11th of March 2022.
SCUDERIA SA Kft. (hereinafter referred to as the „Service Provider”) processes the data of visitors to and registrants of the website www.scuderia-sa.com (hereinafter referred to as the „Website”).
In connection with the processing of data, the Service Provider hereby informs the Data Subjects about the personal data processed by the Service Provider on the Website, the principles and practices followed in the processing of personal data, as well as the ways and means of exercising the rights of the Data Subjects.
By using the Website, the Data Subject accepts the Privacy Notice and consents to the processing of personal data as set out below.
The Data Processing Policy is fully compliant with the legislation on data processing and has been developed taking into account the provisions of the following legislation:
Act CVIII of 2007 on certain aspects of electronic commerce services and information society services (Eker. tv.)
Data subject: any natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;
personal data: data that can be associated with a data subject, in particular his or her name, an identifier and the knowledge of one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inference that can be drawn from the data concerning that data subject;
- personal data revealing racial or ethnic origin, nationality, political opinions or political party affiliation, religious or philosophical beliefs, membership of an interest group or membership of a representative body, sex life,
- personal data concerning health, pathological addiction and personal data concerning criminal offences;
consent: a voluntary and freely given indication of the data subject’s wishes, based on adequate information, by which he or she signifies his or her unambiguous agreement to the processing of personal data concerning him or her, either in full or in relation to specific operations;
objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data;
data controller: the natural or legal person or unincorporated body, in this case the Service Provider, who, alone or jointly with others, determines the purposes for which the data are processed, takes and executes decisions regarding the processing (including the means used) or has them executed by a processor on its behalf;
‘processing’ means any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of further use, taking of photographs, sound recordings or images and physical features which permit identification of a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
transfer: making data available to a specified third party;
data erasure: rendering data unrecognisable in such a way that it is no longer possible to retrieve them;
‘processing’ means the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
third party: a natural or legal person or an unincorporated body other than the data subject or the controller
‘personal data breach’ means unlawful processing or processing of personal data, in particular unauthorised access, alteration, disclosure, transmission, disclosure, erasure or destruction, accidental destruction or accidental damage.
PURPOSE OF PROCESSING
The Service Provider uses the data provided by the Data Subject for a specific purpose:
- to fulfil orders in the webshop,
- Providing ordering conditions,
- maintaining contact,
- complaint handling,
- subsequent proof of the terms of the contract concluded and
- if the Data Subject has subscribed to a newsletter, store and process it for the purpose of sending the newsletter.
The data automatically collected are used for statistical purposes and for the technical development of the IT system.
The Service Provider will not use or may not use the personal data provided for purposes other than those specified above. The disclosure of personal data to third parties or public authorities, unless otherwise required by law, is possible with the prior express consent of the Data Subject.
In all cases where the Service Provider intends to use the data provided for purposes other than those for which they were originally collected, the Data Subject shall be informed thereof and shall obtain his or her prior explicit consent or be given the opportunity to prohibit such use.
DATA CONTROLLER’S DATA
SCUDERIA SA Kft., Hungary 2073 Tök, Kis sor 21.
Company registration number: 13 09 203935
Registrar of Companies: Court of Registration of the Metropolitan Court of Budapest
Tax number: 27317677213
DATA PROCESSORS’ DETAILS
salesforce.com EMEA Limited
Floor 26 Salesforce Tower, 110 Bishopsgate EC2N 4AY London, UK
Activity: contact information storage, profiling, email delivery, analytics and measurement services, behavioral advertising
Facebook Inc. (USA) Place of business: Menlo Park, California, USA Activity: Profiling, advertising, analytics and measurement services, behavioural advertising
Google LLC (USA) Place of business: Google Data Protection Office, 1600 Amphitheatre Pkwy. Mountain View, California 94043 Activity: profiling, advertising, analytics and measurement services, behavioural advertising
Data of the hosting provider:
M-TRADER Kereskedelmi és Szolgáltató KFT.
Cím: 1062. Budapest Bajza u. 58. II em. 5.
Tel.: +36 1 351-7566
Mobil: +36 30 948-6252
Activity: profiling, emailing, analytical and measurement services, behavioural advertising
In addition to the above, the transfer of personal data concerning the Data Subject may only take place in cases that are mandatory by law or on the basis of the Data Subject’s consent.
SCOPE OF THE DATA PROCESSED, PURPOSE, LEGAL BASIS AND DURATION OF THE PROCESSING
Visitors to the www.scuderia-sa.com website
The data processed: date and time, pages visited, IP address, data relating to the visitor’s computer settings (such as browser, operating system, screen resolution), the source page from which the visitor clicked through to the website, in a manner that does not allow the identification of the visitor’s personal data.
Purpose of processing.
5. § (1) a)),
Duration of processing.
The Service Provider and the designated third-party service providers place and read back a small data package, a so-called cookie, on the Data Subject’s computer in order to provide a personalised service. If the browser sends back a previously saved cookie, the service provider handling the cookie has the possibility to link the data saved during the Data Subject’s current visits with the data saved during previous visits, but only with regard to its own content.
The Service Provider uses the following cookie:
- Temporary (session) cookie: session cookies are automatically set after the Data Subject’s visit Persistent (persistent) cookie: persistent cookies are also used by the Service Provider to provide a better user experience (e.g. to provide optimised navigation). These cookies are stored for a longer period of time in the browser’s cookie file. The duration of this period depends on the settings of the Data Subject’s internet browser.
- The „Help” function in the menu bar of most browsers provides information on whether the Data Subject’s browser
- will be deleted. These cookies are used to enable the Service Provider’s Website to function more efficiently and securely, and are therefore essential to enable certain features of the Website or certain applications to function properly.
- how to disable cookies,
- how to accept new cookies,
- how to instruct your browser to set a new cookie, or
- how to turn off other cookies.
Cookies set by Google Analytics (cookies)
The analytical information collected by Google Analytics cookies is transmitted to and stored by Google on its servers. This information is processed by Google on behalf of the operator of the website in order to evaluate users’ browsing habits, compile reports on the frequency of use of the website and provide other services related to the use of the website for the website operator. The IP address transmitted via the browser in the context of the Google Analytics application will not be combined with other data by Google.
Google Analytics uses the following cookies for analytical purposes:
web tracking __utma used to distinguish visitors and sessions, which is saved by the web tracking service Google Analytics (3rd party) 2 years
web tracking __utmt used to control the retrieval rate, saved by the web tracking service Google Analytics (3rd party) 10 minutes
web tracking __utmv is used to store individual variable data at the user level, downloaded from the Google Analytics web tracking service (3rd party) 2 years
web tracking __utmb is used to identify new sessions and visitors, downloaded from Google Analytics web tracking service (3rd party) 30 minutes
web tracking __utmc not currently used, used to interact with urchin.js, downloaded from Google Analytics web tracking service (3rd party) end of browser session
web tracking __utmz is used to store the traffic source or campaign that identifies the source of the visit, downloaded by the Google Analytics web tracking service (3rd party) 6 months
web tracking (tracking) ga-disable-<ID> saved when opt-out function is used, which overrides tracking by Google Analytics until 2100
For more information on the cookies used by Google, please visit http://www.google.com/policies/technologies/ads/
Google’s privacy statement can be found at http://www.google.com/intl/hu/policies/privacy/.
The Website may also contain links to external servers (not managed by the Service Provider) and the sites accessible through these links may place their own cookies or other files on your computer, collect data or request personal information. The Service Provider excludes all liability for these.
When subscribing to newsletters on the www.scuderia-sa.com websites or on the websites of the Data Controller’s business partners, the following data are recorded: name, e-mail address, date of subscription, IP address of subscription, date of confirmation of subscription, IP address of confirmation, newsletter openings, clicks on links in newsletters.
PURPOSE OF PROCESSING: SENDING NEWSLETTERS
Legal basis for processing. (§ 5 (1) a)) of the GDPR, Article 5 (1) a)) and Article 5 (1) a) of the Grt. 6. §-a.
Duration of data processing.
The data controller informs the user that failure to provide the above personal data will result in the registration being unsuccessful and the user will not receive the newsletter.
The deletion of the data will be carried out upon the user’s request by sending an e-mail to email@example.com. The Company shall delete the data within 5 working days of receipt of the request. The user has the right to withdraw his consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.
The data controller shall take all necessary steps to ensure the security of personal data provided by users, both during network communication and during storage and retention.
Possibility to unilaterally modify the privacy statement
The data controller reserves the right to unilaterally modify this privacy statement, with prior notice to users. Once the amendment has entered into force, the user accepts the amended privacy statement in force by his or her own free will. The amendment shall not affect the data protection obligations provided for by law.
RIGHTS OF THE USER AND THEIR ENFORCEMENT
The data subject may request from the controller (a) information about the processing of his/her personal data, (b) rectification or restriction of the processing of his/her personal data, and (c) erasure or blocking of his/her personal data, except for mandatory processing.
At the request of the data subject, the controller shall provide information on whether or not his or her personal data are being processed and, if so, on the data processed by the controller, the source of the data, the purposes of the processing, the categories of personal data concerned, the envisaged storage period, the name and address of the processor and the activities of the processor in relation to the processing, the circumstances and effects of the personal data breach and the measures taken to remedy it, and, in the case of a transfer of personal data, the legal basis and the recipient of the transfer. The controller shall provide the data subject with a copy of the personal data which are the subject of the processing, for which service the controller may charge a reasonable fee based on administrative costs. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
The controller shall keep a register for the purpose of monitoring the measures taken in relation to the personal data breach and informing the data subject, which shall include the scope of the personal data concerned, the number and categories of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the legislation providing for the processing.
A data controller subject to the Electronic Communications Act may also fulfil the obligation set out in the above paragraph by keeping a register of personal data breaches as provided for in the Electronic Communications Act.
The data controller shall provide the information in writing in an intelligible form within the shortest possible time from the date of the request, but not later than 30 days. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the user of the extension, stating the reasons for the delay, within one month of receipt of the request. The information shall be provided free of charge if the person requesting the information has not yet submitted a request for information to the controller in the current year for the same set of data. In other cases, a fee may be charged. The amount of the charge may be fixed in a contract between the parties. Any compensation already paid shall be refunded if the data have been processed unlawfully or if the request for information has led to a correction. The data controller may refuse to provide the data subject with information only in the cases provided for in Article 9(1) and Article 19 of the Act.
In the event of refusal to provide information, the controller shall inform the data subject in writing of the provision of this Act on the basis of which the information was refused. In the event that the controller does not take action on the request of the data subject, the controller shall inform the user within a maximum of one month, stating the reasons for the failure to take action.
The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification by the controller of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, inter alia, by means of a supplementary declaration
The data subject shall have the right to obtain from the controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the controller shall be obliged to erase personal data relating to him or her without undue delay where one of the following grounds applies: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws his or her consent to the processing of personal data in accordance with Article 6. (b) the data subject has withdrawn his or her consent to the processing pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing; (c) the data subject has withdrawn his or her consent pursuant to Article 21. (d) the personal data have been unlawfully processed; (e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject; (f) the personal data have been collected in connection with the provision of information society services referred to in Article 8(1) of the GDPR. Where the controller has disclosed the personal data and is required to erase it pursuant to the above paragraph, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question. The above shall not apply where the processing is necessary: a) for the exercise of the right to freedom of expression and information; b) for compliance with an obligation under Union or Member State law to which the controller is subject to fulfil an obligation to process personal data or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for the exercise of a task carried out in the exercise of official authority vested in the controller by virtue of Article 9 of the GDPR; d) for the exercise of the right to inform the data subject about the processing of personal data; e) for the exercise of the rights referred to in Article 9 of the GDPR. (h) and (i) of Article 9(2) and Article 9(3) of the GDPR on grounds of public interest in the field of public health; d) in accordance with Article 89. in accordance with Article 89(1) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right to erasure would be likely to render impossible or seriously impair such processing; or e) for the establishment, exercise or defence of legal claims: (a) the data subject contests the accuracy of the personal data, in which case the restriction shall be for a period of time which allows the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use; (c) the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or (d) the data subject has been informed of the processing in accordance with Article 21 of the GDPR. (d) the data subject has objected to the processing pursuant to Article 21(1) of the GDPR; in this case, the restriction shall apply for the period until it is established whether the controller’s legitimate grounds override the data subject’s legitimate grounds. Where processing is subject to a restriction as referred to above, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State. The controller shall inform in advance the data subject at whose request the processing has been restricted on the basis of the above of the lifting of the restriction.
The rectification, restriction and erasure shall be notified to the data subject and to all recipients to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of those recipients at his or her request. In the context of the present processing, the data subject shall have the right to receive personal data relating to him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance by the controller, since the processing is based on consent; and the processing is automated. In exercising the right to data portability, the data subject has the right to request, where technically feasible, the direct transfer of personal data between controllers. This right must not adversely affect the rights and freedoms of others.
In the context of the present processing, the data subject should not be entitled to be excluded from the scope of a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, given that the processing is based on the data subject’s explicit consent. However, the controller must take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. The information provided to the data subject shall clearly and prominently describe the nature of the personal data breach and shall include at least the information and measures referred to in Article 33(3)(b), (c) and (d) of the GDPR. The data subject need not be informed if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures and those measures have been applied in relation to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data; (b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise; (c) the provision of information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by means of a similar measure which ensures that the data subjects are informed in an equally effective manner.
Where the controller does not comply with a data subject’s request for rectification, blocking or erasure, it shall, within 30 days of receipt of the request, provide in writing the factual and legal reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.
The above rights of the data subject may be restricted by law in the interests of the external and internal security of the State, such as defence, national security, the prevention or prosecution of criminal offences, the security of law enforcement, the economic or financial interests of the State or of a local authority, the important economic or financial interests of the European Union, the prevention and detection of disciplinary or ethical offences in connection with the exercise of the profession, infringements of labour law or of the protection of the rights of others, including in all cases control and supervision, and the protection of the data subject or of the rights of others.
The data subject may object to the processing of his or her personal data (a) where the processing or transfer of the personal data is necessary for the fulfilment of a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller, the recipient or a third party, except in cases of mandatory processing; (b) where the personal data is used or transferred for direct marketing, public opinion polling or scientific research; and (c) in other cases provided for by law.
The controller shall examine the objection, decide whether it is justified and inform the applicant in writing of its decision within the shortest possible time from the date of the request, but not later than 15 days.
If the controller establishes that the data subject’s objection is justified, the controller shall terminate the processing, including further collection and further transmission, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data covered by the objection have been previously disclosed and who are obliged to take measures to enforce the right to object.
If the data subject disagrees with the decision of the controller or if the controller fails to comply with the time limit, the data subject may, within 30 days of the notification of the decision or the last day of the time limit, have recourse to the courts.
If the data subject does not receive the data necessary to exercise his or her rights because the data subject objects, he or she may, within 15 days of the notification, take legal action against the controller in order to obtain the data. The controller may also take the data subject to court.
If the controller fails to give the notification, the data subject may request the controller to provide information on the circumstances surrounding the failure to disclose the data, which the controller shall provide within 8 days of the service of the data subject’s request. In the event of a request for clarification, the data subject may bring an action against the controller before a court within 15 days of the date on which the clarification was provided, but no later than the time limit for the provision of clarification. The controller may also bring legal proceedings against the data subject.
The controller may not erase the data subject’s data if the processing is required by law. However, the data may not be transferred to the data recipient if the controller has consented to the objection or if the court has ruled that the objection is justified.
The data subject may take legal action against the controller in the event of a breach of his or her rights. The court shall rule on the case out of turn.
It is for the controller to prove that the processing complies with the law. It is for the recipient to prove the lawfulness of the transfer to him.
The county court, in the capital the Metropolitan Court (hereinafter together referred to as the county court) shall have jurisdiction to hear the case. The action may, at the option of the data subject, also be brought before the county court of the place of residence or domicile of the data subject.
A person who does not otherwise have legal capacity may also be a party to the proceedings. The Authority may intervene in the proceedings in order to ensure that the person concerned is successful.
If the court grants the application, the controller shall be ordered to provide the information, rectify, block or erase the data, annul the decision taken by automated processing, take into account the right of the data subject to object, or provide the data requested by the data subject.
If the court rejects the data subject’s request, the controller shall erase the personal data of the data subject within 3 days of the notification of the judgement. The controller shall also be obliged to delete the data if the data subject does not apply to the court within the time limit.