DATA PROTECTION POLICY
OF SOÓS-VÁRI MÁRIA JOHANNA SOLE ENTREPRENEUR
REGARDING DATA PROCESSING VIA WEBSHOP

Effective Date: December 10, 2021

I. GENERAL PROVISIONS
1.1 Purpose of the Policy
1.2 Scope of the Policy
1.3 Availability of the Policy
1.4 Amendment of the Policy
1.5 Applicable Laws
1.6 Definitions
1.7 Accuracy and Authenticity of Personal Data
1.8 Data Security

II. SPECIFIC DATA PROCESSING ACTIVITIES
2.1 DATA PROCESSING VIA THE WEBSHOP
2.2 DATA PROCESSING FOR INVOICING PURPOSES
2.3 DATA PROCESSING FOR NEWSLETTER DELIVERY

III. RIGHTS OF THE DATA SUBJECT
3.1 Right to Information
3.2 Right of Access
3.3 Right to Rectification and Completion
3.4 Right to Erasure (“Right to be Forgotten”)
3.5 Right to Restriction of Processing
3.6 Right to Object
3.7 Right to Data Portability
3.8 Right to Lodge a Complaint with a Supervisory Authority
3.9 Right to Effective Judicial Remedy Against a Supervisory Authority
3.10 Right to Effective Judicial Remedy Against the Controller or Processor
3.11 Right to be Informed of a Data Breach

IV. EXERCISING RIGHTS, SUBMITTING REQUESTS, CONTACTING THE CONTROLLER

V. DATA PROCESSORS / RECIPIENTS
I. GENERAL PROVISIONS
1.1 Purpose of the Policy
This Data Protection Policy (hereinafter: “Policy”) aims to provide information on the data processing practices followed and applied by Soós-Vári Mária Johanna Sole Entrepreneur (registered office: 1139 Budapest, Országbíró u. 42. 5/118., represented by: Soós-Vári Mária Johanna, website: www.revampdecor.hu, email: [email protected], phone: +36 30 5922021, hereinafter: “Controller”) operating the revampdecor webshop (hereinafter: “Webshop”), engaged in the sale and repair of unique home decor items. The various types of data processing carried out by the Controller are detailed in the tables in Chapter II.
1.2 Scope of the Policy
1.2.1 This Policy applies to the personal data of natural persons (hereinafter: “Data Subjects”) affected by the data processing activities listed in section 1.2.2.
1.2.2 The Controller sells home decor items (hereinafter: “Products”) to natural persons via the Webshop, issues invoices, sends newsletters with consent, collects opinions and photos with consent, and may organize promotional campaigns. Data Subjects include purchasers, invoice recipients, and newsletter subscribers. This Policy applies to all data processing activities conducted by the Controller.
1.3 Availability of the Policy
The current version of the Policy is available in printed form at the Controller’s registered office (see section 1.1) and electronically under the “Data Protection Policy” menu on the Website.
1.4 Amendment of the Policy
The Controller reserves the right to unilaterally amend this Policy at any time without prior notice. Amendments become effective upon publication. The Controller shall inform Data Subjects of changes via the channels specified in section 1.3.
1.5 Applicable Laws
The Controller declares that its data processing is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter: “GDPR”).
1.6 Definitions
Terms with capital letters not defined separately in this Policy carry the meaning defined by the GDPR as referenced in section 1.5.
1.7 Accuracy and Authenticity of Personal Data
The personal data are provided by the Data Subject. The Controller is not responsible for inaccurate, incomplete, or false data provided by the Data Subject.
1.8 Data Security
The Controller is committed to protecting the personal data of Data Subjects and ensuring their information self-determination rights. The Controller treats all personal data confidentially and implements all necessary technical and organizational measures to ensure data security.

2. DESCRIPTION OF DATA PROCESSING

2.1. DATA PROCESSING THROUGH THE WEBSHOP:

Description of the data processing process:
By placing an electronic order through the WEBSHOP and its acceptance by the Data Controller (via an official confirmation), a sales contract is concluded between the natural person placing the order, as the buyer (hereinafter referred to as the “Customer” or “Data Subject”), and the Data Controller, as the seller, concerning the purchase of the ordered Products. The processing of certain personal data specified below is essential for the formation and fulfillment of this contract. If the Data Subject does not provide or does not fully provide the required personal data, the formation and/or fulfillment of the contract may fail.

The Data Subject provides data on the Webshop interface in the following cases:

  1. Under the “Registration” menu

  2. Under the “Login” menu

  3. Under the “Send Order” menu

Processed personal data:

  1. Data collected under the “Registration” menu:

    • Name (first and last name)

    • Address (postal code, city, street, house number)

    • Email address

    • Phone number

    • Username/email address

    • Password

    • Date and time of registration

  2. Data provided under the “Login” menu:

    • Username/email address

    • Password

  3. Data collected under the “Send Order” menu:

    • Billing name and address (if different from those provided during registration)

    • Shipping name and address (if different from billing data)

    • Date and time the order was placed

Purpose of data processing:
To conclude and perform the sales contract and to ensure related communication.

Legal basis of data processing:
The legal basis is Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract.

Duration of data processing:
The Data Controller processes the personal data of the Data Subject for the duration of the contractual relationship, until the fulfillment of the contract, and thereafter for a specific period according to Act C of 2000 on Accounting, Section 169, for 8 years, and under tax law until the end of the statute of limitations as specified in applicable Hungarian laws.

Data Subject rights:
See Chapter III of this Privacy Notice.

Enforcement of Data Subject rights:
See Chapter IV of this Privacy Notice.

Recipients:
The Data Controller.

2.2. DATA PROCESSING FOR INVOICING PURPOSES

Description of the data processing process:
The Data Controller is required to issue an invoice for all orders in compliance with applicable tax and accounting legislation. For this purpose, the Data Controller transfers the necessary data to the invoicing software used.

Processed personal data:

  • Name

  • Billing address (postal code, city, street, house number)

  • Email address

  • Order details (product(s), quantity, price, total amount, date)

Purpose of data processing:
Issuance of a proper invoice in accordance with tax and accounting regulations.

Legal basis of data processing:
The legal basis is Article 6(1)(c) of the GDPR: the processing is necessary for compliance with a legal obligation to which the controller is subject (i.e., the issuance and retention of accounting documents).

Duration of data processing:
According to Section 169 of Act C of 2000 on Accounting, invoices must be retained for 8 years.

Data Subject rights:
See Chapter III of this Privacy Notice.

Enforcement of Data Subject rights:
See Chapter IV of this Privacy Notice.

Recipients:

  • The Data Controller

  • The invoicing software provider (as data processor)

2.3. DATA PROCESSING FOR NEWSLETTER DELIVERY

Description of the data processing process:
The Data Controller sends newsletters to individuals who have explicitly given their consent. The newsletter contains marketing content, updates on new products, special offers, and promotions related to the webshop.

Processed personal data:

  • Name (optional)

  • Email address

  • Date and time of subscription

  • IP address at the time of subscription (if technically logged)

Purpose of data processing:
To regularly inform the Data Subject about the Webshop’s news, updates, products, and services via email.

Legal basis of data processing:
The legal basis is Article 6(1)(a) of the GDPR: the Data Subject has given consent to the processing of their personal data for one or more specific purposes.

Duration of data processing:
Until the Data Subject withdraws their consent or unsubscribes from the newsletter.

Data Subject rights:
See Chapter III of this Privacy Notice.

Enforcement of Data Subject rights:
See Chapter IV of this Privacy Notice.

Recipients:

  • The Data Controller

  • The newsletter/email service provider (as data processor, if applicable)

III. RIGHTS OF THE DATA SUBJECT

3.1 Right to Information
The Data Subject has the right to receive clear, transparent, and easily understandable information regarding how their personal data is processed. The Controller provides this information in this Privacy Policy.

3.2 Right of Access
The Data Subject has the right to obtain confirmation from the Controller as to whether or not their personal data are being processed, and, if so, to access the personal data and related information as defined in Article 15 of the GDPR.

3.3 Right to Rectification and Completion
The Data Subject has the right to request the rectification of inaccurate personal data and the completion of incomplete data.

3.4 Right to Erasure (“Right to be Forgotten”)
The Data Subject has the right to request the erasure of their personal data in certain cases, such as when the data are no longer necessary for the purposes for which they were collected, or the Data Subject withdraws their consent.

3.5 Right to Restriction of Processing
The Data Subject has the right to request the restriction of data processing in the cases defined by Article 18 of the GDPR (e.g., during the period of verifying the accuracy of personal data).

3.6 Right to Object
The Data Subject has the right to object, on grounds relating to their particular situation, to the processing of their personal data which is based on a legitimate interest pursued by the Controller.

3.7 Right to Data Portability
The Data Subject has the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller, where the processing is based on consent or contract and is carried out by automated means.

3.8 Right to Lodge a Complaint with a Supervisory Authority
The Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place of the alleged infringement.

In Hungary, the competent supervisory authority is:
Hungarian National Authority for Data Protection and Freedom of Information
(NAIH)
Website: https://www.naih.hu
Address: 1055 Budapest, Falk Miksa utca 9-11.
Telephone: +36 1 391 1400
Email: [email protected]

3.9 Right to Effective Judicial Remedy Against a Supervisory Authority
The Data Subject has the right to an effective judicial remedy if the supervisory authority fails to act on a complaint or does not inform the Data Subject about the progress or outcome of the complaint within three months.

3.10 Right to Effective Judicial Remedy Against the Controller or Processor
The Data Subject has the right to an effective judicial remedy if they consider that their rights under the GDPR have been infringed as a result of the unlawful processing of their personal data.

3.11 Right to Be Informed of a Data Breach
Where the data breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the Controller shall communicate the personal data breach to the Data Subject without undue delay.

IV. EXERCISING RIGHTS, SUBMITTING REQUESTS, CONTACTING THE CONTROLLER

How can Data Subjects exercise their rights?
The Data Subject may contact the Controller at any time regarding the processing of their personal data, including exercising their rights under Chapter III.

Contact details of the Controller:
Name: Soós-Vári Mária Johanna Sole Entrepreneur
Registered address: 1139 Budapest, Országbíró u. 42. 5/118.
Email: [email protected]
Phone: +36 30 592 2021
Website: www.revampdecor.hu

Form and deadline of response:
The Controller shall respond to requests submitted by the Data Subject without undue delay, but no later than one month from receipt of the request. This period may be extended by an additional two months where necessary, considering the complexity and number of requests. The Controller shall inform the Data Subject of any such extension within one month of receiving the request, together with the reasons for the delay.

If the Data Subject submitted the request electronically, the information shall also be provided electronically, unless otherwise requested.

The Controller shall provide the information and any actions taken free of charge, except where the request is clearly unfounded or excessive (in particular because of its repetitive character), in which case the Controller may charge a reasonable fee or refuse to act on the request.

V. DATA PROCESSORS / RECIPIENTS

In the course of its data processing activities, the Controller may use third parties (data processors) to process personal data on its behalf. These data processors perform specific tasks in accordance with the Controller’s instructions and may not use the data for their own purposes.

Typical categories of data processors include:

  1. Web hosting service provider

    • Responsible for hosting the webshop and storing its data securely.

  2. Invoicing software provider

    • Processes billing-related data for the generation and archiving of invoices.

  3. Newsletter/email delivery provider (if applicable)

    • Delivers newsletters and marketing communications via email.

  4. IT service providers

    • Ensure the technical functioning and maintenance of the webshop and related systems.

  5. Courier/delivery service providers

    • In cases where the delivery of physical goods is required, the recipient’s name, delivery address, and phone number may be shared with the courier to complete delivery.

Data processors are contractually obliged to:

  • process personal data only as instructed by the Controller;

  • ensure appropriate technical and organizational measures to protect data;

  • maintain confidentiality;

  • comply with applicable data protection laws.

This Privacy Policy is governed by Hungarian law and is provided in Hungarian. An English translation is available for informational purposes only.