1. The data controller and their contact details
Name: TOVA-INNOVATIONS Kereskedelmi és Szolgáltató Kft.
Address: 1163 Budapest, Lombos utca 17.
Company registry no.: 01-09-346545
Tax no.: 27046414-2-42
Electronic mail address: info@tovainnovations.com
Website: https://tovainnovations.com
(hereinafter referred to as: Controller)
2. Description of the data processing
The Controller operates a webshop on the website https://tovainnovations.com (hereinafter referred to as the “Website” or “Webshop”), through which it sells custom-made strings and specially designed custom-made string holders for string mounting manufactured by the Controller. This Data Protection Notice provides, among other things, information on the processing of the data during the use of the Controller’s Website and the purchase of products: the sources and scope of the data processed, the legal basis, purposes and duration of the processing, the rights and choices concerning the personal data, and the contact details where the Data Subject can obtain answers to questions about the Controller’s data protection processes.
3. Data subjects
Data Subjects include those who register a profile on the Website and/or purchase products from the Controller.
4. Source of the personal data
The Controller receives the Data Subject’s personal data directly from the Data Subject when registering on the Website or ordering products.
5. Purpose of the data processing
5.1. For the purpose of selling the products offered on the Website.
5.2. For the purpose of registering and create a profile on the Website.
5.3. For the purpose of sending you a newsletter. The Data Subject gives his or her consent to the controller to send them a newsletter.
5.4. For the purpose of fulfilling its obligation to preserve evidence. The obligation for the Controller to keep financial records relating to the services it provides.
5.5. For the purpose of fulfilling the obligation to investigate a consumer complaint. The Controller’s obligation to investigate complaints from consumers.
6. Personal data processed
6.1. For the purpose of creating the profile selling products, the personal data processed of the Data Subject includes the following: name, address; e-mail address, telephone number; payment method chosen; order ID; billing address, if different from the Data Subject’s address; any comments made by the Data Subject on the order.
6.2 For the purpose of creating the profile, the personal data processed of the Data Subject includes the following: name, address; e-mail address, telephone number; payment method chosen; order ID; billing address, if different from the Data Subject’s address; password, serial number of the string holder.
6.3. For the purpose of sending the newsletter, the personal data processed of the Data Subject includes the following: name and e-mail address.
6.4. For the purpose of fulfilling its obligation to keep records, the personal data processed of the Data Subject includes the following: accounting records directly and indirectly supporting the accounting of the sales of its products.
6.5. For the purpose of fulfilling the obligation to investigate a consumer complaint, the personal data processed of the Data Subject includes the following: name, address; unique ID number of the complaint; place, time and manner of lodging the complaint; detailed description of the Data Subject’s complaint; list of documents, records and other evidence submitted by the Data Subject; content of the minutes, place and time of recording; response to the complaint; relevant product data; e-mail address, telephone number and signature of the Data Subject.
7. Legal basis of the data processing
7.1. The legal basis for the processing of personal data for the purpose of the sale of products is the performance of a contract between the Data Subject and the Controller for the sale of products [Article 6(1)(b) GDPR]. If the Data Subject does not provide the Controller with the necessary personal data, the Data Subject cannot purchase products.
7.2 The legal basis for the processing of personal data for the purpose of creating a profile is the explicit consent of the Data Subject [Article 6(1)(a) GDPR]. To be sure that we have your explicit consent, you must tick the appropriate box during registration. Consent may be withdrawn at any time.
7.3. The legal basis for the processing of personal data for the purpose of sending you a newsletter is the explicit consent of the Data Subject [Article 6(1)(a) GDPR]. Consent may be withdrawn at any time.
7.5. The legal basis for the processing of personal data for the purpose of fulfilling its obligation to keep evidence is the fulfilment of a legal obligation to which the Controller is subject [Article 6(1)(c) GDPR; Article 169 of Act C of 2000 on Accounting (hereinafter: Accounting Act)].
7.6. The legal basis for the processing of personal data for the purpose of fulfilling the obligation to investigate a consumer complaint is the fulfilment of a legal obligation to which the Controller is subject [Article 6(1)(c) GDPR and Article 17/A of Act CLV of 1997 on Consumer Protection].
8. Duration of the data processing
8.1. For the purpose of selling products, personal data are processed by the Controller until 6 years after the sale of the specific product (conclusion of the sales contract).
8.2 For the purpose of creating the profile, the processing of the Data Subject’s personal data will continue until the withdrawal of consent (request for erasure).
8.3. For the purpose of sending a newsletter, the Data Subject’s consent is withdrawn (request for erasure).
8.6. For the purpose of fulfilling its obligation to keep evidence, the processing of personal data lasts for eight years [the Controller is obliged to keep the documents pursuant to Article 169 (2) of the Accounting Act].
8.7. For the purpose of fulfilling the obligation to investigate a consumer complaint, the processing of personal data lasts for three years [Article 17/A (7) of Act CLV of 1997 on Consumer Protection].
9. Recipients of data processing and access
The Controller transfers the Data Subject’s personal data to its contracted partners for processing in the course of providing the service (sale of products), in order to fulfil the service and to the extent necessary for the processing. The Controller has concluded a data processing contract with all its contracted partners.
Data processors who are contracted partners of the Controller and who are necessary for the provision of the service and by whom the Data Subject’s data are processed:
MikroVPS Ltd. (address: 7150 Bonyhád, Jókai u 3., EU tax no.: HU25189861);
purpose of data processing: website development;
Sandor Vagi Einzelunternehmen. (address: 7503 Großpetersdorf, Raiffeisenplatz 1, Tür 3 – Austria, EU VAT number: ATU79760279);
purpose of processing: facilitation of payment transactions;
Stripe Payments Europe, Limited (address: C/O A&L Goodbody, Ifsc, North Wall Quay Dublin 1., Dublin 1, Dublin, www.stripe.com, E-mail: info@stripe.com);
purpose of processing: to process payment transactions.
Zöld-Kontírszám Kft. (address: 2100 Gödöllő, Palota-kert 15. 4/3., registered under the registery number 23697506-2-13);
purpose of data processing: hosting services
10. Data security measures
The Controller shall ensure the security of the data processed and shall take all measures to prevent unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or damage, inaccessibility due to changes in the technology used, i.e. to ensure that the personal data of Data Subjects are protected in accordance with the law. Among the measures necessary to maintain the requirement of data security, the Controller processes the Data Subjects’ data in a computerised database, in an automated and manual manner, and has taken measures to ensure that the processing of the Data Subjects’ data is carried out in a closed and in any case password-protected system and that these systems are only used by those who are authorised to access the data in the context of the provision of the service and to the extent strictly necessary for that purpose. Computer systems are equipped with firewalls and appropriate virus protection. The Controller shall carry out a technical check of the system and take action in the event of detection or indication of a fault. The Controller shall ensure that those who have access to the data are fully informed of the data protection rules. As a guarantee of data security, the Controller’s officers and employees shall be bound by confidentiality obligations and shall bear legal liability in respect of personal data obtained in the course of their duties.
11. Rights concerned
11.1. Right of access. At the request of the Data Subject, the Controller shall provide information on what personal data are processed, for what purposes and for how long, the rights of the Data Subject in relation to the processing and the right to lodge a complaint with the Authority. At the request of the Data Subject, the Controller shall provide a copy of the personal data processed concerning the Data Subject.
11.2. Right to rectification. The Controller shall, at the request of the Data Subject, correct the personal data provided by the Data Subject, provided that the Data Subject certifies which of his or her personal data is inaccurate, for what reason and what is the correct personal data.
11.3. Right to deletion. The Controller shall delete the personal data at the request of the Data Subject if
- The Data Subject requests,
- The personal data are no longer necessary for the purposes for which they were collected,
- The Controller concludes, on the basis of the information contained in the erasure request, that the personal data are unlawfully processed,
- It must be erased in order to comply with a legal obligation under Union or Member State law to which the Controller is subject.
11.4. Right to restriction. The Data Subject may request the blocking of his or her personal data if
- The Data Subject contests the accuracy of the personal data,
- The processing is unlawful but the Data Subject opposes the erasure of the personal data and instead requests the restriction of their use;
- The Controller no longer needs the personal data but the Data Subject requests the blocking of the data for the establishment, exercise or defence of legal claims.
11.5. Right to data portability. The Data Subject also has the right to receive data relating to them in machine-readable format and to request the Controller to transfer these data to another controller.
11.6. Right to withdraw consent. The Data Subject may withdraw his or her consent at any time, without restriction and without giving any reason, free of charge, or may request that the sending of advertising be prohibited. The withdrawal may be made both by post, by sending a letter to the Controller’s head office, and electronically by sending an e-mail to info@tovainnovations.com.
11.7. Right to object. If the legal basis for the processing is the legitimate interest of the Controller, the Data Subject may object to the processing. In this case, the Data Subject must state the grounds for the objection in his or her request. The Controller shall examine the Data Subject’s objection and may continue the processing if the processing is justified by compelling legitimate grounds which override the interests and rights of the Data Subject or if the processing is necessary for the establishment, exercise or defence of legal claims. The Controller shall examine the Data Subject’s objection and may continue the processing if the processing is justified by compelling legitimate grounds which override the interests and rights of the Data Subject or if the processing is necessary for the establishment, exercise or defence of legal claims.
11.8. Common rules on the exercising of rights. The Data Subject may exercise their rights through the e-mail address or postal address indicated in the introduction to this Notice. The exercise of rights is free of charge. The Controller will assess the Data Subject’s request within a maximum of one month and inform the Data Subject of the action taken. If the request is refused, the Controller shall inform the Data Subject within one month of receipt of the request of the reasons for the refusal and of the right to lodge a complaint with the Authority and to exercise his or her right of judicial remedy. The Controller reserves the right, where it has reasonable doubts as to the identity of the person making the request, to request the provision of the information necessary to confirm the identity of the Data Subject.
12. Legal remedies
Investigation of the Data Subject’s notification by the Controller. The Controller asks Data Subjects to notify the Controller of their complaint if they consider that the processing does not comply with data protection requirements before lodging a complaint with the Authority or initiating legal proceedings. The Controller undertakes to investigate the Data Subject’s report promptly and substantively and, if justified, to take the necessary corrective measures. The Controller shall inform the Data Subject of its position and, if the report was justified, of the measures taken.
The right of recourse to the Hungarian National Authority for Data Protection and Freedom of Information. The Data Subject has the right to initiate proceedings before the Authority. The official website of the Authority contains information on how the Data Subject can lodge a complaint with the Authority. The contact details of the Authority (website: www.naih.hu; postal address: 1363 Budapest, Pf.: 9.; e-mail address: ugyfelszolgalat@naih.hu; telephone number: +36 (1) 391 1400).
Right to apply to the courts. Right to apply to the courts. If the Data Subject considers that the Controller has infringed his or her right to the protection of personal data, they may also initiate legal proceedings and claim compensation for the damage caused to the Data Subject by the unlawful processing of his or her data or by the breach of data security, and in the case of personal injury, the payment of damages. In the event of legal action, the Data Subject may also bring the action before the courts in the place where they reside or is domiciled.