Privacy Policy
I. Introduction
This Privacy Policy concerns the processing of personal data during the provision of online services, the provision of information on direct marketing, the sending of newsletters, market research, market analyses and the production of statistics (Services) by Aphrodite 97 Kft. (office: 34 Ankara Street, Budapest, 1045; business registration number: 01 09 567793, EU tax number: HU12239715) (Data controller). This policy shall also apply to any further cases and services to which the Data controller applies its provisions.
This Privacy Policy contains the principles and practices followed by the Data controller, the types of personal data processed by the Data controller, the purpose of the data processing, as well as the ways in which the Data subjects shall exercise their rights.
Our Data processing procedure is in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
II. Legal basis of data processing
1. The recording and processing of personal data is based on the consent of the Data subject who uses the Service. The Data subject provides his or her consent by making use of the Service, or its sub-services (for example opening the website, registration, answering a question, sharing a comment, making an order, etc.), by the initiation of its usage, by using or ordering the Service.
2. Personal data may be processed under the following circumstances:
• when the data subject has given his consent, or
• when processing is necessary as decreed by law or by a local authority based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest
3. Personal data may be processed also if obtaining the data subject's consent is impossible or it would give rise to disproportionate costs, and the processing of personal data is necessary:
a) for compliance with a legal obligation pertaining to the data controller, or
b) for the purposes of the legitimate interests pursued by the controller or by a third party and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.
4. If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time such reasons persist, to protect the vital interests of the data subject or of another person, or in order to prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
5. The statement of consent of minors over the age of sixteen shall be considered valid without the permission or subsequent approval of their legal representative.
6. Where processing under consent is necessary for the performance of a contract with the controller in writing, the contract shall contain all information that is to be made available to the data subject under this Act in connection with the processing of personal data, such as the description of the data involved, the duration of the proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a data processor. The contract must clearly indicate the data subject's signature and explicit consent for having his data processed as stipulated in the contract.
7. Where personal data is recorded under the data subject's consent, the controller shall - unless otherwise provided for by law - be able to process the data recorded where this is necessary:
• for compliance with a legal obligation pertaining to the controller, or
• for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data, without the data subject's further consent, or after the data subject having withdrawn his consent.
III. Purposes of data processing
1. Personal data may be processed only for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness and fairness.
2. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.
IV. Other principles of data processing
1. In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall - in particular - be considered identifiable if the data controller is in possession of the technical requirements which are necessary for identification.
2. The accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the up-to-datedness of the data must be provided for throughout the processing operation, and shall be kept in a way to permit identification of the data subject for no longer than is necessary for the purposes for which the data were recorded.
V. Functional data processing
1. The processed data are:
• Username
• password
• First name and surname
• e-mail address, telephone number
• invoicing address
• delivery address
• name of contact person
• time of registration
• IP address from which the registration happened.
2. Data subjects are: All the Users who are registered on www.aphroditebeautyshop.com website are data subjects.
3. The purpose of data collection:
• Provision of online services by the Data controller – e.g. creation of a contract about service provision, defining its content, or the invoicing of charges from the service
• Provision of information with the purpose of direct marketing, sending of newsletter based on the specific consent of the Data subject given during the registration
• Processing of the Data subject's personal data for the purpose of market research, market analyses, production of statistics based on the specific consent of the Data subject given during the registration.
4. The duration of the Data processing, the deadline of the Data erasure: The Data processing starts on the day of the registration and ceases with its deletion, except for the cases of accounting documents as these should be kept for 8 years according to Section 169 § (2) of Act C of 2000 on Accounting.
5. The person of possible Data processors entitled to learn the data: Personal data shall be processed by the employees of the Data controller, in accordance with the principles contained in Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
6. Informing the Data subjects about the rights of the Data subject related to Data processing: The erasure or modification of personal data can be initiated by the Data subject in the following ways:
• by post, to the mailing address 34 Ankara Street, Budapest, 1045 (Hungary)
• via e-mail to the e-mail address [email protected].
7. The legal basis of data processing: The legal basis of the Data processing is the consent of the Users who register on the website www.aphroditebeautyshop.com
VI. Cookie policy
1. The cookies used by the webshops are the so-called "cookies used for password protected session", "cookies necessary for the shopping cart" and "safety cookies", for the usage of which it is not necessary to request consent in advance from the Data subjects.
The computer of each visitor to the website is identified by cookies. In order for all content to be visible to the user, cookies must be enabled. Accordingly, cookies may be placed on the visitor's computer during the download of some parts of this website. These cookies are essential for the operation of some functions of the webshop.
Cookies are small text files stored on your computer by your browser. When this occurs the Operator does not send any notification to the Customer.
The Operator uses two kinds of cookies:
- Session cookies: these are automatically deleted after the Customer's visit of the page. These cookies are for the more efficient and more secure operation of the Operator's webshop, they are essential for the proper operation of some functions or applications of the webshop.
- Persistent cookies: these are used by the Operator in order to be able to provide better user experience to the Customer (e.g. optimized navigation). These cookies are stored for longer periods of time by the browser. The length of the period of time is determined by the settings of the Customer's browser. With these cookies the Operator collects data, not storing names, for marketing and optimization. These cookies are used so that the Operator can identify the special requirements of particular customer groups and send them personalised promotions. The Operator does not use the data to personally identify the Customer. Naturally the Customer can at any time disable such usage of these data via any of the contact details of the Operator mentioned above.
The abovementioned information can be used by the Operator for the sake of the website's operation, for sending customized newsletters or for statistical purposes.
Most browsers' menus contain a "Help" function, which can give you information on
- how you can disable cookies,
- how to accept new cookies,
- how you can make your browser set new cookies, or
- how to turn off other cookies.
The cookies used in the Webshop do not cause harm to the Customer's computer, and do not contain viruses.
Primarily it is the Operator and its inner employees who are entitled to learn these data, which they do not disclose to third parties, they only use and can use these data for the purposes mentioned above.
2. The processed data are:
• the unique identification number of the User,
• dates and times related to the usage of the Service.
3. The Data subjects are: Every subject who visits the website.
4. The purpose of Data processing is:
• the identification of the Users, keeping a record of the "shopping cart"
• the follow up of the activities carried out on the website by its visitors in order to assess the habits of customers.
5. The duration of the Data processing, the deadline of the Data erasure: In the case of session cookies, the Data processing lasts until the end of the visit to the website.
6. The person of possible Data processors entitled to learn the data: Personal data shall be processed by the employees of the Data controller, in accordance with the principles contained in Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
7. Informing the Data subjects about the rights of the Data subject related to Data processing: The Data subject can delete the cookies in the Options/Settings panel in their browser, usually under the settings of 'Privacy'.
8. The legal basis of Data processing: The consent of the Data subject is not needed if the only purpose of the usage of cookies is the transmission of a communication over an electronic communication network or if it is essential for the provision of the service that is related to the information society requested by the subscriber or user.
9. The Data controller keeps track of the data related to the page views of the webshop using the service of Google Analytics. During the usage of the service data is being processed. These processed data are not able to identify the Data subject. More information on the privacy policy of Google can be found on the following site: http://www.google.hu/policies/privacy/ads/.
VII. Newsletter, Direct Marketing Activity
1. According to Section 6 of the Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity Users can give their preliminary consent, clearly and expressly, to being contacted by the Data controller with advertisements and other mails on the contact details (e.g. e-mail or telephone number) provided by the User during registration.
2. According to this privacy policy the Users can give their consent to their personal data that is necessary for sending advertisements being processed by the Data controller.
3. The Data controller does not send advertisements that are unrequested, and the User can unsubscribe from receiving these offers free of charge and without any limitation and without the need for the withdrawal to be reasoned. For such a case, the name and the personal data of the person making the statement shall immediately be deleted from the record and thereafter no advertisements may be communicated to the User. The User may unsubscribe from receiving advertisements by clicking on the link in the message.
4. The fact of Data processing, the processed data are:
• name
• e-mail address
• telephone number
• dates and times related to the usage of the Service.
5. Data subjects are: Users who subscribe to the newsletter.
6. The purpose of Data processing:
• sending messages (e-mail, text, push message) that contain advertisement to the Data subject
• providing information on the latest information, products, new functions, etc.
7. The duration of the Data processing, the deadline of the Data erasure: The duration of the Data processing starts on the day of registration and lasts until the withdrawal of consent, namely until unsubscribing.
8. The person of possible Data processors entitled to learn the data: Personal data shall be processed by the employees of the Data controller, in accordance with the principles contained in Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
9. Informing the Data subjects about the rights of the Data subject related to Data processing: The Data subject may unsubscribe from the newsletter at any time, free of charge.
10. The legal basis of Data processing: the voluntary consent of the Data subject.
VIII. Facebook
1. The fact of Data processing, the processed data are: The name of the User that is registered on www.facebook.com social media site, as well as the public profile picture of the User.
2. Data subjects are: Those who are registered on the Facebook.com social media site and liked the website.
3. The purpose of the Data processing: The sharing and liking of the website or the content elements, products, sales of the website on www.facebook.com.
4. The duration of the Data processing, the person of possible Data processors entitled to learn the data and informing the Data subjects about the rights of the Data subject related to Data processing: The data subject may receive information on the source and processing of the data, as well as the way and legal basis of the data's transfer on the following link: http://www.facebook.com/about/privacy/.
5. Informing the Data subjects about the rights of the Data subject related to Data processing: The Data processing is implemented on www.facebook.com website, therefore the legal terms of facebook.com social media site are applicable for the following: the duration and the method of Data processing, possibilities of data erasure and modification. The legal terms of facebook.com can be viewed on the following link:
http://www.facebook.com/legal/terms?ref=pf, http://www.facebook.com/about/privacy/.
6. The legal basis of the data processing: The voluntary consent of the Data subject to the processing of his or her personal data on Facebook.com.
IX. Data transfer
1. The fact of Data processing, the processed data are:
• Data transferred for the purpose of the completion of the delivery are: Name, address, telephone number, name of the product, amount to be paid.
• Data transferred for the purpose of the completion of the online payment: Name, address, the transaction's amount, the transaction item.
2. Data subjects are: Users who request delivery.
3. The purpose of the Data processing: The delivery of the ordered product.
4. The duration of the Data processing, the deadline of the Data erasure: The duration of the Data processing starts with the usage of the Service and lasts until the delivery is completed, the receipt of the product.
5. The person of possible Data processors entitled to learn the data: Personal data shall be processed by the following, in accordance with the principles contained in Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information:
GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
mailing address: GLS 2 Európa Street, Alsónémedi, 2351
telephone number: (+36 29) 88 66 70
fax: (+36 29) 88 66 10
e-mail: [email protected]
privacy policy: https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat
6. Informing the Data subjects about the rights of the Data subject related to Data processing: The Data subject may request the deletion of his or her personal data from the delivery/online payment service provider's data processor.
7. The legal basis of the data processing: The legal basis of the data processing is the voluntary consent of the Users registered on www.aphroditebeautyshop.com website.
8. The Data controller is not liable for any damage caused by the delivery/online payment service provider's data processor.
X. Data security
1. Controllers shall make arrangements for and carry out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects.
2. Controllers, and within their sphere of competence, data processors must implement adequate safeguards and appropriate technical and organizational measures to protect personal data, as well as adequate procedural rules to enforce the provisions of Act CXII of 2011 and other regulations concerning confidentiality and security of data processing.
3. Data must be protected by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
4. For the protection of data sets stored in different electronic filing systems, suitable technical solutions shall be introduced to prevent - unless this is permitted by law - the interconnection of data stored in these filing systems and the identification of the data subjects.
5. In respect of automated personal data processing, data controllers and processors shall implement additional measures designed to:
a) prevent the unauthorized entry of data;
b) prevent the use of automated data-processing systems by unauthorized persons using data transfer devices;
c) ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data transfer devices;
d) ensure that it is possible to verify and establish which personal data have been entered into automated data-processing systems and when and by whom the data were input;
e) ensure that installed systems may, in case of malfunctions, be restored; and
f) ensure that faults emerging in automated data-processing systems are reported.
6. In determining the measures to ensure security of processing, data controllers and processors shall proceed taking into account the latest technical development and the state of the art of their implementation. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable hardship for the data controller.
XI. Rights of data subjects
1. The data subject may request from the data controller information on his personal data being processed, the rectification of his personal data, and the erasure or blocking of his personal data, save where processing is rendered mandatory.
2. Upon the data subject's request the data controller shall provide information concerning the data relating to him, including those processed by a data processor on its behalf or according to his/her notice, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and - if the personal data of the data subject is made available to others - the legal basis and the recipients.
3. With a view to verifying legitimacy of data transfer and for the information of the data subject, the data controller shall maintain a transmission log, showing the date and time of transmission, the legal basis of transmission and the recipient, description of the personal data transmitted, and other information prescribed by the relevant legislation on data processing.
4. Data controllers must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject's request, within not more than thirty days. The information shall be provided free of charge.
5. At the request of the User the Data controller must provide information about the data processed by the controller, as well as its source, the purpose, the legal basis and duration of data processing, the name and address of a data processor, as well as his activities related to the data processing, furthermore – in case of the transfer of the Data subject's personal data – about the legal basis and addressee of the data transfer. The Data controller must provide the information in a written and in an accessible language in the shortest possible time from the submission of the request, but within not more than thirty days. The information shall be provided free of charge.
6. Where personal data is deemed inaccurate, and the correct personal data is at the controller's disposal, the data controller shall rectify the personal data in question.
7. Personal data shall be blocked instead of erased if so requested by the data subject, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be processed only for the purpose which prevented their erasure.
8. Personal data shall be erased if processed unlawfully; if it is requested by the data subject; if it is incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision of an act; if the purpose of processing no longer exists or the legal time limit for storage has expired; if so ordered by court or by the Hungarian National Authority for Data Protection and Freedom of Information.
9. If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of referencing.
10. When data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of processing.
11. If the data controller refuses to comply with the data subject's request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within thirty days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.
XII. Legal remedy
1. The data subject shall have the right to object to the processing of data relating to him:
a) if processing or disclosure is carried out solely for the purpose of discharging the controller's legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;
b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
c) in all other cases prescribed by law.
2. In the event of objection, the controller shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of its decision. If, according to the findings of the controller, the data subject's objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.
3. If the data subject does not agree with the decision taken by the controller, the data subject shall have the right under Section 22 to turn to court within thirty days of the date of delivery of the decision. The court shall hear such cases in priority proceedings.
4. The data subject may file complaints against the violation of the controller to the Hungarian National Authority for Data Protection and Freedom of Information:
Hungarian National Authority for Data Protection and Freedom of Information
22/C. Szilágyi Erzsébet fasor, Budapest, 1125
Mail address: 1530 Budapest, PO Box: 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: [email protected]
XIII. Judicial remedy
1. The burden of proof to show compliance with the law lies with the data controller. The burden of proof concerning the lawfulness of transfer of data lies with the data recipient.
2. The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought before the tribunal in whose jurisdiction the data subject's home address or temporary residence is located.
3. Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such actions. The Authority may intervene in the action on the data subject's behalf.
4. When the court's decision is in favour of the plaintiff, the court shall order the controller to provide the information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated data-processing systems, to respect the data subject's objection, or to disclose the data requested by the data recipient.
5. If the court rejects the petition filed by the data recipient, the controller shall be required to erase the data subject's personal data within three days of delivery of the court ruling. The controller shall erase the data even if the data recipient does not file for court action within the time limit.
6. The court may order publication of its decision, indicating the identification data of the controller as well, where this is deemed necessary for reasons of data protection.
XIV. Compensation
1. Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by any breach of data security requirements. The data controller shall also be liable for any damage caused by a data processor acting on its behalf. The data controller may be exempted from liability if he proves that the damage was caused by reasons beyond his control.
2. No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part of the aggrieved party.
XV. The operator of the website
www.aphroditebeautyshop.com website is operated by Aphrodite 97 Kft. (office: 34 Ankara Street, 1045 Budapest, business registration number: 01 09 567793, EU tax number: HU12239715), all data is stored on a secure server by www.aphroditebeautyshop.com