The current policy describes the principles of data processing on Libra Books Ltd.’s (hereinafter referred to as: Service Provider) websites www.nyelvkonyvbolt.hu, www.gyerekkonyvbolt.hu and www.lisztbolt.hu.
The policy is based on Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Act CXIX of 1995 on processing names and addresses for research and marketing purposes, Act VI of 1998 on the protection of individuals while processing their electronic data and Act XLVIII of 2008 on the basic conditions of commercial advertising, as well as the recommendations of the ‘Online Privacy Alliance’.
The Acts specify that before processing operations are carried out, the data subjects (in this case: the webshop user, hereinafter referred to as: User) shall be informed whether their consent is required or processing is mandatory. Before processing operations are carried out, the data subjects shall be clearly and elaborately informed of all aspects concerning the processing of their personal data, such as the purpose for which their data is required and the legal basis, the person entitled to control the data and to carry out the processing as well as the duration of the proposed processing operation.
Libra Books Ltd.’s data processing ID number is NAIH-74858/2014.
Personal data: means any information relating to the data subject, in particular by reference to his name, an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and any reference drawn from such information pertaining to the data subject;
Data subject/User: means a natural person who has been identified by reference to specific personal data, or who can be identified, directly or indirectly. In this case, any User of the webshops on www.nyelvkonyvbolt.hu, www.gyerekkonyvbolt.hu and www.lisztbolt.hu.
Data processor: means a natural or legal person or unincorporated organization that is engaged under contract in the processing of personal data, including when the contract is concluded by virtue of law. In this case, data processor is Libra Books Ltd. (seat: 1085 Budapest, Kölcsey u 2.)
a) personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
b) personal data concerning health, pathological addictions, or criminal record,
Data subject’s consent: means any freely and expressly given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed without limitation or with regard to specific operations;
Data subject’s objection: means an indication of his wishes by which the data subject objects to the processing of his personal data and requests that the processing of data relating to him be terminated and/or the processed data be deleted;
Controller: means the natural or legal person, or unincorporated body which alone or jointly with others determines the purposes of the processing of data, makes decisions regarding data processing (including the means) and implements such decisions itself or engages a data processor to execute them;
Processing of data: irrespective of the applied process, means any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording.
Public disclosure: means making data available to the general public;
Erasure of data: means the destruction or elimination of data sufficient to make them irretrievable;
Blocking of data: means the marking of stored data with the aim of limiting their processing in future permanently or for a predetermined period;
Destruction of data: means the complete physical destruction of the medium containing data;
Data processing: means the technical operations involved in data control, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are carried out on the data;
Data source: means a body having public service functions that is responsible for the inception – in the course of operations or otherwise – of any statutory public information to be published by way of electronic means;
III. Personal data
On the basis of Subsection (1) of Section 20 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following shall be specified relating to the functionality of the webshops:
a, an indication of the fact that data is being collected (user name, password, first name and family name, e-mail address, phone number, delivery address, delivery name, billing address, billing name)
b, the purpose of data collection (personal data of the data subject will be handled by the Service Provider for the purpose of the entire usage of the website, e.g. conclusion of a contract for providing the services, determining or amending the content, monitoring its compliance, billing of the prices thereof, and the establishment of the related claims, as well as for providing newsletters)
c, the duration of the proposed processing operation (deletion of data immediately after the deletion of registration, except for accounting documents)
IV. Legal basis of data processing
1, Voluntary: Personal data may be processed when the data subject has given his consent that his data can be processed on the websites www.nyelvkonyvbolt.hu, www.gyerekkonyvbolt.hu and www.lisztbolt.hu.
2, The purpose of data processing is to provide the services as specified on www.nyelvkonyvbolt.hu, www.gyerekkonyvbolt.hu and www.lisztbolt.hu, in particular the use of the webshops, the creation of personalised content, the preparation of statistics, the improvement of the IT system and the protection of Users’ data. Data processor shall not use the data in any other way. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.
3, Data processor shall not check the personal data being processed. The User shall be solely responsible for the accuracy of the personal data provided. The User will be responsible that the email address provided will be solely used by the User himself. Regarding this responsibility, any login or transaction from the User’s email address will be considered the responsibility of the User himself.
V. Principles of data processing
In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall – in particular – be considered identifiable if the data controller is in possession of the technical requirements which are necessary for identification.
The accuracy and completeness, and – if deemed necessary in the light of the aim of processing – the up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way to permit identification of the data subject for no longer than is necessary for the purposes for which the data were recorded.
The personal data may be processed by the Service Provider for the purpose of providing services that are essential and necessary to achieve its purpose. Should other conditions be identical, the Service Provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in the Electronic Commerce Act, and only to the required extent and duration.
The Service Provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons.
The Service Provider may process data related to the use of the service for purposes – thus, in particular, for the purposes of enhancing the efficiency of the service, forwarding of electronic advertisements or other direct communications addressed to the recipient of the service, or market surveys – only with the prior specification of the objective thereof and subject to the consent of the recipient of the service.
Recipient of the services shall be allowed, at all times, prior to and during the course of using the information society service to prohibit the data processing.
Data processed shall be deleted if the contract is not concluded or is terminated, and after the billing. Data processed shall be deleted if the objective of data processing has ceased or upon the instruction of the recipient of the service to this effect. Unless provided otherwise by law, deletion of the data shall take place without delay.
The Service Provider shall ensure that the recipient of the service of the information society service may, at any time prior to and in the course of using the service, get acquainted with the types of data processed by the Service Provider and the objective of processing such data, including the processing of data directly not associated with the recipient of the service.
VI. Transmission of data
1. On the basis of Subsection (1) of Section 20 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, the following shall be specified relating to the transmission of data of the website of the webshop:
a) an indication of the fact that data is being collected,
b) the data subjects targeted,
c) the purpose of data collection,
d) the duration of the proposed processing operation,
e) the potential data controllers with the right of access,
f) the right of data subjects and remedies available relating to data processing.
An indication of the fact that data is being collected, scope of data collected.
a) Scope of data transmitted in the interest of management of delivery: Shipping name, shipping address, phone number, amount payable.
b) Scope of data transmitted in the interest of management of online payment: Invoicing name, invoicing address, amount payable.
The data subjects targeted: All data subjects requesting home delivery/online purchase.
The purpose of the data processing: The delivery of goods ordered/management of online purchase.
The duration of the proposed processing operation, deadline for deletion of data: Runs until the delivery of goods/online payment handling.
The potential data controllers with the right of access: Personal data may be processed by the following persons, while respecting the principles referred to above:
Name: Magyar Posta Zrt.
Address: H-1138 Budapest, Dunavirág utca 2-6.
Name: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
Address: 2351 Alsónémedi GLS Európa u. 2.
The right of data subjects relating to data processing. The data subject may request the early deletion of his personal data from the controller providing the delivery of goods/online payment.
Legal basis of the data transmission: the User’s consent, Subsection (1) of Section 5 of the Info Act, and Subsection (3) of Section 13/A of the Act CVIII of 2001 on certain aspects of electronic commerce and information society services.
VII. Rights of data subjects
The data subject may request from the Service Provider to provide information when his personal data is being processed, the rectification of his personal data, and the erasure or blocking of his personal data, save where processing is rendered mandatory.
Upon the data subject’s request, the data controller shall provide information concerning the data relating to him, including those processed by a data processor hired by the data controller or by others based on its instructions, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, the circumstances surrounding the privacy incident, its impact, and the actions taken to rectify the situation, and – if the personal data of the data subject is made available to others – the legal basis and the recipients.
The data controller shall keep records for the purpose of monitoring actions taken in connection with privacy incidents and for information of the public and of data subjects, containing the data subjects’ personal data, the data subjects involved and their number affected by the privacy incident, the time when the privacy incident took place, its circumstances and impacts, the actions taken to rectify the situation, and other data provided for in the legislation on data processing.
With a view to exercising communication control and for the information of the data subject, the data controller shall maintain a transmission log, showing the date and time of transmission, the legal basis of transmission and the recipient, description of the personal data transmitted, and other information prescribed by the relevant legislation on data processing.
Data processors must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than 30 days. The information shall be provided free of charge.
Upon the User’s request, the Service Provider shall provide information concerning the data relating to him, its sources, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and – if the personal data of the data subject is transmitted – the legal basis of data transmission and its recipient. The Service Provider must comply with requests for information without any delay, and provide the information requested in writing, within not more than 30 days. The information shall be provided free of charge.
The Service Provider may order the revision of any personal data that is deemed inaccurate, if the accurate personal data is available to the Provider.
Personal data shall be blocked instead of erased by the Service Provider if so requested by the User, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be processed only for the purpose which prevented their erasure.
The Service Provider shall erase the personal data if it is processed unlawfully, so requested by the User, incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision, or the purpose of processing no longer exists or the legal time limit for storage has expired, or so instructed by court order or by the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
The User shall have the right to object to the processing of data relating to him:
a) if processing or disclosure is carried out solely for the purpose of discharging the Service Provider’s legal obligation or for enforcing the rights and legitimate interests of the Service Provider, the recipient or a third party, unless processing is mandatory;
b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
c) in all other cases prescribed by law.
In the event of objection, the Service Provider shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of its decision. If, according to the findings of the Service Provider, the data subject’s objection is justified, the Service Provider shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.
If the User disagrees with the decision taken by the Service Provider, the User shall have the right to bring action in the court of law within 30 days of the date of delivery of the decision. The court shall hear such cases in priority proceedings.
A complaint in connection with any infringement by the controller may be filed with the National Authority for Data Protection and Freedom of Information.
National Authority for Data Protection and Freedom of Information
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Mailbox: 5.
Phone: +36-1-391-1400
Budapest, 1 May 2014.