Personal Data Management and Privacy Notice

Privacy Notice

for Customers using the services of Culinaris Retail Kft. via online and offline sales channels.

Privacy Notice

The following Privacy Notice is issued by Culinaris Retail Kft. for Customers using the Company’s Webshop services at the www.culinaris.hu website, or subscribing to the Company’s Newsletter, or partaking in the Company’s Customer loyalty scheme:

I. General provisions

The product portfolio of Culinaris Retail Kft (Company Registry No.: 01-09-389093, registered seat (and mailing address): 1025 Budapest, Pusztaszeri út 59., VAT No.: 27413285-2-41, hereinafter referred to as “Culinaris Retail Kft.” or the “Data Controller”) is displayed at the www.culinaris.hu website (hereinafter referred to as the “Website”), featuring the food and other products sold by Culinaris Retail Kft. When placing an order online via the Webshop, in line with the Company’s applicable General Terms and Conditions of Business, a Sales Contract is entered into between Culinaris Retail Kft. and the retail Customer having placed the order, and holding a valid registration.

The Customers, or anyone interested may subscribe to the Newsletters of Culinaris Retail Kft., to be informed about the latest offers, news and special events.

The Company’s Customer loyalty scheme offers certain benefits to the participants, whom hold a valid registration to the loyalty program, such benefits being provided in line with the special terms and conditions set by Culinaris Retail Kft.

This Privacy Notice (hereinafter referred to as the “Privacy Notice” governs and sets forth the rights and obligations related to the handling and processing of personal data supplied to the Data Controller.

While processing personal data, Culinaris Retail Kft. always acts in full compliance with the applicable laws of the European Union and of Hungary, in particular Act CXXII of 2011 on the Right to Informational Self-Determination and the Freedom of Information (hereinafter referred to as the “Info tv.”) and Regulation (EU) 2016/679 referred to as the General Data Protection Regulation (“GDPR”).

All personal data received from the Customers are processed by Culinaris Retail Kft. confidentially, and the Company takes all necessary measures to facilitate a secure data processing. Culinaris Retail Kft. is fully committed to ensure the adequate protection of personal data. The purpose of this Privacy Notice is to supply adequate information to the Customers of Culinaris Retail Kft., to make an informed decision about the processing of their personal data.

This Privacy Notice is drafted on the basis of the provisions of Info tv. and of Regulation (EU) 2016/679, i.e. the General Data Protection Regulation (“GDPR”), and Culinaris Retail Kft. retains the right to unilaterally review and update this Privacy Notice, if the applicable laws get amended in the future, and/or new laws are issued. Any issues remaining uncovered by this Privacy Notice shall be governed by the applicable provisions of the GDPR and of the Info tv.

The Company’s prevailing Privacy Notice is available for view at the Company’s website, at http://www.culinaris.hu/adatvedelmi.

Culinaris Retail Kft. retains the right to make amendments to this Privacy Notice any time. When the Privacy Notice is amended, the Company will make a notification via its website.

II. Definitions

1. data subject: any natural person, who is identified or can be identified - directly or indirectly - on the basis of personal data;

2. personal data: any information relating to the data subject - in particular his/her name, an identification number, or one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person - and the conclusion that can be drawn from the data, related to the data subject;

3. sensitive data:

a) personal data revealing racial or ethnic origin, political opinions or affiliation, religious or other philosophical beliefs, trade union membership, or data related to sex life;

b) personal data concerning health, pathological addiction and personal data related to criminal convictions;

4. personal data relating to criminal convictions and offences: personal data relating to criminal offences or criminal proceedings, obtained in the course of, or prior to criminal proceedings, by the authorities competent to prosecute or investigate criminal offences, and personal data generated by penitentiary organizations, relating to the data subject or to his/her criminal records;

5. data of public interest: any information or piece of knowledge not covered by the concept of personal data, recorded in any way or form, which is held by a body or person performing state or local government duties, or other public functions, by the law, and that relates to such body’s activities or arises in connection with the performance of its public function, and irrespective of the method of processing, and whether it is separately or collectively processed, and including in particular any information on the given body’s powers, competences, organisational structure, professional activities, an assessment of its effectiveness, the types of data stored, the laws governing its operations, or related to its financial management or any contracts concluded;

6. data published for the benefit of the public: any data not covered by the concept of data of public interest, the publication, disclosure or making available of which is required by the law, for public interest;

7. consent: any freely given, specific, informed indication of the data subject's wishes by which he or she, by a clear affirmative consent, signifies agreement to the - full scope or limited to specific operations - processing of the personal data relating to him or her;

8. objection: a statement by the data subject objecting to the processing of his or her personal data, and requesting that the data processing is terminated, or the processed data being erased;

9. data controller: a natural or legal person, or unincorporated body which, alone or jointly with others, determines the purposes of the data processing, or makes and implements decisions on the data processing (including the means used), or arranges for them to be executed by a data processor;

10. data processing: any operation or set of operations, which is performed on the data, irrespective of the procedure used, in particular the collection, recording, structuring, storage, alteration, use, retrieval, transmission, publication, alignment or combination, blocking, erasure or destruction, and the prevention of any further use of the data, and taking of photographs, audio or video recordings, and recording of physical characteristics that can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);

11. data transfer: making the data available to a given third party;

12. publication: making the data available to anyone;

13. data erasure: making data unrecognisable in such a way that it cannot be restored;

14. data marking: the marking of data with an identification mark to distinguish it;

15. data blocking: the marking of data with an identification mark for the purposes of limiting its further processing permanently or for a specific time period;

16. data destruction: the complete physical destruction of the data carrier device containing the data;

17. data processor tasks: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations or the place of application, provided that the technical task is performed on the data;

18. data processor: a natural or legal person or unincorporated body, which processes data on the basis of a contract - including contracts mandatory to be signed based on the law - ;

19. data owner: a public sector body, which produced data of public interest mandatory to be published via electronic means, or in the course of whose operation the data was generated; 20. informant: a public sector body which - if the data owner does not publish the data - publishes the data submitted to it by the data owner, on a website;

21. data set: the entirety of data managed in a single register;

22. third party: any natural or legal person, or unincorporated body, who is not the data subject, the data controller or the data processor;

23. EEA member state: a member state of the European Union or of the Agreement on the European Economic Area (“EEA”), or a state, whose nationals enjoy the same status as nationals of a state party to the Agreement on the EEA, under an international treaty made between the EU and its member states and a state not party to the Agreement on the EEA;

24. third country: any state that is not an EEA member state;

25. binding corporate rules: an internal Data Protection Policy adopted by a data controller or a group of data controllers operating in several countries, including at least one EEA member state, and approved by the National Authority for Data Protection and the Freedom of Information (hereinafter referred to as the “Regulatory Authority"), which is binding on the data controller or the group of data controllers, and which ensures the protection of personal data when being transferred to a third country, by means of a unilateral commitment made by the data controller or group of data controllers;

26. personal data breach: the unlawful handling or processing of personal data, in particular any unauthorised access, alteration, transfer, publication, erasure or destruction, or accidental destruction or damage.

27. minor: a person under the age of 18. A minor becomes an adult via marriage.

III. Key principles

Personal data may solely be processed tied to a specific purpose, for the exercising of rights and fulfilment of obligations. In each stage of the data processing, the purpose set for the data processing must be complied with, and the data collection and processing must be fair and lawful.

Solely personal data strictly necessary to meet the purposes set for the data processing, and suitable to accomplish such purposes, may be processed. Personal data may only be processed to the extent and for the duration necessary for the purposes set.

Personal data will remain to be personal data during the course of data processing, as long as it can be linked to the data subject. The link to the data subject may be restored, if the Data Controller has the technical means required to make such reconnection.

During the data processing activities, the accuracy and completeness of the data must be ensured, and - when needed, taking into account the purposes of the data processing - it must be up-to-date, and it must be ensured that the data subject is only identifiable for the duration needed for the purposes set for the data processing.

The processing of personal data must be deemed to be fair and lawful, when the data subject is contacted at home or place of residence, under the freedom of expression granted, to express his/her views, provided that the personal data of the data subject is processed in line with the provisions of this Act, and the enquiry was not made for business purposes. Enquiries must be avoided on public holidays (as defined by the Labour Code).

IV. Data processing

Online shopping via the Webshop - Registration

The legal basis for the data processing:

The legal basis for the processing of the collected data is the data subject’s consent granted to the data processing, pursuant to Article 6(1) point a) of the GDPR, and as for the processing of the personal identification data necessary for the identification of the natural person, serving as Customer, as well as his/her home address, the legal basis is section 13/A of Act CVIII of 2001, and section 169(2) of the Accounting Act, i.e. the purpose is to fulfil a legal obligation, as per Article 6(a) point c) of the GDPR.

If the Customer is a natural person who is minor, being under the age of 18, or an incapacitated person being under guardianship restricting his/her capacity to act, the consent is only valid when agreed upon or approved by the legal guardian.

The scope of data subjects: the Customers registering at the www.culinaris.hu website.

Scope of the data processed:

The data subject’s name, phone number, e-mail address, delivery address and billing address

Purpose of the data processing:

The data subject’s name is needed to identify the person placing the order, for the purposes of being able to duly fulfil the order, to issue the bill, and to record the delivery address.

The data subject’s phone number is processed for the purposes of fulfilling the order placed by the data subject, or if any data in the order needs to be clarified, a staff member at Culinaris Retail Kft. will call the data subject at the phone number provided.

The data subject’s e-mail address is needed for written correspondence, and to be able to confirm the order placed.

The data subject grants his/her voluntary consent to the fact that the Data Controller may contact him/her via the contact details provided, when any issue arises, or to supply additional information, or to obtain or clarify any information related to the order. The purpose of the data processing is primarily to sign the contract related to the use of the Webshop, and to ensure the fulfilment of such contract and the enforcement of the related claims, to protect the Customer’s rights, and as a secondary purpose, the use of additional services, to make statistics, and to make technical or quality related improvements to the IT system. Data processing for statistical purposes, i.e. the preparation of statistical reports is solely possible to meet the primary objectives of the system, or for the purposes of making technical or quality related improvements to the IT system. The Customer may object the processing of data for quality assurance purposes any time, by sending an e-mail to the following e-mail address: webshop@culinaris.hu. The Customer and data subject expressly acknowledges and agrees that the system operated by Culinaris Retail Kft. may collect data about user activity, which data cannot be linked to any other data supplied by the users during the registration process, or with any other data generated during the use of the website or services.

The following persons are authorised to get access to the data: the Data Controller, the Data Processor, and their staff members.

Duration of the data processing, and data erasure:

Personal data may solely be processed to the extent and for the duration necessary to meet the purposes set for the data processing, and suitable to accomplish such purposes. The processing of personal data may start when the Customer has registered with the Webshop, and the personal data gets stored until the purposes set for the data processing are met, or the Customer submits an application for the data to be erased. In terms of personal data stated on documents being subject to a mandatory retention period, as per the Accounting Act, the duration of the data processing shall be equal to the mandatory data retention period (section 169(2) of the Accounting Act). Pursuant to the GDPR, when the data gets erased, Culinaris Retail Kft. will make it unrecognisable, in a way that it cannot be restored.

If the Customer submits an application for his/her personal data processed to get erased, the Company must comply with such request, and at the same time, must delete the Customer’s registration.

Culinaris Retail Kft. will not disclose the personal data collected to any third party, other than the official authorities mandated by the law, and especially will not disclose the data for money (no database sale).

Culinaris Retail Kft. will solely obtain personal data directly from the data subjects, therefore the source of the personal data is always the data subject supplying it (no database purchase).

Sensitive data is not processed by Culinaris Retail Kft.

When registering at the Webshop, the Customer declares and confirms that this Privacy Notice was read, and that the Customer agrees to be bound by the same. By getting registered with the Webshop, and/or the Customer supplying his/her data and contact details at the store, the Customer grants his/her consent for the Data Controller to use his/her personal data voluntarily supplied (name, address, e-mail address, phone number) and the information related to the products purchased, and any other data related to the purchase (place and date of the purchase, the products purchased, total purchase value) - hereinafter collectively referred to as the “Data”.

The Customer placing an order expressly acknowledges and agrees that the system operated by Culinaris Retail Kft. may collect data about the user activity, which data cannot be linked to any other data supplied by the users during the registration process, or with any other data generated during the use of the website or services.

Payment with bank card:

Only bank card payment is enabled by the Data Controller. The Data Controller operates the bank card payment system via its financial services provider’s system used, which is the operator of the SimplePay system, therefore the Data Controller does not process any data related to the payments made by the data subjects. During the registration process, and shopping via the Webshop, the data subject agrees to and approves the fact that all orders must be paid for via the use of bank card, and acknowledges the fact that the Data Controller does not process payment related (bank card) data.

Newsletter:

The legal basis for the data processing:

On the basis of the Customer’s consent granted pursuant to Article 6(1), point a) of the GDPR, Culinaris Retail Kft. is entitled to send Newsletters, special offers, and notifications to the Customers on new product launches. The Customer has the right to revoke his/her consent granted any time, and the Customer acknowledges the fact that Culinaris Retail Kft. supplied due information on that the Customer may unsubscribe from the Newsletter any time, via the link provided at the Newsletters sent. When this happens, Culinaris Retail Kft. will not send any more Newsletters or other advertising material to the Customer, after the consent is revoked, and will delete the given user’s data from the database of users subscribing to the Newsletter.

Newsletters may only be sent, if the proposed recipient has granted his/her prior and clear consent to it, which consent may be revoked by the Customer by sending a related statement to Culinaris Retail Kft. any time. When the Customer registers for the Webshop, his/her consent to the receipt of Newsletters may also be given.

Scope of the data subjects: anyone subscribing to the Newsletter, and granting their consent to it.

Scope of the data processed: name, e-mail address.

Purpose of the data processing:

To inform the subscribers about the latest news, events, our special offers, discounts and special events.

If you wish to receive the Newsletter, you may subscribe to it during the registration process. As part of registration, our system will record your name and e-mail address, by which you grant your consent for us to send you our Newsletter, to the e-mail address provided. The e-mail address you provided as part of subscribing to our Newsletter will solely be used by us for sending the Newsletter, in line with your consent given. The legal basis for the data processing is your consent granted, pursuant to Article 6(1), point a) of the GDPR.

The following persons are authorised to get access to the data: the Data Controller, the Data Processor, and their staff members.

Duration of the data processing, and data erasure: the data will be processed by the Data Controller from the time the Customer subscribed to the Newsletter, to the Customer’s related consent being revoked. The related data will be erased when the Customer has revoked his/her consent.

A data subject may revoke his/her consent given to the related data processing any time, by sending an e-mail to the following e-mail address: webshop@culinaris.hu email (please put “Unsubscribe from the Newsletter” in the subject field), or by clicking the “Unsubscribe” link provided in the Newsletters.

You may revoke your consent given to the data processing, in which case you will no longer get notifications about the latest news, events, special offers and discounts.

The following persons are authorised to get access to the data: the Data Controller, the Data Processor, and their staff members.

Customer loyalty scheme

The legal basis for the data processing:

On the basis of the Customer’s consent granted pursuant to Article 6(1), point a) of the GDPR, Culinaris Retail Kft. will register the data of the Customers intending to participate in the Customer loyalty scheme. If you wish to uphold the rights attached to your Customer loyalty scheme membership, and/or wish to newly join the scheme, please complete and sign the relevant registration form, and send it back to Culinaris Retail Kft. via regular mail, or hand it over to the dedicated personnel at any of our stores.

Scope of the data subjects: persons participating in the Customer loyalty scheme, or getting newly registered to it.

Scope of the data processed: name, e-mail address, date of birth.

The purposes of the data processing:

To enable Culinaris Retail Kft. to identify all persons registering for, or already participating in the Customer loyalty scheme, in order to be able to duly register all benefits provided, and all rights granted to the Customer under the loyalty scheme, at the Customer account.

To enable the Company to duly inform the Customers about the benefits available via the use of the Customer loyalty card issued.

To enable the Company to send information on any changes made to the Customer loyalty scheme.

The following persons are authorised to get access to the data: the Data Controller, the Data Processor, and their staff members.

Duration of the data processing, and data erasure: the Data Controller will process the related data from the time when the Customer registered for the Customer loyalty scheme until the Customer’s relevant consent is revoked, or when the Customer loyalty card or the related entitlement is terminated, the related data will no longer be processed. The related data will be erased when the Customer has revoked his/her consent, or his/her related entitlement being terminated. Your consent will be deemed to be on-going by Culinaris Retail Kft., until you revoke it.

You may revoke your consent given to the related data processing by sending an e-mail to the following e-mail address: webshop@culinaris.hu email (please put “terminating the loyalty scheme membership” in the subject field).

If your consent is revoked, your data will be permanently erased, and you will no longer be able to enforce the benefits linked to your loyalty scheme card, and will no longer receive information on the benefits available with the card.

How cookies are processed

The Data Controller issued a separate Cookie Policy, related to the processing of cookies.

V. Data security

Culinaris Retail Kft. will make all efforts to prevent and avoid any unauthorised parties to get access to the personal data processed. Nonetheless, due to the fast pace development and changes in the area of IT, and also considering the fact that not all risks arising out of the nature of IT can be completely eliminated beforehand, it may happen that via the use of unlawful means, a third party may gain access to the personal data processed by Culinaris Retail Kft., in any manner remaining unknown to Culinaris Retail Kft., and despite the Company’s security measures applied, or any such party may peruse the data, or commit an abusive act with it. Culinaris Retail Kft. refuses to take any liability for any potential damage arising out of such unlawful actions, or for any abuse committed via the use of the personal data being obtained by a third party.

VI. Legal remedy available

The data subject may request information about the processing of his/her personal data, and may request the rectification, blocking or - except for mandatory data processing - the erasure of his/her personal data.

All questions, information request or complaint related to the data processing activities of Culinaris Retail Kft. must be submitted to the Company in writing. The request submitted must include the following data:

Name and mailing address

A clear description of the question, information request or complaint.

Please attach the following documents to your mail sent to us:

Date of the submission and your handwritten signature

If you are acting on behalf of another person, please submit your Power of Attorney provided by the data subject.

Please send any such letter via registered mail, with receipt confirmation required, to the following address:

Culinaris Retail Kft.

1025 Budapest, Pusztaszeri út 59.

You may send a complaint to us via e-mail as well, to the following e-mail address: webshop@culinaris.hu.

The data subject has the right to the following:

- right of access to his/her personal data (right of access, Article 15 of the GDPR).

- to request the rectification of inaccurate data, or to have incomplete data completed (right to rectification, Article 16 of the GDPR).

- to request the erasure of personal data (right to erasure, Article 17 of the GDPR).

- to request the restriction of the processing of his/her personal data (right to restriction of data processing, Article 18 of the GDPR).

- to receive the personal data concerning him/her, and to transmit the data to another data controller (right to data portability, Article 20 of the GDPR).

- to revoke his/her consent given to the data processing (but the consent being revoked has no impact on the lawfulness of data processing carried out based on the consent, prior to being revoked (right to revoke consent, Article 7 of the GDPR).

The data subject has the right to object to the processing of his/her personal data:

a) when the processing or transfer of personal data is solely needed to comply with a legal obligation of the Data Controller, or to enforce a legitimate interest of the Data Controller or of the data recipient, or a third party - except for mandatory data processing - ;

b) where the personal data is used or forwarded for the purposes of direct marketing, market research or scientific research; or

c) in any other case specified by the law.

The Data Controller shall review the objection/complaint submitted within the shortest possible timeframe upon submission, or within 15 days, and shall decide on its merits, and inform the applicant in writing of its decision. Culinaris Retail Kft. will respond the objection/complaint within 30 days.

If the Data Controller concluded that the data subject's objection/complaint is justified, the Data Controller shall cease the data processing - including the further recording and transmission of data - and block the data, and send a notification on the objection and the actions taken on the basis of the objection, to all those to whom the personal data impacted by the objection/complaint was previously transferred, and whom are obliged to take measures to enforce the right to objection.

If the data subject does not agree with the decision of the Data Controller, or if the Data Controller fails to comply with the legal deadline, the data subject may - within 30 days of the notification on the decision, or when the deadline elapsed - take the case to court.

The following court has jurisdiction to hear the case (contact details of the Budapest Metropolitan Court: 1055 Budapest, Markó utca 25.). The data subject also has the option to bring the action before the court having territorial scope, according to his/her registered address or place of residence. The court will have an expedited trial on the case. If the Data Controller has caused damage to anyone by the unlawful processing of the data subject’s data, or by violating the data security requirements, the Data Controller has an indemnification obligation arising. If the Data Controller committed an infringement of the data subject’s rights to privacy by the unlawful processing of the data subject’s data, or by violating the data security requirements, the data subject might claim a grievance fee from the Data Controller. The Data Controller is also liable towards the data subject for any potential damage caused by the Data Processor involved. The Data Controller shall be relieved from the liability, if the damage was caused by any reason falling outside the scope of the data processing, and being unavoidable. If the damage is due to the intentional or grossly negligent conduct of the injured party, the Data Controller has no compensation obligation.

To seek legal remedy, the data subject/Customer may turn to the National Authority for Data Protection and Freedom of Information (mailing address: 1530 Budapest, Pf.: 5; address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; e-mail address: ugyfelszolgalat@naih.hu, website: http://naih.hu), or seek judicial remedy.