Privacy Policy

PRIVACY & DATA PROTECTION POLICY

Effective date: February 4, 2020

1. Preamble

The purpose of these Rules is to set out the principles of data protection and data management applied on the website pamutkababy.com by István Gyenes, sole proprietor (Head Office and mailing address: Szél utca 2/b, Etyek, Hungary 2091, Tax number: 75689579-1-27, E-mail address: info@pamutkababy.com, Phone number: +36-30-611-4099, Contact person: István Gyenes) (hereinafter referred to as the Data Controller or Operator), and the data protection and data management procedures of the Data Controller.

The Privacy Statement contained in these Terms and Conditions applies only to the pamutkababy.com website and does not apply to third party websites, even if these websites are directly accessible from pamutkababy.com.

Data Controller pays special attention to its data management in your best interest to comply with the following laws and practices: Act V of 2013 on the Civil Code, Act CXIX of 1995 on managing name and address information for research and direct marketing purposes, Act CXII of 2011 on Freedom of Informational Self-Determination and Freedom of Information, REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation). Data Controller also complies with other applicable data protection laws and data protection practices in the conduct of the Data Protection Commissioner.

The website does not create its own database, no profiling is done. 

Our company will not forward your personal information to any third country or international organization.

2. Definitions, abbreviations, principles

Infotv.: Act CXII of 2011 on Freedom of Informational Self-Determination and Freedom of Information;

GDPR: REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

"Data controller": A natural or legal person, public authority, agency or any other body which determines the purposes and means of the management of personal data independently or in combination with others; where the purposes and means of data management are determined by Union or Member State law, the Data Controller or the specific criteria for designating the controller may be defined by Union or Member State law; (GDPR)

"Data management": Any operation or set of operations, whether automated or not, carried out on personal data or data files, such as collection, recording, filing, organizing, storing, transforming or altering, retrieving, accessing, using, communicating, transmitting, disseminating or otherwise making available through coordination or linking, restriction, deletion or destruction; (GDPR)

"Personal Data": Any information relating to an identified or identifiable natural person (data subject); a natural person is identifiable directly or indirectly, in particular by virtue of one or more factors such as name, number, position, online identification or physical, physiological, genetic, intellectual, economic, cultural or social identity; (GDPR)

"Data processor": Any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Data Controller; (GDPR)

"Recipient": Any natural or legal person, public authority, agency or any other body, even a third party, to whom the personal data are disclosed; (GDPR)

"Privacy incident": Breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access of personal data transmitted, stored or otherwise processed; (GDPR)

"IP address": An IP address is a sequence of numbers that uniquely identifies computers, mobile devices on the Internet. IP addresses can be used to locate a visitor using a particular computer geographically. The addresses of the pages visited, as well as the date and time data alone are not suitable for the identification of the data subject, but in combination with other data (eg provided during registration) they are useful for drawing conclusions about the user.

"Customer, Buyer": The user of the website.

The principles of personal data management that the Data Controller respects:

-legality, fairness and transparency,

-goal orientation,

-data minimisation,

-accuracy,

-limited storage,

-integrity and confidentiality, 

-accountability of the Data Controller.

In the case of a child under the age of 16, the processing of children's personal data may only take place if the consent has been given or authorized by the parent exercising parental authority over the child, and to the extent authorized by the parent.

3. Data processing methods

3.1. Data processed in the course of services provided by pamutkababy.com

When buying from the pamutkababy.com website, the following personal data are managed by the Data Controller: name, phone number, e-mail address, IP address, shipping and billing address.

3.2. Visitor's data

Purpose of data management: during the visit to the website, the Data Controller records the visitor's data in order to perform services, supervise functionality, and prevent abuse.

Legal basis for data management: consent of the data subject and Paragraph 13/A. § (3) of Eker. TV.

The data handled includes date, time, IP address, address of previously visited page, information about the user's operating system and browser.

Duration of data management: 30 days from the date of access to this website.

Data transfer: The html code of the portal may contain links from external servers and links pointing to external servers that are independent of the data controller. Third-party servers are directly connected to the user's computer. Please note that the providers of these links are able to collect user data (eg. IP address, browser, operating system data, mouse cursor movement, clicks, page visited and date and duration of visit) due to their direct connection to their server and direct communication with the user's browser.

Content that may be personalized to the user is served by the server of the external service provider.

The data is transmitted for hosting purposes to Stablehost.com (2719 Hollywood Blvd, Hollywood, FL 33020 USA, Website: stablehost.com, Contact: support@stablehost.com), which may use additional data processors to provide background IT services.

3.3. Registration in the webshop

Purchase is not subject to registration.

Buyer provides the following information when registering on the site: first name, last name, e-mail address, phone number, password.

Regular buyers should register so they don't have to provide their personal information with each purchase and keep track of their purchases.

Purpose of data management: to provide a more convenient shopping opportunity, to maintain customer relations, to analyze and evaluate buyer habits, to obtain the necessary consent for direct marketing inquiries.

Legal basis for data management: voluntary consent of the data subject.

Type of personal data processed: data provided by the data subject, date and time of clicking on the link to confirm registration.

If the user makes a purchase using the registration profile, the personal data related to the purchase will be retrieved from the registration database.

Duration of data management:

-two years from the date of last login,

-3 weeks for unconfirmed registrations.

Deletion or modification of data:

-The user is entitled to initiate the deletion and modification of his/her personal data at any time by accessing his/her profile on the website,

-via the Data Controller's contact details as set out in this Privacy Policy.

3.4. Data management during shopping

It is possible to buy as a guest and as a registered user.

If a purchase is made by logging in with a registration profile, the personal data related to the purchase will be retrieved from the registration database.

Purpose of data management: purchase in the webshop, issuing of invoice, fulfillment of orders, documentation of purchase and payment, possible return administration, fulfillment of accounting obligation, customer relations, analysis of customer habits.

Legal basis for data management: Data management is necessary for the performance of a contract in which the data subject is a party.

Type of personal data processed: data provided by the data subject.

Duration of data management: Data will be deleted within 5 years of order fulfillment.

Deletion and modification of data: The user has a limited right to initiate the deletion and modification of his/her personal data at the contact details of this data controller, subject to the obligation of accounting retention.

Data Transmission: When choosing credit card payment method, the buyer will provide the credit card details directly to the following payment service providers:

Barion Payment Zrt.

Head office: Infopark sétány 1. Building "I" 5/5, Budapest, Hungary 1117

Company registration number: 01-10-048552

Tax Number: 25353192-2-43

Phone: +36-1-464-7099

Customer Data: Name, phone number, e-mail address, IP address, transaction amount, date and time of transaction, shipping and billing address, card details.

Paypal Holdings Inc.

Head Office: 2211 N 1st St, San Jose, California 95131, USA

Website: paypal.com

E-mail: info@paypal.com

Customer data: Seller details, name, address, telephone number, e-mail address, purchase details, card details.

The buyer's name, delivery address, e-mail address, telephone number will be forwarded to the following suppliers for delivery, performance of the contract:

Csomagpont Logisztika Kft.

Head office: Szondi utca 15, Budapest, Hungary 1067

Company registration number: 01-09-340159

Tax number: 26704058-2-42

E-mail: info@csomagpont.com

Phone: +36-1-622-4497

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

Head office: GLS Európa utca 2, Alsónémedi, Hungary 2351

Company registration number: 13-09-111755

Tax number: 12369410-2-44

E-mail: info@gls-hungary.com

Phone: +36-29-886-694

FOXPOST Zrt.

Head office: Batsányi János utca 9, Gyöngyös, Hungary 3200

Company registration number: 10-10-020309 

Tax number: 25034644-2-10

E-mail: info@foxpost.hu

Phone: +36-1-999-0369

G3 Worldwide Hungary Ltd.

Head office: Ecseri út 14-16, Budapest, Hungary 1097

Company registration number: 01-09-063948

Tax number: 10271384-2-43

Phone: +36-20-916-5981

3.5. Data management related to issuing and archiving invoices

The purpose of data management is to issue and archive invoices in accordance with the legal obligations.

Personal data processed: The data content of the invoices is determined by law (Paragraph 169 of Áfa tv. CXXVII of 2007).

Legal basis for data management: the fulfillment of a legal obligation pursuant to Article 6 (1) (c) of the Regulation.

For data management, the data controller uses a data processor:

Billingo (Octonul Ltd.)

Head office: József körút 74. I. Em. 6., Budapest, Hungary 1085

Company registration number: 01-09-1981177

Tax number: 25073364-2-42

E-mail: hello@billingo.hu

Pursuant to Article 169 (2) of Act C of 2000 on Accounting, personal data will be processed by the Data Controller for 8 years from the date of issue.

Data processors record and process the personal data transmitted by the Data Controller in accordance with the provisions of the GDPR, and make a statement to that effect to the Data Controller.

3.6 Newsletter

If the Buyer subscribes to the newsletter, the Data Controller may send news and information newsletters to the Buyer at the given contact details.

Newsletters may only be sent with the Buyer's prior consent. The prior consent must be clear. 

The Buyer may unsubscribe from the newsletter at any time by clicking on the link in the newsletter.

Purpose of data management: The data provided by the Buyer during the subscription process shall be used by the Data Controller only for sending the newsletter.

Managed personal information: The name and the e-mail address the Buyer provided during sign-up.

Legal basis for data management: Article 6 (1) (a) of the Regulation, ie the consent of the Buyer as the data subject, is the legal basis for the data management. 

Recipients of personal data provided: Personal data provided by Buyer will be accessible only to those employees of the Data Controller who are authorized to send the newsletter.

Period of management of personal data: Until the Buyer withdraws consent (by unsubscribing from the newsletter).

3.7. Email communication

The Data Controller primarily communicates with its Buyers electronically. As part of this, the Buyer may send an e-mail directly to the Data Controller at info@pamutkababy.com.

Purpose of Data Management: Contact can be made by sending direct email to the above email address. The data provided by the Buyer in connection with the contact shall be used by the Data Controller solely for the purpose of communicating with the Buyer or dealing with the contents of the message.

Personal data managed: Name, email address.

Legal basis for data management: Article 6 (1) (b) of the Regulation, ie. data management is necessary for the performance of a contract where the Buyer is a party of the contract, or if it is required by the Buyer before the conclusion of the contract.

Recipients of the personal data provided: Personal data provided by the Buyer will only be accessed by employees of the Data Controller who have authority over the message sent by the Buyer or the administration required to do so.

Period of management of personal data: If any contract or agreement between the Data Controller and the Buyer is entered into, Buyer may manage the personal data obtained by the Data Controller in connection with that contract for up to the expiration of the limitation period (5 years after performance).

If no contract or agreement is reached between the Data Controller and the Buyer following the data processing prior to the conclusion of the contract, the Data Controller shall delete the message(s) after the termination of the communication.

3.8. Enforcement

Pursuant to Article 6 (1) (f) of the Data Protection Regulation, the Data Controller has the right to process the personal data of the Buyer to the extent necessary for the enforcement of his or her legitimate interests for the settlement of disputes and legal and judicial proceedings.

The Data Controller may use additional experts (claims manager, legal representative, forensic expert, etc.) as data processors at its discretion in the course of enforcement. For the purposes of enforcing your rights, the Data Controller shall process the Buyer's personal data in accordance with the laws governing the protection of personal data and the applicable Privacy Policy.

3.9. Cookies

It is of the utmost importance for the Operator to ensure that the user-accessible web interfaces are sufficiently convenient and secure in the provision of its services. In some cases user operations can be interrupted and later resumed; therefore cookies are used on certain pages of the portal.

Cookies (short files) are placed on the visitor's computer by the web site, which can be modified, deleted or created later.

Some cookies are created and stored the first time you visit the site, and then remain permanently on your computer (static cookies). Other cookies are temporary (session cookies). They are stored until the end of the user session, and are automatically deleted when you close the browser. Temporary cookies are used to prevent users from having to re-enter certain information while browsing the site. These cookies expire and are deleted after you leave the site or when you close your browser.

Subject to applicable privacy policies, cookies that store the status of user-initiated transactions and operations (except as necessary to maintain the functionality of a service) may not be placed on a computer without the user's prior consent. Information about this and receiving user consent is handled by a cookie window that appears in the bottom bar of the website.

Some types of cookies do not require prior approval and are automatically managed by our system.

The purpose of the website's personal data management functions is to facilitate the operation of the website and to enhance the user experience.

Legal basis for data management: performance of the contract and voluntary consent of the visitor.

Scope of data managed: The following cookie types:

  • First Party Cookies: These are cookies that are essential for the operation of our site.
  • Third party cookies: These cookies are used to track which website or search terms you have entered into the site. These cookies do not collect information about how the Buyer uses the site.
  • Social media cookies: These cookies allow the Buyer to share various content on other community sites.
  • Operation support cookies, aka. session cookies: These are only temporary cookies that are downloaded to the Buyer's computer only for the time of his/her visit.

Storage period: Static cookies can be cleared by the Buyer by clearing the browser cache they use, and session cookies are automatically cleared when the browser window is closed.

The first time the Buyer visits the website, he/she will be notified in a notification bar that the Data Controller is using cookies. By continuing to use the service, you consent to their use.

Checking cookies settings, disabling cookies: By selecting the appropriate settings for your browser, User may refuse the use of cookies and prevent Google from collecting and processing information created by cookies and the User's use of the website (https://tools.google.com/dlpage/gaoptout?hl=en).

If User does not wish to allow cookies, he/she can disable or enable cookies as follows. By clicking on the link, User can set the use of cookies.

-Google Chrome: https://support.google.com/chrome/answer/95647?hl=en

-Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

-Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

-Safari: https://help.apple.com/safari/mac/8.0/#/sfri11471

-Opera: http://help.opera.com/Windows/10.20/en/cookies.html

For other browsers, look for the on-off option in the browser settings.

4. Responsibility for providing data

The Data Controller does not verify the personal data provided to him. The accuracy of the information provided is the sole responsibility of the person providing it. Any User entering his or her email address is also responsible for ensuring that he or she uses the service from the email address provided.

5. Exercising customer rights

Customer may request from the Data Controller access to, rectification, erasure or restriction of processing of personal data relating to him/her, and may object to the processing of such personal data and shall have the right to data portability.

Customer's access rights 

Customer is entitled to receive feedback from the Data Controller as to whether personal data is being processed and, if such processing is in progress, to receive access to the personal data and the information specified in Article 15 of the GDPR (eg: purposes of data processing; categories of personal data; recipients or categories of recipients to whom the personal data have been or will be communicated, the intended period for which the personal data will be stored or, if not possible, the criteria for determining this period; to request the controller to rectify, erase or restrict the processing of personal data concerning him or her, and to object to the processing of such personal data; right to lodge a complaint with a supervisory authority).

The Data Controller shall respond to Customer's request without undue delay, but no later than within one month, and if the Data Controller does not comply with any Customer request, it shall provide reasons. Where necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request. Where the data subject has made an application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.

If the Data Controller does not act on the data subject's request, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for the non-action and of the data subject's ability to lodge a complaint with a supervisory authority.

The Data Controller shall provide the Customer with a copy of the personal data subject to the data management. For any additional copies requested by Customer, the Data Controller may charge a reasonable fee based on administrative costs.

Right to rectification 

You have the right to request the correction of incorrectly recorded information at any time. You can contact the Data Controller at info@pamutkababy.com to correct incorrect data.

Right to erasure ("right to be forgotten") 

You have the right, upon request, to delete personal data relating to you without undue delay, and the controller is obliged to delete personal data relating to you without undue delay if:

  a) Personal data are no longer needed for the purpose for which they were collected or otherwise processed;
  b) You withdraw your consent to the data management and there is no other legal basis for the data management;
  c) You object to the data management and there is no legitimate reason to manage the data;
  d) The personal data have been unlawfully managed;
  e) Personal data must be deleted in order to comply with a legal obligation under Union or Member State law applicable to the Data Controller.

Deletion can be initiated by sending a request to the Data Controller by email to info@pamutkababy.com.

You may object to the management of your personal data,

  a) Unless the processing or transfer of personal data is necessary for the sole purpose of fulfilling a legal obligation to which the Data Controller is subject or for the fulfillment of a legitimate interest of the Data Controller, the recipient or a third party, except in the case of mandatory processing;
  b) When personal data is used or transmitted for direct marketing, opinion polling or scientific research; as well as
  c) In other cases specified by law.

The data subject shall have the right to object at any time to the management of his or her personal data based on Article 6 (1) (e) or (f) of the GDPR, including for profiling based on those provisions. In this case, the Data Controller may not further manage the personal data unless the Data Controller proves that the management is justified by compelling legitimate reasons, which take precedence over the interests, rights and freedoms of the data subject, or which are necessary for the establishment, exercise or defense of legal claims. (GDPR)

Right to restrict data management 

You have the right, at your request, to limit the data management if any of the following applies:

  a) You dispute the accuracy of your personal data, in which case the limitation applies to the period of time that allows the Data Controller to verify the accuracy of your personal data;
  b) The data management is unlawful and you object to the deletion of the data and instead request that their use be restricted;
  c) The Data Controller no longer needs personal data for the purposes of data management, but you request it for the purpose of making, enforcing or defending legal claims; or
  d) You have objected to the data management; in this case, the restriction shall apply for a period until it is ascertained whether the Data Controller's legitimate reasons take precedence over your own legitimate reasons.

Right to data portability

You have the right to receive personal data about you made available to you by a Data Controller in a structured, widely used, machine-readable format, and to transmit such data to another controller without being hindered by the Data Controller to which you provided your personal data, provided that the management is based on your consent or contract and the management is automated.

6. Handling complaints

If you disagree with the Data Controller's decision or if the Data Controller fails to comply with the deadline, you may, within 30 days of the date of notification of the decision or the last day of the deadline, apply to the courts. The court of the county in which the data controller is domiciled is the Metropolitan Tribunal in the capital (hereinafter referred to collectively as the "county court"). The lawsuit may, at your choice, be instituted before the county court of the place where you are domiciled or staying.

You may file a complaint with the National Data Protection and Freedom of Information Authority (headquarters: Szilágyi Erzsébet fasor 22/c, Budapest, Hungary 1125, Postal address: 1530 Budapest, Pf.: 5., Phone: +36 (1) 391-1400, E-mail: ugyfelszolgalat@naih.hu).

If the Data Controller causes damage to another through unlawful management of data of the data subject or violation of data security requirements, he or she is obliged to compensate him. If the Data Controller violates the privacy of the data subject by illegally managing the data of the data subject or violating the data security requirements, the data subject may claim damages from the Data Controller.

7. Data security, privacy incident

The Data Controller takes great care to ensure the secure management of the data and therefore takes the technical and organizational measures necessary to enforce the data and privacy rules. The Data Controller shall endeavor to protect the data in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction or damage.

Built-in and default data protection 

(The Data Controller shall take into account the state of science and technology and the costs of its implementation, as well as the nature, scope, circumstances and purposes of the processing and the varying likelihood and severity of the risks to the rights and freedoms of natural persons, when implementing appropriate technical and organizational measures, such as pseudonymisation, aiming at the effective implementation of data protection principles, such as data saving, and the incorporation of the necessary guarantees to meet the requirements of the GDPR and to protect the rights of data subjects.)

The Data Controller shall take appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for the particular purpose of the management are processed. This obligation applies to the amount of personal data we collect, the extent to which they are processed, the length of time they are stored and their availability. In particular, these measures shall ensure that, by default, personal data cannot be made accessible to an unspecified number of individuals without the intervention of a natural person.

The Data Controller maintains a high level of security for its data storage servers to protect personal data. Physical access to the servers is only possible through a strict authorization process. Data management web applications are also run on industry-standard, secure application servers. In the event of an attack, the primary goal is to maintain data security.

Privacy incident

As soon as the Data Controller becomes aware of the privacy incident, it shall notify the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless it can demonstrate, in accordance with the principle of accountability, that a privacy incident is unlikely to endanger the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, the reason for the delay shall be indicated and the required information may be given in further detail, without undue delay.

The Data Controller shall inform the Customer without undue delay if the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons in order to take the necessary precautions. The information shall include a description of the nature of the privacy incident and proposals to mitigate possible adverse effects on the individual. Information to stakeholders should be provided as soon as reasonably practicable, in close cooperation with the supervisory authority and following instructions issued by it or other authorities concerned, for example law enforcement authorities.

8. Other rules

8.1. The Data Controller reserves the right to change its data management information from time to time. This may be the case, in particular, when the scope of services, data processors, external service providers expands or is required by law. Any misspellings or spelling corrections are not considered changes. Changes in data management should not imply the processing of personal data for purposes other than those for which they were intended. The controller will publish the change information on its website 15 days in advance.

8.2. This Privacy Statement and the Data Controller's Terms of Service are complementary documents and may be viewed at pamutkababy.com.

8.3. The management of the data is done on the one hand by means of information technology and on the other hand by the use of a data processor. All other issues related to data management and data protection shall be governed by the following provisions: Infotv. and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (GDPR).