Terms And Conditions

I. General information, the data controller

1.1. Identity and Activities of the Data Controller

For the purpose of data management activities defined in this Notice (“Notice”), the data controller is the Legal Beauty Kft. (site: 1111 Budapest, Lágymányosi utca 12. fszt. 2.; registration number: 01-09-978372; [email protected]; hereinafter “Data Controller”).

The Data Controller is a company registered in Hungary, dealing with commerce activities.

1.2. Governing Laws

Data management performed by the Data Controller is primarily governed by the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the management of personal data and on the free movement of such data, and repealing Directive 95/46/EC; hereinafter “GDPR”). In addition, data management is also governed by Hungarian laws regulating the legal relationship between the Data Controller and the affected data subject, in particular the Civil Code, and legislation on commerce and online commerce, in particular:

  • Act CXII. of 2011 on the Right of Informational Self-Determination and on Freedom of Information;
  • Act XLVIII. of 2008 on Essential Conditions of and Certain Limitations to Business Advertising (hereinafter: “Grtv.”);
  • Act CLV of 1997 on Consumer Protection (hereinafter: “Fgytv”);
  • Act C. of 2000 on Accounting (concerning the storage of bills).

1.3. Scope of the Notice, Data Subject

The scope of this Notice shall cover the data management activities of the Data Controller, in particular the data management of websites managed by the Data Controller (www.legalbeauty.hu; hereinafter: “Website”). The scope of this Notice shall only cover data management activities subject to the provisions of the GDPR.

Based on the GDPR, personal data means any information relating to an identified or an identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

For the purposes of data management performed within the scope of this Notice, data subject shall be any person who is in a legal relationship with the Data Controller, was in legal relationship, or will initiate the establishment of such legal relationship. In particular, data subjects are the users registering and shopping on the Websites.

On this basis, the scope of this Notice shall not cover data unrelated to natural persons (e.g. company data), or those data that cannot be linked to natural persons (e.g. statistical data, anonymized data).

The scope of this notice shall only cover data management performed by the Data Controller.

II. Data management principles, purpose and lawfulness of processing

2.1. Data Management Principles

The Data Controller shall manage data lawfully, fairly and transparently as far as the data subject is concerned. The Data Controller shall ensure that the data managed by the company should be accurate and up-to-date. The Data Controller ensures that the data subject can enforce his rights, and shall take the necessary actions to ensure that data management is performed lawfully at every relevant stage.

2.2. Purpose of Data Management

The primary purpose of data management is to establish and maintain a legal relationship between the data subject and the Data Controller. The purposes of data management shall include the following:

  • Identifying, contacting and liaising with the data subject;
  • Establishing and concluding a legal relationship;
  • Registration on the Websites;
  • Shopping;
  • Transfer of goods;
  • Accounting, payment;
  • Exercising the rights and fulfilling the obligations arising from the legal relationship between the parties (e.g. accounting);
  • Fulfilling the obligations required by law;
  • Advertising.

2.3. Lawfulness of Data Management

Considering that the Data Controller manages personal data for several reasons, the legal basis for data management may vary. The key legal bases for data management are listed below.

Consent granted by the data subject (GDPR Article 6 (1) Point (a))

In certain cases data management is based on a consent given by the data subject. The data subject grants his consent by contacting the Data Controller, and by initiating the establishment of the related legal relationships. Consent shall be given in each case on a voluntary basis, however, if consent is not granted it may result in the failure of creating any legal relationship between the data subject and the Data Controller. The Data Controller shall in each case inform the data subject about its data management activity. Consent is the legal basis if the data subject contacts the Data Controller, requests information, registers, or gives consent for sending advertisements.

Contract entered upon by the Data Controller and the data subject (GDPR Article 6 (1) Point (b))

If the data subject enters into a contract with the Data Controller, or initiates the conclusion of such a contract (shopping), he shall provide his data in the contract and in the related forms that are required for fulfilling the related contract. In the case specified in this section, processing is necessary for performing the contract and for taking the steps at the request of the data subject according to the relevant section of the GDPR.

If the data subject fails to grant his consent to the processing of any data requested by the Data Controller or specified in the contract, the data subject shall have the right to refuse the supply of such data. If processing is mandatory by law, or in the absence of such data the contract cannot be performed, the contract shall not be concluded if the data subject fails to provide such data.

Fulfilment of legal obligation (GDPR Article 6 (1) Point (c))

In certain cases processing is necessary for compliance with a legal obligation.

III. Data collection, scope of data processed

3.1. Data Collection

The Data Controller shall primarily collect data directly from the data subject, during the registration on the Websites. The Data Controller shall only collect data from other sources, if the data subject has granted his consent thereto, or authorisation for data collection is given by any relevant legislation.

3.2. Scope of Data Processed

The Data Controller shall process the following data related to data subjects:

  1. Full name, gender, e-mail address, password: the data managed during registration, it is a condition of registration.
  2. Facebook profile: the data subject may register with a Facebook profile, in this case the Facebook login data shall be given, other data will be transferred from Facebook by the Data Controller.
  3. Phone number: the data subject may give a phone number, helping the contact, it is not obligatory.
  4. Delivery and billing address: in case of shopping, the delivery and billing address shall be entered.
  5. Data related to ordered goods and the order process: in case of ordering (shopping) the Data Controller processes the related data.

IV. Specific data management

4.1. Data processing related to shopping

The description of the data processing: If the data subject orders from the Data Controller, a contract is concluded. In this case the Data Controller manages the data detailed in Section 3.2. above.

Scope of the processed data: The data specified in Section 3.2 above.

The purpose of the data processing:

  • Identifying, contacting and liaising with the data subject;
  • Establishing and concluding a legal relationship;
  • Registration on the Websites;
  • Shopping;
  • Transfer of goods;
  • Accounting, payment;
  • Exercising the rights and fulfilling the obligations arising from the legal relationship between the parties (e.g. accounting);
  • Fulfilling the obligations required by law.

The legal basis of the data processing: The legal basis for data processing is the preparation, conclusion and performance of the contract.

The duration of the data processing: The Data Controller may process the data for five years after the data are entered. This is justified by the fact that this is the period during which any rights may be enforced.

4.2. Registration

The description of the data processing: The Websites may be visited without registration, but certain services are available only for registered users.

Scope of the processed data: Data specified in Section 3.2.a. or b.

The purpose of the data processing:

  • Identifying, contacting and liaising with the data subject;
  • Registration on the Websites.

The legal basis of the data processing: The legal basis for data processing is the consent of the data subject.

The duration of the data processing: The Data Controller shall delete the data upon request or when the data subject objects to the data processing.

4.3. Data processing for the purposes of advertising

The description of the data processing: If the data subject consents, the Data Controller may use the contact information provided by the data subject (e-mail address, postal address, telephone number) for the purposes of advertising. In the course of the above, the Data Controller may send advertisements to the data subject using direct marketing methods. The data subject may withdraw his/her consent at any time. The data and the consent may also be provided on the website of the Data Controller.

Scope of the processed data: Data provided for the purposes of making contact for advertising purposes (e-mail address, telephone number, postal address).

The purpose of the data processing:

  • advertising.

The legal basis of the data processing: The legal basis for data processing is the consent of the data subject.

The duration of the data processing: The Data Controller shall delete the data upon request or when the data subject objects to the data processing.

4.4. Data processing related to payment

The description of the data processing: If the data subject orders, the Data Controller manages the data related to the payment.

Scope of the processed data: From the data specified in Section 3.2 above, the data related to the payment of fees.

The purpose of the data processing:

  • invoicing, payment.

The legal basis of the data processing: Performance of the contract, provision of law (Accounting Act, Section 169).

The duration of the data processing: The duration of the data processing shall be eight years after the issuance of the invoice.

4.5. Inquiries by courts, bailiffs and other authorities

The description of the data processing: If the Data Controller receives any inquiry from a court, bailiff or other authority pertaining to any of its employees, and the inquiry satisfies the requirements of the relevant provisions of law, the Data Controller shall file and comply with the inquiry, and also record what measures were taken on the basis of the inquiry.

Scope of the processed data: The data specified in Section 3.2 above that are related to the given inquiry.

The purpose of the data processing:

  • the performance of the obligations pursuant to provisions of law.

The legal basis of the data processing: In all cases, the legal basis of data processing is the statutory authorisation on which the inquiry is based.

The duration of the data processing: The Data Controller shall delete the data after five years.

V. Other information related to data management

5.1. Data Transfer

The Data Controller shall only transfer personal data to any third party, if the data subject has expressly given his consent thereto, being aware of the type of data transferred and of the identity of the recipient, the contract between the Data Controller and the data subject provides legal basis, or if the data transfer is authorised by law.

5.2. Data Processing

The Data Controller shall have the right to employ a data processor for performing its activities. Data processors shall not make independent decisions, and they shall perform their data processing activities on behalf of the Data Controller according to the written contract signed with the Data Controller and as specified in the contract, and by following the instructions given by the Data Controller. The Data Controller shall supervise the work performed by the data processors. Data processors may only employ further data processors with the consent of the Data Controller. The Data Controller shall provide information about the data processors engaged.

5.3. Data Security, Access to Data

The Data Controller shall ensure the protection of data security, and shall take the technical and organisational measures, and shall work out those procedural rules that are necessary to ensure compliance with data security requirements. The Data Controller shall keep records of the data managed by it according to the applicable legislations, ensuring that access to such data shall only be given to those employees and other persons acting for and on behalf of the Data Controller, who need to know such data based on their position, or for performing their work. Access to the personal data of data subjects shall only be given to those persons working within the organisation of the Data Controller, who need to know those for performing their work. All employees are required to treat such data confidentially.

In particular, the Data Controller shall ensure the following within the scope of its responsibilities related to IT protection:

  • It shall take measures to provide protection against unauthorized access, including protection for software and hardware devices, or physical protection (access protection, network protection);
  • It shall take measures to ensure the possibility of data recovery, including the performance of regular backup services, and the separate and safe storage of backup files (mirroring, data backup);
  • It shall provide antivirus protection for data files (antivirus protection);
  • It shall ensure the physical protection of data files and data carriers, including protection against fire, water ingress, lightning and other natural disasters, and shall ensure that such devices can be recovered after the occurrence of the above incidents (archiving, fire protection).

The Data Controller shall take the necessary measures to provide protection for hard copy records, in particular, for ensuring the physical safety of and fire protection for such records.

Employees, agents and other persons acting for and on behalf of the Data Controller shall be obliged to ensure the safe keeping and appropriate protection for data carriers containing personal data used by or entrusted to them, regardless of the method by which such personal data have been recorded.

5.4. Term of Data Management

The Data Controller shall ensure by developing and complying with data deletion rules that the duration of data management should not exceed the required and lawful retention period. Data shall be deleted in the following cases:

  • It is confirmed that data management is unlawful. If management of any data is unlawful, the Data Controller shall in each case delete such data, as soon as the unlawfulness of data management is confirmed.
  • Deletion of data is requested by the data subject. If deletion of data is requested by the data subject, the Data Controller shall in each case check whether data management is mandatory by law. If so, the Data Controller shall reject the request for deletion of data. If management of data is not mandatory, but the Data Controller has a lawful reason for data management, and data management is necessary for the submission, enforcement or protection of any legal claim, the Data Controller shall assess whether the affected data can be deleted. In the event that management of the affected data is not required by law, the Data Controller has no lawful reason for data management other than the related consent granted, or if despite any lawful reason for data management the related management activity is not justified, the Data Controller shall delete such data at the request of the data subject. If the Data Controller rejects the request for deletion of data, it shall in each case inform the data subject, and at the same time shall in each case specify the legal grounds for rejecting such request as well as the applicable legal remedies.
  • The purpose for data management is not relevant any more, or the data retention period as specified in advance, by law or in the related consent has expired. If the purpose for data management is not relevant any more, and management of the affected data is not required by law, the Data Controller shall delete such data. If a data retention period is specified by law, the Data Controller shall delete the related data after the expiry of the statutory data retention period.
  • Deletion of data has been ordered by a court or an authority. If deletion has been ordered by a court or an authority, and the order is binding, the Data Controller shall delete the relevant data.

When deletion of data is performed, the Data Controller shall make such data unidentifiable. If the law requires so, the Data Controller shall arrange for the destruction of the data carrier containing personal data.

5.5. Addressing Data Protection Incidents

Data protection incident means that a security infringement has occurred resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to transferred, stored or otherwise managed personal data. The Data Controller shall promptly report any data protection incident to the competent authority, unless, the data protection incident is unlikely to pose any risk to the rights and freedoms of the affected data subjects. The Data Controller shall keep records of the data protection incidents, along with the measures taken in response to any given incident. In case of a serious incident (i.e. it is likely to pose high risk to the rights and freedoms of the data subject), the Data Controller shall inform the data subject about the data protection incident without undue delay.

VI. Data subjects’ rights and their enforcement

6.1. Data Subjects’ Rights

Information (access). The data subject shall have the right to receive information about the management of his data. The Data Controller shall inform the data subject about data management at the time of recording such data, and this Notice shall be available to him at any time. The data subject may request full information about the management of his data during the data management process. The data subject may request The Data Controller to give him a copy of the affected data.

Correction. The data subject shall have the right to request The Data Controller to correct inappropriate data related to him, and to supplement incomplete data.

Deletion, withdrawal of consent. The data subject shall have the right to withdraw at any time his consent given to data management, and may request the deletion of his data. The Data Controller shall only reject such request, if data management is based on legal requirement, or if data management is necessary for the submission, enforcement or protection of any legal claim.

Restriction. The data subject shall have the right to restrict the management of data in the following cases:

  1. the data subject challenges the accuracy of personal data, in this case restriction shall apply to the period, during which the data controller checks the accuracy of personal data;
  2. data management is unlawful, and the data subject objects to the deletion of data, and instead he requests the restriction of their use;
  3. the data controller will not need the personal data any longer for data management purposes, but the data subject needs those for submission, enforcement or for the protection of any legal claim;
  4. the data subject objected to data management; in this case, restriction shall apply to the time period, until it is established whether the data controller’s legitimate interests override the data subject’s legitimate interests.

If data management is restricted, with the exception of data storage, the affected personal data may only be managed with the data subject’s consent, or may only be used for the purposes of submitting, enforcing or providing protection for any legal claim, or for the protection of the rights of any natural person or legal entity, or for pursuing the important public interests of the European Union or of any member state.

Objection. If data management is necessary for pursuing the legitimate interest of The Data Controller or any third party, the data subject shall have the right to object to the management of his personal data at any time for reasons related to his own circumstances. In this case, the data controller shall not continue the management of data, unless, the data controller provides evidence that data management is justified by such compelling legitimate reasons, which are given priority over the data subject’s interests, rights and freedoms, or are related to the submission, enforcement or protection of any legal claim. If data management is performed for the purpose of gaining direct business opportunities, the data subject shall have the right to object to the management of his personal data at any time.

Data portability. The data subject shall have the right to receive his personal data in a segmented, widely used machine readable format, and shall be also entitled to transfer such data to another data controller, provided that data management process is performed automatically. If technically feasible, the data subject shall have the right to request the direct transfer of his personal data to another data controller.

6.2. Ensuring the Rights of and Managing the Requests of the Data Subject

The Data Controller shall inform the data subject about its data management activities when the initial contact is made. The information on data management shall be available in the forms used for collecting data from the data subject, and this detailed Notice shall be made available to the data subject, and The Data Controller shall also notify the data subject about the existence and availability thereof.

The data subject may submit his request for exercising his rights in any form to The Data Controller (whether orally, or in writing). The Data Controller shall promptly assess such request, make a decision on the fulfilment thereof, and shall take the necessary measures. The Data Controller shall inform the data subject about the measures taken within one month. The information given shall in each case include the action taken by The Data Controller, or the information requested by the data subject. If The Data Controller rejects such request (fails to take the necessary actions required for the fulfilment of the request), the information supplied shall include the ground for rejection, the related reasons and the available legal remedies.

The Data Controller shall not make the fulfilment of the request conditional on the payment of any fee or the reimbursement of any cost.

If it is uncertain whether the request has been made by the data subject due to the given circumstances, or the method of submission, The Data Controller may request the data subject to verify his eligibility, or to submit the request by such method so that the eligibility can be clearly established.

The Data Controller shall inform all recipients about such correction, deletion or restriction imposed on data management, to whom the affected personal data was transferred, unless this is deemed impractical, or would involve disproportionate effort. At the data subject’s request, it shall inform the data subject about such recipients.

6.3. Legal Remedy

In the event that the data subject’s rights have been infringed, he may request The Data Controller to terminate such unlawful data management, and to assess the data management process, and consider the rejection of the data subject’s request. The Data Controller shall in each case examine all such complaints lodged by the data subject, and shall inform the data subject about the related outcome.

The data subject may also file his complaint directly to the National Data Protection and Freedom of Information Authority (address: Hungary, 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: [email protected]; web: www.naih.hu).

The data subject shall have the right to file his case in court, if his rights have been infringed. At the data subject’s request, The Data Controller shall provide detailed information to the data subject about the competent court having appropriate jurisdiction, and about the method to bring legal proceedings.