Preamble

In accordance with the provisions of the Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), Pelote Hungary Ltd hereinafter: Service Provider, controller) applies the following Privacy Policy (hereinafter:

Privacy Policy):

This Privacy Policy governs the data processing activities relating to the following pages: sparkbypelote.com The Privacy Policy is available at the following page:

http://sparkbypelote.com/….

Any amendments to the Policy will take effect upon publication at the above address.

The processor and its contact details:

Name:

Pelote Hungary Ltd

Registered seat:

1065 Budapest Andrássy út 15.

E-mail: office@pelote.hu

Telephone:

+36 304121469

Definitions

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 3. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 4. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; 5. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; 6. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 7. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to the processing of personal data Personal data shall be:

* processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

* collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

* adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);

* accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

* kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

* processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

The data subject may initiate access to, deletion, modification or restriction of the processing of personal data, data portability, or objection to data processing in the following ways:

* by mail at the address 1061 Budapest, Andrássy út 15,

* by e-mail at the e-mail address office@pelote.hu

* by phone via the number + 36 30 4121469.

The rights of the data subject

* You may obtain information on the circumstances of data processing,

* You shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and to access all information regarding the data processing,

* You shall have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format,

* You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you.

 

1. Right of access

You shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information listed in the Regulation.

1. Right to rectification

You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you.

Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

1. Right to erasure

You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data concerning you without undue delay if specific conditions are met.

1. Right to be forgotten

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure of any links to, or copy or replication of, those personal data.

1. Right to restriction of processing

You shall have the right to obtain from the controller restriction of processing where one of the following applies:

* the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;

* the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

* the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;

* you have objected to processing, pending the verification whether the legitimate grounds of the controller override those of yours.

1. Right to data portability

You shall have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

1. Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions.

1. Objection to related direct marketing Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

1. Automated individual decision-making, including profiling You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The previous paragraph shall not apply if the decision:

* is necessary for entering into, or performance of, a contract between you and a data controller;

* is authorized by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

* is based on your explicit consent.

Time limit for action

The controller shall provide information on action taken on a request specified above to you without undue delay and in any event within 1 month of receipt of the request.

That period may be extended by two months where necessary. The controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on your request, the controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

* the pseudonymization and encryption of personal data;

* the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

* the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

* a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."

Communication of a personal data breach to the data subject When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the name and contact details of the data protection officer or other contact point where more information can be obtained; it shall describe the likely consequences of the personal data breach; and the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject shall not be required if any of the following conditions are met:

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

Notification of a personal data breach to the supervisory authority In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Review in the case of mandatory processing Unless the duration of or the periodic review of the necessity of mandatory processing is specified by law, a local decree or a binding act of the European Union, the controller shall review, at least every three years from the commencement of data processing, whether the processing of personal data processed by it or by any processor acting on its behalf is necessary for the achievement of the purpose of the processing.

The controller shall document the circumstances and results of such review, retain such documentation for a period of ten years from the date of the review, and make it available to the National Data Protection and Freedom of Information Authority (hereinafter: Authority) upon the Authority’s request.

Possibility to complain

Complaints about possible infringements of the controller can be lodged with the National Data Protection and Freedom of Information Authority:

National Data Protection and Freedom of Information Authority

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, Pf: 5.

Telephone: +36 -1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Applicable legislation

* the Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection

Regulation)

* Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter: Privacy Act)

* Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Article 13/A in particular)

* Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers;

* Act XLVIII of 2008 on essential conditions of and certain limitations to business advertising activity (Article 6 in particular)

* Act XC of 2005 on the Freedom of Information by Electronic Means

* Act C of 2003 on electronic communications (specifically, Article 155)

* Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising

* Recommendation of the National Data Protection and Freedom of Information Authority on the data protection requirements of prior notification Data processing 1.

Data processing related to web store operation 1. The fact of data collection, the type of data processed and the purpose of processing:

Personal data    The purpose of processing Username    Identification, enabling registration.

Password    It provides secure access to the user account.

First name and surname    It is required for making contact, purchasing, and issuing a proper invoice.

E-mail address    Maintaining contact.

Phone number    Maintaining contact, more effective coordination of issues related to invoicing or shipping.

Billing name and address    Issuing the proper invoice, and the conclusion of the contract, determination of the content and modification thereof, monitoring of its performance, invoicing of the fees arising therefrom, and the enforcement of claims related thereto.

Shipping name and address    Enabling home delivery.

Date of purchase/registration    Implementation of technical operation.

IP address at purchase/registration    Implementation of technical operation.

Neither the username nor the email address must contain personal data.

1. The data subjects: all data subjects who have registered and/or shop on the web-store website.

2. 3. Duration of processing, time limit for the erasure of data: in case of non-registered customers, one year after the completion of the sale, and in case of registered customers, immediately upon the cancellation of registration. Pursuant to Article 19 of the GDPR, the Controller shall notify the data subject of the erasure on any personal data provided by the data subject by electronic means. If the data subject’s request for erasure covers also the e-mail address provided by him or her, the controller, after the notification, will erase the e-mail address as well. Pursuant to Article 169 (2) of Act C of 2000 on Accounting, the Controller is obliged to retain the accounting documents for a period of 8 years.

3. The possible controllers authorized to access the data, the recipients of personal data: The personal data may be processed by the controller’s sales and marketing staff, subject to the above principles.

4. The legal basis for data processing:

5.1. in case of registration, point (a) of Article 6 (1) of the GDPR, 5.2. in case of purchase, point (b) of Article 6 (1) of the GDPR, (Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter:

Electronic Commerce Act):

The service providers shall be authorized to process personal data in connection with providing the service, to the extent absolutely necessary for technical reasons. Where all relevant conditions remain unaltered, service providers shall install equipment for the provision of information society services - and operate under all circumstances - with facilities to ensure that the processing of personal data takes place only when it is absolutely necessary for providing the services and to meet the objectives set out in this Act; however, under no circumstances may they exceed the extent required in terms of time and

volume.)

5.3. in case of accounting documents, point (c) of Article 6 (1).

5.4. In case of enforcement of claims arising from the contract, point

(f) of Article 6 (1).

1. We hereby inform you that

* processing is necessary for the performance of a contract.

* you are required to provide the personal data so that we can fulfill your order.

* failure to provide data will result in our inability to process your order.

Engaged processors

Logistics

1. Activities performed by the processor: logistics (storage, packaging, invoicing, shipping) 2. Name and contact details of the processor: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

2351 Alsónémedi

GLS Európa u. 2.

info@gls-hungary.com

Cégjegyzékszám:

13-09-111755

Adószám:

12369410-2-44

Közösségi adószám:

HU12369410

1. The fact of data collection, the type of data processed: shipping and billing name and address, phone number, e-mail address.

2. Data subjects: all customers.

3. The purpose of processing: conducting the sale of the ordered product.

4. The duration of processing, the time limit for the erasure of data:

until the conducting of the sale.

5. The legal basis for data processing: point (b) of Article 6 (1).

6. The processor is entitled to engage another processor, subject to the rules governing data processing.

Hosting provider

1. Activities performed by the processor: Hosting 2. Name and contact details of the processor: ……..

3. The fact of data collection, the type of data processed: All personal data provided by the data subject.

4. Data subjects: All data subjects using the website.

5. The purpose of processing: Making the website accessible and operating it properly.

6. The duration of processing, time limit for the erasure of data:

processing shall last until the termination of the agreement between the controller and the hosting provider or until the data subject’s request for erasure to the hosting provider.

7. The legal basis for data processing: points (c) and (f) of Article 6 (1), and Article 13/A (3) of the Electronic Commerce Act.

Recipients to which the personal data are disclosed (Data Transfer):

Online payment

1. Activities performed by the recipient: Online payment 2. Name and contact details of the recipient: Barion Payment Zrt. (1117 Budapest, Infopark sétány 1. I. ép. 5. em. 5.) 3. The fact of data collection, the type of data processed: Billing data, name, e-mail address 4. Data subjects: All data subjects who choose to pay on the website.

5. The purpose of processing: Completing online payment, confirming transactions and fraud monitoring in order to ensure the protection of users (control of abuse) 6. The duration of processing, time limit for the erasure of data: It lasts until the completion of online payment.

7. The legal basis for data processing: point (b) of Article 6 (1) of the GDPR. Processing is required for the completion of online payment carried out upon the request of the data subject.

 

2.

Managing Cookies

1. The cookies which are specific to web stores are the so-called “password-protected session cookies”, “shopping cart cookies” and “security cookies”, the use of which do not require prior consent from the data subjects.

2. The fact of data collection, the type of data processed: Unique identification number, dates, times 3. Data subjects: All data subjects visiting the website.

4. The purpose of processing: Identification of users, keeping records of the “shopping cart” and monitoring visitors.

5. The duration of processing, the time limit for the erasure of data Type of cookies    Legal basis for processing    Duration of processing    Data processed Session cookies

      Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Electronic Commerce Act)    The time period until the end of the relevant visitor session

      connect.sid

 

 

 

1. The possible controllers authorized to access the data: The controller shall not process personal data by using cookies.

2. Description of the data subjects’ rights related to the processing of

data: The data subjects have the opportunity to delete cookies in the browsers' Tools / Settings menu, usually under the Privacy menu item.

3. The legal basis for data processing: The consent of the data subject is not required if the sole purpose of the use of cookies is to transmit communications over an electronic communications network or if it is absolutely necessary for the service provider to provide an information society service explicitly requested by the subscriber or user.

 

 

3.

Use of Google Adwords conversion tracking 1. The controller uses the online adware “Google AdWords”, and, within that framework, uses Google’s conversion tracking service. Google conversion tracking is the analytical service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google“).

2. When a user accesses a webpage through a Google ad, a cookie required to track conversions is placed on his or her computer. These cookies have a limited period of validity and do not contain any personal data; thus, the user is not identifiable by them.

3. When the user browses certain pages of the webpage and the cookie has not yet expired, Google and the controller are able to see that the user has clicked on the ad.

4. Each Google AdWords customer receives a different cookie, so they cannot be tracked through the websites of AdWords customers.

5. The information obtained by means of conversion tracking cookies is used to generate conversion statistics for the AdWords customers choosing conversion tracking. This is how customers are informed about the number of users who click on their ads and are sent to a page with a conversion tracking tag. However, they do not have access to information that would identify a user.

6. If you do not want to participate in conversion tracking, you can opt-out by disabling cookies on your browser. Thereafter, you will not be included in conversion tracking statistics.

7. 7. Further information and Google’s Privacy Statement can be found at www.google.de/policies/privacy/

 

4.

The use of Google Analytics

1. The controller uses the Google Analytics application, which is the web analytical service of Google Inc. (“Google”). Google Analytics uses so-called cookies, text files, which are saved on the user’s computer, thus, they facilitate the analysis of the use of the website visited by the user.

2. The information generated by the cookie related to the website used by the user is usually placed and stored on a Google server in the US.

By activating the IP anonymization on the website, Google will previously shorten the user's IP address within the Member States of the European Union or other States party to the Agreement on the European Economic Area.

3. The full IP address will be forwarded to Google’s server in the US and it will be shortened there only in exceptional cases. Google will use this information on behalf of the operator of the website to evaluate how the user has used the website, and to prepare reports related to the website activity to the operator of the website, and to provide further services related to the use of the website and internet.

4. 4. Within the framework of Google Analytics, the IP address transmitted by the user's browser is not reconciled with other Google data. The storage of cookies may be prevented by the user by using the appropriate settings of his or her browser, however, please note that in this case, some features of this website may not be fully operational.

You may also prevent Google from collecting and processing the cookie-related data related to the use of the website by the user (including also the IP address) by downloading and installing the browser plug-in available at the following link.

https://tools.google.com/dlpage/gaoptout?hl=hu

 

5.

Newsletter, DM activity

1. Pursuant to Article 6 of Act XLVIII of 2008 on essential conditions of and certain limitations to business advertising activity

(hereinafter: Advertising Act.), advertisements may be conveyed to natural persons as advertising recipients by way of direct contact, such as through electronic mail or equivalent individual communications only upon the express prior consent of the person to whom the advertisement is addressed.

2. Bearing in mind the provisions of this Policy, the customer agrees to the Service Provider processing his or her personal data required for sending promotional offers.

3. The Service Provider does not send unsolicited advertising, and the user may, without limitation or justification, unsubscribe from sending offers. In this case, the Service Provider will delete all personal data required for sending advertising messages from its register and will not contact the user with any further advertising offers. The user can unsubscribe from ads by clicking on the link in the message.

4. The fact of data collection, the type of data processed and the purpose of processing:

 

Personal data    The purpose of processing Name, e-mail address.    Identification, enabling the subscription to the newsletter.

Date of subscription    Implementation of technical operation.

IP address at subscription    Implementation of technical operation.

1. Data subjects: All data subjects subscribing to the newsletter.

2. The purpose of processing: sending electronic messages (e-mail, text, push messages) containing advertising to the data subject, providing information on current information, products, promotions, new features, etc 3. The duration of processing, time limit for the erasure of data: data will be processed until the withdrawal of consent, that is until unsubscription.

4. The possible controllers authorized to access the data, the recipients of personal data: The personal data may be processed by the controller’s sales and marketing staff, subject to the above principles.

5. The legal basis for data processing: consent of the data subject, point (a) of Article 6 (1), and Article 6 (5) of the Advertising Act.

 

6.

Complaint handling

1. The fact of data collection, the type of data processed and the purpose of processing:

Personal data    The purpose of processing First name and surname    Identification, maintaining contact.

E-mail address    Maintaining contact.

Phone number    Maintaining contact.

Billing name and address    Identification, handling of quality claims, questions and issues arising in connection with the ordered products.

1. Data subjects: All data subjects shopping on the website of the web store and submitting a quality claim, complaint.

2. The duration of processing, time limit for the erasure of data:

Pursuant to Article 17/A (7) of Act CLV of 1997 on consumer protection

(hereinafter: Consumer Protection Act), copies of the minutes, transcription on the claim and the response thereto shall be retained for 5 years.

3. The possible controllers authorized to access the data, the recipients of personal data: The personal data may be processed by the controller’s customer service representatives, subject to the above principles.

4. The legal basis for data processing: point (c) of Article 6 (1) GDPR and Article 17/A (7) of the Consumer Protection Act.

5. We hereby inform you that

* the provision of personal data is based on a contractual obligation.

* the processing of personal data is a prerequisite for the conclusion of the contract.

* you must provide personal data in order to enable us to process your complaint.

* failure to provide the information will result in us not being able to process your complaint we have received.

 

7.

Social networks

1. The fact of data collection, the type of data processed: name of the person registered on the social networks Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, etc., and the public profile picture of the user.

2. Data subjects: All data subjects who have registered on the social networks Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, etc., and “liked” the website.

3. The purpose of data collection: The sharing, liking or promoting certain contents, products, promotions of the website or the website itself on social networks.

4. The duration of processing, time limit for the erasure of data, the possible controllers authorized to access the data and the description of the data subjects’ rights related to the processing of data: The data subject can find information on the source of the data, the processing thereof, the way of transmission and the legal basis thereof on the relevant social networks. Processing is performed on social networks, so the duration and way of processing and the options for erasing and modifying data are governed by the rules of the given social network.

5. The legal basis for processing: the freely given consent of the data subject to the processing of his or her personal data on social networks.

 

8.

Customer relationships and other processing of data 1. Should questions arise or should the data subject have any problems when using our data processing services, you may contact the controller in the ways specified on the website (telephone, e-mail, social networks, etc.).

2. The controller shall erase the incoming e-mails, messages, data provided on telephone, Facebook, etc., along with the name and e-mail address of the interested party, as well as any other freely given personal data of the interested party, no later than 2 years from the disclosure of data.

3. The Controller will provide information on data processing not listed in this Policy upon the recording of data.

4. The Service Provider is obliged to provide information, disclose and transmit data and provide documents upon exceptional request of an authority or upon request of other bodies based on the authorization by law.

5. In these cases, the Service Provider will provide the requesting party with personal data only to the extent necessary for achieving the purpose of the request, provided that the exact purpose and scope of the data have been indicated.