Data management policy

Privacy policy for websites www.koffeinroasters.hu and www.koffeinservice.hu

Valid: from October 7, 2020 until revoked

‍Data controller:

Name: Koffein Group Kft. Represented by: Máté Pintér

Registered office:

1023 Budapest, Bécsi út 3-5. 5. 56.

Postal address: 1023 Budapest, Bécsi út 3-5. 5. 56.

Customer service telephone number: 061/206-1881

Customer service email address: hello@koffeinroasters.hu, info@koffeinservice.hu

Receiving Hours: Monday to Friday, 8 a.m. to 4:30 p.m.

The data controller is not required to appoint a data protection officer.

Name and purpose of the data processing

Legal basis for data processing

Scope of data processed

Duration of data processing

Data processing related to establishing contact:

User identification, Contacting the User

Consent of the data subject

GDPR Article 6(1)(a).

For 24 hours after the duration of the relationship.

Privacy policy related to orders:

Sale of products and services on the website, identification of the customer, fulfillment of contractual obligations, GDPR Article 6(1)(b). Customer's first and last name, telephone number, email address, Messenger, Skype, ID 5 years from the conclusion of the contract created by sending the order. (Act V of 2013 on the Civil Code ("Ptk.") Section 6.22 (1)), given that civil law claims expire after 5 years.

Payment transaction:

Conducting the data communication necessary for payment transactions between the service provider and the payment service provider's system, ensuring the traceability of transactions.

Consent of the data subject Article 6(1)(a) of the GDPR.

The account holder's name, billing address, telephone number, email address, the price of the service purchased, the transaction amount, and the date.

The bank account number and bank card details are provided by the Data Subject through their own bank.

The Data Controller does not process or store invoice or card details.

For the purposes of contract fulfillment, for a maximum of 8 years following the issuance of the accounting document (in accordance with Section 166(6) of the Accounting Act, Section 169(1) of the Accounting Act).

‍Communication with the customer:

Information about orders and information about future products and offers

Legitimate interest

GDPR Article 6(1)(f)

Customer name, telephone number, email address, Messenger, Skype, ID.

Until the contract with the Customer remains in force or until the data subject prohibits the sending of general marketing messages, promotional offers, coupons, event invitations, i.e. until the right to object is exercised in accordance with Article 21(2)-(3) of the GDPR.

(Whichever comes first.)

‍Billing activity:

Proper issuance of invoices, retention of accounting documents

Compliance with legal obligations GDPR Article 6(1)(c).

Invoice name, address, tax number, email address, price of the service purchased, date of purchase: for 8 years after the issuance of the accounting document (in accordance with Section 166(6) of the Accounting Act, Section 169(1) of the Accounting Act).

‍Data privacy related to shipping:

Delivery of the ordered product to the customer

Fulfillment of contractual obligations

GDPR Article 6(1)(b).

Delivery name, delivery address, email address, telephone number.

5 years from the conclusion of the contract created by sending the order

(Section 6.22 (1) of Act V of 2013 on the Civil Code ("Ptk.")), given that civil law claims expire after 5 years.

Registration on the website

Registration is not mandatory, but by registering, customers can track and retrieve their orders.

Consent of the data subject

GDPR Article 6(1)(a)

Name, email address, telephone number, billing address, delivery address of the registrant

Until the data subject requests deletion

Content marketing, promotional offers, coupons, sending event invitations

Consent of the person concerned

GDPR Article 6(1)(a).

Subscriber's name, email address

Until the data subject requests deletion

Participation in prize draws

Promotion of products and websites, provision of winning benefits, delivery of prizes, consent of the data subject,

Article 6(1)(a) of the GDPR.

The data subject may withdraw their consent at any time, without conditions.)

Data specified in the competition rules.

(Typically name, email address, public social media profile. Postal address for prize delivery.)

Until the date specified in the competition rules.

(Typically until the end of the prize draw, until the date of delivery of the prize.)

Community building on social media platforms Consent of the data subject

Article 6(1)(a) of the GDPR.

(The data subject may withdraw their consent at any time, without conditions.)

Data subject's public profile data

Until the person concerned unsubscribes

‍ADDRESSEES (FURTHER DATA CONTROLLERS AND DATA PROCESSORS)

The Data Controller uses external Data Processors (Recipients) to perform certain tasks.

1.) HOSTING SERVICE (Ensuring the operation of the website, storing data generated during the use of the website)

Data Processor: Hostinger International Ltd.

Address: 61 Lordou Vironos Street, 6023 Larnaca, Cyprus

Tax number: 10301365E

Email address: hu@hostinger.com

Website: https://www.hostinger.hu/

Phone: +357 22232364

The data processor's privacy policy is available at: https://www.hostinger.hu/adatvedelem

The use of a data processor is necessary to make the website available and to ensure its proper functioning.

The data processor is responsible for storing the data. The data is stored on the data processor's server.

2.) PAYMENT BY BANK TRANSFER (Payment for the purchased product/service)

Data processor: Erste Bank Hungary Zrt. (head office address: 1138 Budapest, Népfürdő u. 24-26., Telephone: +36 (1) 298-0222, fax: +36 (1) 272-5160; e-mail address: adatvédelem@erstebank.hu)

The data processor's data management information is available at: https://www.erstebank.hu/hu/adatkezelesi

Data Processor is used because, in the case of bank transfers, the amount payable must be transferred to the Data Controller's bank account number held with the Data Processor.

The data processor receives the following data: 1. name of the bank account holder 2. bank account number 3. details of the account-holding bank

3.) PAYMENT SIMPLEPAY Service (Payment for the ordered service by credit card)

Data controller: OTP Mobil Szolgáltató Kft. (Address: 1143 Budapest, Hungária krt. 17-19

Data protection officer contact details: dpo@otpmobil.comAdatfeldolgozó Data processing information is available at: https://simplepay.hu/wp-content/uploads/2020/09/SimplePay_b2c_adatkezelesi_tajekoztato_hun_20201001.pdf

Data controller is used to enable payment for the ordered product/service by credit card.

The data processor receives the following data:

When using the credit card payment function of the SimplePay Service, the Buyer enters their card details, i.e. the name on the card, card number, expiry date, name of the card-issuing bank and CVC/CVV security code, on the online interface provided for this purpose.

SimplePay processes this card data as the Merchant's data processor, and OTP Bank Nyrt. and Borgun hf., which provide the bank card acceptance background behind the SimplePay service, have access to this data as independent data controllers.

The merchant does not have access to the card details.

4.) INVOICING SERVICE (Proper issuance of invoices, management of outstanding payments)

Data processor: KBOSS.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (KBOSS.hu Kft.) Contact details: 1031 Budapest, Záhony utca 7.

E-mail: dpo@kboss.huAdatfeldolgozó's data processing policy is available at:https://www.szamlazz.hu/adatvedelem/

Data processor is used for the purpose of issuing invoices in accordance with the regulations and forwarding them to the National Tax and Customs Administration (NAV). The data processor receives the following data: Billing name, address/registered office, tax number, e-mail address (if included on the invoice)

Data processor: MiniCRM Zrt. Contact details: 1075 Budapest, Madách Imre út 13-17.

E-mail: help@minicrm.hu

The data processor's data management policy is available at: https://www.minicrm.hu/adatvedelem/ Data processor is used for the purpose of issuing invoices in accordance with the rules and managing outstanding debts. The data processor receives the following data: billing name, address/registered office, tax number, email address (if indicated on the invoice).

5.)ACCOUNTING SERVICES (Checking the correctness of invoices, storing accounting documents) Data processor: TONIAGROUP Kft. Contact details: 2030 Érd, Nagy Lajos utca 89. 1115 Kelenföldi út 2. 061/200-1340The Data Processor is used for checking the correct issuance of invoices and retaining accounting documents. The Data Processor receives the following data: Billing name, address/registered office, tax number, email address (if included on the invoice).

6.) POSTAL AND COURIER SERVICES (Delivery of ordered products)

1. Data processor: Magyar Posta Zrt. (registered office and postal address: 1138 Budapest, Dunavirág utca 2-6., telephone number: 06-1-767-8282, e-mail address: adatvedelem@posta.hu)        

The data processor's data management information is available at https://www.posta.hu/adatkezelesi_tajekoztato

Date processor was used to deliver the ordered product to the customer's home or a parcel collection point. The data processor receives the following data: 1. Recipient's name 2. Recipient's address 3. Recipient's telephone number 4. Recipient's e-mail address

Data processor: GLS General Logistics System Hungary Kft. (registered office and postal address: 2351 Alsónémedi, GLS Európa utca 2. Email address: adatvedelem@gls-hungary.com)                      

The data processor's data management information is available at:

https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat

Data processor was used to deliver the ordered product to your home or a parcel collection point.

The data processor receives the following data: 1. Recipient's name 2. Recipient's address 3. Recipient's telephone number 4. Recipient's email address

Data processor: iLogistic Logisztikai Kft. (registered office and postal address: 2051 Biatorbágy, Verebély László u. 2. telephone number: 06-23-804-211 e-mail address: penzugy@ilogistic.hu)

The data processor's data management information is available below:

https://ilogistic.hu/adatvedelmi-tajekoztato

Data processor is used to prepare the ordered product, issue an invoice, package the ordered product, and deliver it to the courier service. The data processor receives the following data: 1. Recipient's name 2. Recipient's address 3. Recipient's telephone number 4. Recipient's email address 5. Billing name 6. Billing address/registered office in the case of companies 7. Tax number in the case of companies

7.) RECEIVING AND SENDING MESSAGES Data processor: Messenger (Facebook) The data controller's data processing policy is available at: https://www.facebook.com/about/privacy/update  

The data processor is used for video calls and sending messages. When sending messages, the data subject may provide personal data other than their name, which they provide voluntarily on an ad hoc basis.

8.) RECEIVING AND SENDING E-MAILS Data processor: Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA. Phone number: +1 (425) 882 8080. The Data Processor's data processing policy is available at: https://privacy.microsoft.com/hu-hu/privacystatement The Data Processor is used to access correspondence and the data contained therein.

9.) SENDING NEWSLETTERS

Data processor: Markestic Kft. Contact details: 1085 Budapest, Rigó utca 6. 3. em. 19. hello@markestic.com

The data processor's data management policy is available here: https://markestic.com/hu/adatvedelem/ The data processor has access to the following data: Subscriber's name, Subscriber's email address

10.) APPEARANCE AND COMMUNICATION ON SOCIAL MEDIA (Facebook, Instagram)

Data processor: Facebook Inc., Menlo Park, California, USA (Facebook, Instagram)

The data processor's privacy policy is available at: https://www.facebook.com/about/privacy/update https://www.facebook.com/help/instagram/155833707900388/ The Data Processor is used to access the data subject's public profile, including their publicly available name and other data, public comments, shares, and other reactions, as well as to send messages via the social networking site. When sending messages via the social media site, the data subject may disclose personal data other than their name, which they have voluntarily provided on an ad hoc basis. The data controller also uses subcontractors to edit social media sites. Editors have access to the data subject's public profile, including their publicly provided name and other data, as well as their public comments, shares, and other reactions.

1. DATA TRANSFER TO THIRD COUNTRIES:

Among the data processors, Microsoft Corporation (e-mail service) and Facebook Inc. (community building, messaging) are based in third countries (the US).

These companies are listed in the European Commission's adequacy decision pursuant to Article 45 of the GDPR and Commission Implementing Decision 2016/1260, as well as in the US -EU Privacy Shield List, i.e. data transfers to these countries do not qualify as data transfers to third countries outside the European Union and do not require the specific consent of the data subjects, and data transfers to these countries are permitted under Article 45 of the GDPR. These companies have undertaken to comply with the GDPR.

III. AUTOMATED DECISION-MAKING AND PROFILING is not carried out on this website.

1. DATA SECURITY MEASUREMENTS:

The data controller plans and performs data processing operations in such a way that they ensure the protection of the privacy of data subjects in accordance with the GDPR and other legislation relating to data processing. The Data Controller shall ensure the security of the data and shall take the technical and organizational measures and establish the procedural rules necessary for the enforcement of the GDPR and other data protection and confidentiality rules. The Data Controller shall protect the data with measures proportionate to the risk, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, and inaccessibility resulting from changes in the technology used. In this context, the Data Controller stores the personal data of the data subject in a password-protected and/or encrypted database. The Data Controller protects the data with firewalls, antivirus programs, and encryption mechanisms in accordance with the risk.

‍YOUR RIGHTS IN RELATION TO THE PROCESSING OF YOUR DATA

The data subject's data protection rights and remedies, and their limitations, are set out in detail in the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, and 82 of the GDPR). The Data Subject may request information about their data at any time, request the correction, deletion, or restriction of their data at any time, and otherwise object to data processing based on legitimate interests.

The most important provisions are summarized below.

The Data Controller draws the Data Subject's attention to the following in particular:

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the legitimate interests of the Data Controller. In this case, the Data Controller may no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes. Where the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

1.) RIGHT TO INFORMATION:

If the Data Controller processes personal data relating to the Data Subject, the Data Controller shall provide the Data Subject with information – even without a request from the Data Subject – on the most important characteristics of the data processing, such as the purpose, legal basis, duration, identity and contact details of the Data Controller and its representative, the contact details of the data protection officer, the recipients of the personal data, in the case of data processing based on legitimate interest, the legitimate interest of the Data Controller and/or third party, and the Data Subject's rights and remedies in relation to data processing (including the right to lodge a complaint with the supervisory authority), and, if the Data Subject is not the source of the data, the source of the personal data and the categories of personal data concerned, if the Data Subject does not already have this information. The Data Controller shall provide this information by making this notice available to the Data Subject.

2.) ACCESS RIGHTS:

The data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and certain information about the processing, including the purposes of the processing, the categories of personal data concerned, the recipients of the personal data, the (planned) duration of the processing, the rights of the data subject and the possibilities for legal remedy (including the right to lodge a complaint with a supervisory authority), and, where the data are not collected from the data subject, information on their source. At the request of the Data Subject, the Data Controller shall provide the Data Subject with a copy of the personal data undergoing processing. The Data Controller may charge a reasonable fee based on administrative costs for any additional copies requested by the Data Subject. If the Data Subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the Data Subject requests otherwise. The right to request a copy shall not adversely affect the rights and freedoms of others.

3.) RIGHT TO CORRECTION:

The Data Subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to request that incomplete personal data be completed, including by means of providing a supplementary statement.

4.) RIGHT TO ERASE PERSONAL DATA:

The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay, and the Data Controller shall have the obligation to erase personal data concerning the Data Subject without undue delay, provided that certain conditions are met. Among other things, the Data Controller shall erase the personal data at the request of the Data Subject if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; if the Data Subject withdraws their consent on which the processing is based and there is no other legal basis for the processing; or the personal data has been unlawfully processed; or the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.

The above shall not apply if data processing is necessary: a) for exercising the right of freedom of expression and information; b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject; c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the right to erasure is likely to render impossible or seriously impair such processing; d) for the establishment, exercise or defense of legal claims.

5.) RIGHT TO RESTRICT DATA PROCESSING:

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

a) The Data Subject disputes the accuracy of the personal data, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use instead;

c) the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims; or

d) the Data Subject has objected to the processing; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the Data Controller take precedence over those of the Data Subject. If data processing is restricted on the basis of the above, such personal data may be processed, with the exception of storage, only with the consent of the Data Subject, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. If the restriction of data processing requested by the Data Subject is lifted, the Data Controller shall inform the Data Subject in advance.

6.) RIGHT TO OBJECT:

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the legitimate interests of the Data Controller. In this case, the Data Controller may no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes. Where the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

‍ RIGHT TO COMPLAIN:

In the event of a violation of your rights, you may lodge a complaint with the competent data protection supervisory authority (in Hungary, the National Authority for Data Protection and Freedom of Information; "NAIH") and exercise your right to judicial remedy. NAIH's contact details (Address: 1055 Budapest, Falk Miksa u. 9-11, mailing address: 1374 Budapest, Pf. 603. Tel: +36 1 391 1400, Fax: +36-1-391-1410, Email: ugyfelszolgalat@naih.hu, Website: http://naih.hu/

VII. MANAGEMENT OF COOKIES:

The data controller also informs data subjects that it uses cookies on its website. Cookies are files that store information in the data subject's web browser. Cookies are used to exchange information between the web server and the user's browser. The information sent by cookies facilitates the recognition of web browsers, so that users receive relevant and personalized content. Cookies make browsing more convenient. Cookies enable website operators to compile anonymous statistics about the habits of visitors to their website. Most cookies do not contain personal information and cannot be used to identify users. The stored data is necessary for more convenient browsing.

Websites may use the following types of cookies:

Temporary cookies, which remain on the data subject's device until they leave the website.

Persistent cookies, which remain on the data subject's device for a longer period of time, depending on the settings of the data subject's web browser, or until the data subject deletes them.

Third-party cookies, which are placed on the user's device by a third party. (e.g. Google Analytics). These are placed in your browser if the website you visit uses services provided by third parties.

Cookies can also be grouped as follows:

a) Essential cookies: These are essential for navigating the website and for the website's functions to work. Without accepting these, the website or parts of it may not display properly or at all.

b) Analytical or performance cookies: These help the Data Controller to distinguish between visitors to the website and collect data on how visitors behave on the website. They do not collect information that can identify the data subject, as the data is stored in aggregate and anonymously.

c) Functional cookies: These cookies are designed to improve the user experience. They detect and store, for example, the device used by the data subject to open the website, or the data previously provided by the data subject and requested to be stored. These cookies do not track the data subject's activity on other websites. However, the information they collect may include personal identification data that the user has shared.

d.) Targeted or advertising cookies: These enable the website to provide information that is most relevant to the interests of the data subject. This requires the express consent of the data subject, as these cookies collect detailed information about their browsing habits. This website records the IP address, time of visit, page visited, country of the visitor, browser version, and operating system type for analytical and security reasons. This is necessary for the purposes of legitimate interests, to provide an adequate level of service, and for analytical reasons.

The data controller uses cookies in accordance with the provisions of Eker tv., Info tv. and the GDPR.

Websites operating within the European Union, including the website operated by the Data Controller, must request the consent of users for the use of cookies and their storage on the user's computer or other device. Cookies can be deleted or disabled in the browser programs used. Browsers allow cookies by default. This can be disabled in the browser settings, and existing cookies can be deleted. In addition, the browser can be set to notify the user when a cookie is sent to the device.

However, it is important to note that disabling or restricting these files may impair your browsing experience and may cause errors in the functionality of the website. The settings options are usually found in the "Options" or "Settings" menu of your browser. Each web browser is different, so in order to find the appropriate settings, the Data Controller asks the data subject to use the "Help" or "Help" menu of their browser or to click on the relevant link below:

Internet Explorer: https://support.microsoft.com/hu-hu/help/17442/windows-internetexplorer-delete-manage-cookies

Firefox: https://support.mozilla.org/en-US/products/firefox/protect-yourprivacy/cookies

Chrome: https://support.google.com/chrome/answer/95647?hl=en

Safari: https://support.apple.com/kb/PH5042?locale=en_US

Mozilla: https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torleseszamito

The website uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics uses cookies, which are text files stored on your computer, to help analyze how you use the website. To disable anonymous Google Analytics cookies, you can install a so-called "Google Analytics plug-in" in your browser, which prevents the website from sending information about the Data Subject to Google Analytics.

Further information on this can be found at the following links: https://support.google.com/analytics/answer/6004245

https://policies.google.com/technologies?hl=hu

‍

‍