is under an obligation to erase it, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question.

Right to data portability (Article 20 GDPR)

The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to which he or she has provided the personal data, if legal conditions (automated processing and legal basis for consent or agreement) are met.

Where and how can data subjects request detailed information about the processing and transfer of their data, and where and how can they exercise their rights?

How to contact the authority in the event of a complaint (Article 77 GDPR):

National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11.
Address for correspondence: 1374 Budapest, Pf. 603.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu