1. INTRODUCTION
This policy sets forth the data protection and data management principles and policies of Univ-Fashion Trading and Services Limited Liability Company (registered office: 11095 Budapest, Soroksári út 48.; company registration number: 01-09-408274; tax number: 23781539-2-41; hereinafter: Service Provider).
The Service Provider manages the data of visitors to the “www.u-style.hu” website, those who register on the website, and customers (hereinafter collectively: Data Subjects) in accordance with the provisions of this policy.
2. DATA CONTROLLER INFORMATION
Name: Univ-Fashion Ltd.
Registered Office: 11095 Budapest, Soroksári út 48.
Mailing Address: 11095 Budapest, Soroksári út 48.
Representative: Márk Zelenák
Company Registration Number: 01-09-408274
Registering Court: Court of Registration of the Metropolitan Court of Budapest
Tax Number: 23781539-2-41
EU VAT Number: HU23781539
Bank: MKB Bank Plc.
Bank Account Number: 10102103-81573000-01004009
IBAN: HU8310102103-81573000-01004009
Email Address: info@u-style.hu
Phone Number: +36 70 324 7665
3. LEGAL BASIS OF DATA PROCESSING
The Service Provider processes data on the website www.u-style.hu (hereinafter: Website) based on Section 5(1)(a) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Info Act), with the voluntary consent of the data subject. Data processing is also carried out in accordance with Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society. The data processing is based on the voluntary and explicit consent of the users, following appropriate information. The Data Subject provides express consent to the data processing in accordance with this policy and the Service Provider’s general terms by visiting the Website and registering.
For registration on the Website, Data Subjects must provide the following mandatory personal information:
– Last name and first name
– Email address
– Password
– Billing address (billing name, address, street, house number, city, postal code)
– Shipping address (shipping name, address, street, house number, city, postal code)
– Phone number
The Service Provider reserves the right, with the consent of the Data Subject, to record the number of the identity card of the individual receiving the product on the invoice during personal collection, as per the provisions of the Info Act. According to the Info Act, consent can be given verbally, in writing, or through implied conduct (by presenting the document). The purpose of this data processing is to protect the interests related to the ownership rights of the customers. Under the provisions of the Info Act, the Data Subject may request the deletion of the personal data recorded in this section from the Service Provider.
The purpose of the data processing is to ensure the provision of services available on the Website. The Service Provider uses the data provided by the Data Subject strictly for the purposes of fulfilling orders, arranging home delivery, issuing invoices, maintaining contact, and, if the Data Subject has subscribed to the newsletter, sending newsletters, and for later proving the terms of any contracts that may arise.
The purpose of the automatically recorded data is to create statistics, improve the technical infrastructure, and protect the rights of the Data Subject.
The Service Provider does not and may not use the provided personal data for purposes other than those specified in these points. Disclosure of personal data to third parties or authorities is only possible with the prior, express consent of the Data Subject, unless otherwise required by law.
The Service Provider does not verify the personal data provided to it. Responsibility for the accuracy of the provided data lies solely with the person providing the data. By providing an email address, each Data Subject also takes responsibility for ensuring that services are used only by them from the provided email address. Given this assumption of responsibility, the Data Subject who registered the email address bears all responsibility for any activities carried out under that email address.
4. DEFINITIONS
4.1. Personal Data
Any information relating to an identified or identifiable natural person (Data Subject), from which a conclusion can be drawn about the Data Subject. Personal data retains its status as personal data as long as the connection with the Data Subject can be restored. A person is particularly considered identifiable if they can be identified, directly or indirectly, by reference to a name, identification number, or one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.
4.2. Filing System
A structured set of personal data, accessible according to specific criteria, whether centralized, decentralized, or arranged according to functional or geographical considerations.
4.3. Data Controller
A natural or legal person, or an entity without legal personality, who determines the purposes and means of processing personal data, makes decisions regarding data processing (including the tools used), and implements those decisions or has them implemented by a data processor they appoint.
4.4. Data Processor
A natural or legal person, or an entity without legal personality, who processes personal data on behalf of the Data Controller.
4.5. Recipient
A natural or legal person, public authority, agency, or any other body to whom or which personal data is disclosed, regardless of whether they are a third party. Public authorities that may access personal data under Union or Member State law as part of a specific inquiry are not considered recipients. The processing of such data by those public authorities must comply with the applicable data protection rules, according to the purposes of processing.
4.6. Data Subject
Any natural person who is identified or identifiable, directly or indirectly, on the basis of personal data.
4.7. Third Party
Any natural or legal person, or an entity without legal personality, other than the Data Subject, the Data Controller, or the Data Processor.
4.8. Client
A Data Subject who uses any service provided by the Data Controller.
4.9. User
Any natural person who interacts with the Data Controller or visits their website.
4.10. Data Processing
Any operation or set of operations performed on personal data, regardless of the method used, such as collection, recording, organization, storage, modification, use, transmission, disclosure, alignment, combination, blocking, erasure, or destruction, as well as preventing the further use of data. Data processing also includes the creation of photo, sound, or video recordings, as well as recording physical characteristics suitable for identifying a person (e.g., fingerprints, palm prints, DNA samples, iris images).
4.11. Profiling
Any form of automated processing of personal data intended to evaluate certain personal aspects of a natural person, particularly to analyze or predict characteristics related to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
4.12. Pseudonymization
The processing of personal data in such a manner that the data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data is not attributed to an identified or identifiable natural person.
4.13. Data Processing (technical)
The technical tasks related to data processing, regardless of the method or tools used for the execution of these tasks, as well as the place of application.
4.14. Consent
A voluntary and explicit expression of the Data Subject’s will, based on adequate information, whereby they give their unequivocal agreement to the processing of their personal data, either in full or in relation to specific operations.
4.15. Data Breach
A breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
4.16. Objection
A statement by the Data Subject objecting to the processing of their personal data and requesting the cessation of processing or the deletion of the data.
4.17. Data Transfer
Making data accessible to a specified third party.
4.18. Data Deletion
The irreversible rendering of data in such a way that it can no longer be recovered.
5. NEWSLETTER
The Service Provider offers an option to subscribe to a newsletter through the Website. By subscribing, the user voluntarily provides the following personal data to the Service Provider and consents to their processing:
– Name
– Email address
– Phone number
– Address
– Behavioral habits related to website usage
– Behavioral habits related to newsletter reading
The Service Provider places special emphasis on the lawful use of the email addresses it processes, and will use them only in the following ways for sending emails (either informational or promotional).
The primary purpose of managing email addresses is to identify the Data Subject and to maintain communication during order fulfillment and service usage; emails are sent primarily for this reason.
In the event of changes to the services provided by the Service Provider or its general terms and conditions, the Service Provider may, in certain cases, send information about such changes and similar services offered by the Service Provider electronically via email to the Data Subjects. However, the Service Provider does not use these notifications for promotional purposes.
6. DURATION OF DATA PROCESSING
The processing of personal data provided by the Data Subject during registration begins with the registration and lasts until the data is deleted upon request. For non-mandatory data, the processing begins at the time the data is provided and lasts until the data is deleted upon request. The Data Subject may request the deletion of their registration at any time, and the Service Provider may also delete the registration in the cases and manner set out in the general terms and conditions.
The system stores logged data for six months from the time of logging, except for the date of the last visit, which is automatically overwritten.
These provisions do not affect the obligations to retain data as required by law (particularly accounting regulations) or the data processing based on additional consents provided during registration or otherwise on the Website.
In the case of newsletters, personal data will be processed until the Data Subject unsubscribes from the newsletter.
Emails containing advertisements or promotional materials (newsletters) will only be sent to the email addresses provided during registration with the express consent of the Data Subject, and only in accordance with legal requirements. The newsletter includes direct marketing elements and contains advertisements. The Service Provider processes the data provided by the Data Subject when subscribing to the newsletter.
For newsletters, the Service Provider will process the data provided by the Data Subject at the time of subscription until the Data Subject unsubscribes by clicking the “Unsubscribe” button at the bottom of the newsletter or by requesting removal from the subscription list via email or post. Upon unsubscribing, the Service Provider will no longer contact the Data Subject with newsletters or offers. The Data Subject can unsubscribe from the newsletter and withdraw their consent at any time free of charge. Registered users can also unsubscribe from the newsletter at any time by logging into their personal account.
7. PARTIES WITH ACCESS TO DATA
The data is primarily accessible to the Service Provider and its internal employees, but it will not be made public or disclosed to third parties.
For the operation of the IT system, fulfillment of orders, and settlement of accounts, the Service Provider may engage data processors (e.g., system operators, courier companies, accountants).
List of Data Processors:
8. RIGHTS OF THE DATA SUBJECT
The Data Subject has the right to request information at any time about their personal data processed by the Service Provider and may modify such data at any time.
Upon the Data Subject’s request, the Service Provider will provide information about the data it processes related to the Data Subject, the data processed by any data processors it engages, the source of the data, the purpose, legal basis, and duration of the data processing, as well as the name, address, and activities of the data processor related to the data processing, the circumstances and effects of any data breach, and the measures taken to address it. If the Data Subject’s personal data is transferred, the Service Provider will inform them about the legal basis and recipients of the transfer. The Service Provider will provide the requested information in writing within 30 days of receiving the request.
The Service Provider, through its internal data protection officer if applicable, maintains a record for monitoring actions related to data breaches and informing the Data Subject. This record includes the scope of the Data Subject’s personal data, the individuals affected by the breach, the date, circumstances, effects of the breach, and the measures taken to address it, as well as any other data required by applicable laws.
The Data Subject may exercise their rights through the contact details provided in the Service Provider’s information section.
The Data Subject has the right to request the correction or deletion of inaccurately recorded data at any time. Some data can be corrected by the Data Subject directly on the website, while in other cases, the Service Provider will delete the data within 3 business days of receiving the request. Once deleted, the data cannot be restored. This deletion does not apply to data that must be retained by law (e.g., accounting regulations), which the Service Provider will retain for the required duration.
The Data Subject may also request the blocking (restriction) of their data. The Service Provider will block personal data if the Data Subject requests it, or if it is assumed based on available information that deletion would violate the Data Subject’s legitimate interests. Blocked personal data may only be processed for as long as the purpose of the data processing that justified the exclusion of deletion persists.
The Data Subject, and any parties to whom the data was previously transferred for processing, must be notified of any correction, blocking, or deletion. Notification may be omitted if omitting it does not violate the legitimate interests of the Data Subject based on the purpose of the processing.
If the Service Provider does not comply with the Data Subject’s request for correction, blocking, or deletion, the Service Provider will provide written justification within 30 days of receiving the request, detailing the factual and legal reasons for the refusal.
The Data Subject may object to the processing of their personal data. The Service Provider will examine the objection as soon as possible, but no later than 15 days from the receipt of the request, and will inform the Data Subject in writing of its decision regarding the objection.
The Data Subject, under the applicable law, including the Information Act and the Civil Code, may:
– Lodge a complaint with the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; www.naih.hu) or
– Enforce their rights in a court of law.
If the Data Subject provided third-party data during registration or caused any damage while using the Website, the Service Provider is entitled to seek compensation from the Data Subject. In such cases, the Service Provider will offer all possible assistance to the competent authorities to identify the infringing person.
9. FINAL PROVISIONS
The Service Provider commits to ensuring the security of the data and to taking the necessary technical measures to safeguard the collected, stored, and processed data, as well as to do everything possible to prevent the destruction, unauthorized use, or unauthorized modification of such data. The Service Provider also undertakes to require all third parties to whom data may be transmitted or transferred to fulfill similar obligations regarding data protection.
The Service Provider reserves the right to unilaterally modify this Policy with prior notice to the Data Subjects on the Website. After the modification comes into effect, the Data Subject must accept the changes in order to continue using the Website, following the procedure provided by the Service Provider on the Website.