PRIVACY POLICY

Boombury Kft. (hereinafter: Service Provider or Controller) shall comply with the following regulation:

REGULATION (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

This Privacy Policy shall govern data processing for the following websites:

www.butorszerelok.eu

The Privacy Policy can be accessed at: butorszerelok.eu/adatvedelmi-szabalyzat/

Any modification to the Privacy Policy shall enter into force upon announcement at the above website.

Controller’s name and contact details:

Name: Boombury Kft.
Registered office: 1102 Budapest, Szent László tér 24/B 1. em. 7.
Email: info@butorszerelok.eu
Telephone: +36 20 936 1778
Data Protection Officer:

Name: Lóránt Ménesi
Registered office: 1102 Budapest, Szent László tér 24/B 1. em. 7.
Email: info@butorszerelok.eu
Telephone: +36 20 936 1778

DEFINITIONS:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
Personal data shall be:

1/ processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
2/ collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
3/ adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
4/ accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
5/ kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
6/ processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
7/ The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
8/ The Controller declares that any data processing shall be performed in accordance with the above principles.

DATA PROCESSING

Initial contact
1/ Collection of personal data, scope of processed data and purpose of processing:

Personal data Purpose of data processing
Name Identification
Telephone Communication, consultation
Email address Communication, quotation (reply)
Message Drafting and customising quotes
Date/time of request for quote Technical operation
IP address of request for quote Technical operation
The email address does not have to contain personal information.

2/ Data subject: Any person requesting a quote through the website.

3/ Duration of data processing, deletion deadline: Until request submitted by the data subject for erasure. The controller shall communicate any erasure of personal data to the data subject in accordance with Article 19 of the GDPR by electronic means. If the deletion request includes the supplied email address, the controller shall delete the email address upon fulfilling its notification obligation.

4/ Controller(s) entitled to request personal data, data recipients: all personal data shall be processed by the authorised personnel of the controller in accordance with the provisions set out herein.

5/ Rights of the data subject in relation to processing:

The rights of the data subject shall include: right to access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to withdraw consent at any time.
6/ In respect of personal data you may request access, erasure, rectification, restriction of processing, or data portability by the following means:

mail: 1102 Budapest, Szent László tér 24/B 1. em. 7.
email: info@butorszerelok.eu
telephone: +36 (+36) 20,9361778
7/ Legal grounds for data processing: Article 6 (1) b) of the General Data Protection Regulation.

Please note that data processing shall be required for the purpose of sending price quotes.
Your personal data shall be requested so we can provide you with an appropriate quotation.
Failure to provide your personal data shall result in our inability to supply a customised quote or to answer your questions.
8/ Utilised processors

Provided services: Hosting services

Processor’s name and contact details:

Name: Lóránt Ménesi
Address: 1102 Budapest, Szent László tér 24/B 1. em. 7.
Contact details: telephone: +36 20 936 1778, email: info@butorszerelok.hu

Hosting provider:
Godaddy.com LLC. (14455 N Hayden Rd, Scottsdale, Arizona, USA, https://uk.godaddy.com/)

Processing, scope of processed data: Any personal data provided by the data subject.

Data subject: any user of the website.

Purpose of data processing: To facilitate access to, and ensure suitable operation of the website.

3/ Duration of data processing, deletion deadline: Until termination of agreement between the controller and the hosting provider, or the data subject’s request for erasure sent to the hosting provider.

Legal grounds for data processing: Article 6 (1) f) of the General Data Protection Regulation; Article 13/A of Act CVIII of 2001 on e-commerce and certain issues regarding Information Society services.
Rights of the data subject:

To request information on the circumstances of data processing;
To be informed if any processing is being performed, and to access any information relating to data processing;
To receive the relevant personal data in a structured, commonly used and machine-readable format;
To have any inaccurate personal data rectified by the controller without undue delay, as requested;
To object to the processing of personal data.
Management of cookies

The utilisation of cookies typical for web stores, such as password protected session cookies, shopping cart cookies, security cookies, strictly necessary cookies, functional cookies and analytical cookies requires no prior consent from the data subject.

Processing, scope of processed data: unique identifier, dates/times.

Data subject: Any visitor to the website.

Purpose of data processing: User identification, shopping cart registration, visitor tracking.

Duration of data processing, deletion deadline:
Type of cookie
Legal grounds for data processing
Duration of

data processing
Scope of processed data
Session cookies

Article 13/A (3) of Act CVIII of 2001 on e-commerce and certain issues regarding Information Society services.
Until the relevant

session is closed.
connect.sid

Persistent (saved) cookies
Article 13/A (3) of Act CVIII of 2001 on e-commerce and certain issues regarding Information Society services.
until deletion of data subject information
Controller(s) entitled to request personal data: the utilisation of cookies shall not result in data processing performed by the controller.

Rights of the data subject in relation to processing: to clear/delete cookies in the Tools/Settings menu of the browser generally available under the Privacy menu item.

Legal grounds for data processing: consent by the data subject shall not be required if the cookies are exclusively used for the purpose of disclosure by transmission via electronic communications network, or it is necessary for the provider to supply information society services specifically requested by the subscriber / user.
Google Ads conversion tracking

1/ The controller utilises Google Ads and Google Ads conversion tracking services. Conversion tracking is supplied by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; ‘Google’).
2/ Upon reaching the website by a Google advert, a temporary cookie is placed on the computer or device of the user. This cookie contains no personal information, and it does not allow for user identification.
3/ While browsing certain pages of the website, both Google and the controller can see the user clicking on the advert, provided the cookie is still active.
4/ Each Google AdWords customer is assigned a different cookie so they cannot be traced through the AdWords customer websites.
5/ The information gathered by means of conversion tracking cookies are used for analytical purposes for the AdWords conversion customers. It provides access to information on the number of users clicking on the customer’s advert so as to be redirected to its website supplied with a conversion tracking tag. However, it will not provide access to information suitable to identify any users.
6/ You can reject conversion tracking by disallowing cookie installation in your browser. By doing so you will not be affected by conversion tracking.
7/ Further information and Google’s Privacy Policy can be accessed at google.de/policies/privacy/
Google Analytics

1/ This website uses Google Analytics, a service supplied by Google Inc. (‘Google’). Google Analytics tracks and analyses website traffic by means of cookies (text files) stored on the user’s computer/device.
2/ The information generated through cookies as a result of user activity on the website is generally transferred to and stored on Google’s server in the USA. IP anonymization activated on the website allows shortening of the user IP addresses in the EU Member States and other countries party to the EEA Agreement.
3/ Transfer of a full IP address to Google’s server in the USA for subsequent anonymization occurs in exceptional cases only. Authorised by the website’s operator, Google shall use the information to analyse user activity on the website and to provide the website operator with analytical reports and other services relating to website and internet usage.
4/ In Google Analytics the IP address obtained through the user’s browser shall not be combined or cross-referenced with any other Google information. You can choose to disable any or all cookies in your browser. By doing so, however, you may not be able to enjoy the full functionality of the website. You can also prevent Google from collecting and processing information on website usage (including your IP address) generated through cookies if you download and install the plugin accessible via the link https://tools.google.com/dlpage/gaoptout?hl=hu
Facebook pixel

1/ Facebook pixel is a code placed on the website that helps track conversions, build targeted audiences and provide detailed analysis on website usage. Facebook remarketing uses a tracking pixel code to offer personalised ads for the website users via Facebook. The remarketing list does not allow user identification. Further information on Facebook Pixel can be accessed via the link https://www.facebook.com/business/help/651294705016616
Social media

1/ Processing, scope of processed data: User’s registered name and profile picture accessible on Facebook, Youtube, Instagram, etc.
2/ Data subject: Any user registered on Facebook, Youtube, Instagram, etc. who liked the website.
3/ Purpose of data collection: To share and promote the website or certain website contents, products and offers via social media sites, and to attract likes.
4/ Duration of data processing, deletion deadline, controller(s) entitled to request personal data, rights of the data subject in relation to processing: Information on the source of data, data management, and the method of and the legal basis for data transfer can be accessed at the specific social media site. The processing of data shall be performed via social media sites therefore any issues relating to the duration and method of processing and the erasure and rectification of personal data shall be governed by the rules of the specific social media site.
5/ Legal grounds for data processing: data subject’s voluntary consent to the processing of personal data via social media sites.
Customer relationship and other data management issues

1/ In the event of any questions or problems on the part of the data subject while using the controller’s services the controller can be contacted by the means published on the website (telephone, email, social media sites, etc.).
2/ The controller shall delete any received email or message and any information provided by phone, Facebook, etc., containing the name, email address or other voluntarily supplied personal data after a maximum period of 2 years.
3/ Detailed information on data processing, other than listed herein, shall be given at the time of recording the data.
4/ In exceptional cases, upon request by an authority or other body authorised by the law, the Service Provider may be obliged to disclose/transfer information and documents containing personal data.
5/ In such cases the Service Provider shall disclose personal data to the requesting party upon indication of the specific purpose and scope of disclosure only to the extent strictly necessary for fulfilling the objective thereof.
Rights of the data subject

1/ Right of access

You will be entitled to obtain from the controller confirmation as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and information specified in the GDPR.
2/ Right to rectification
You will be entitled to obtain from the controller without undue delay the rectification of any inaccurate personal data. Taking into account the purposes of the processing, you will be entitled to have incomplete personal data completed, including by means of providing a supplementary statement.

3/ Right to erasure
You will be entitled to obtain from the controller the erasure of your personal data without undue delay and the controller shall have the obligation to erase personal data without undue delay where any of the specified grounds applies.

4/ Right to be forgotten
Where the controller has made the personal data public and is obliged to erase such data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

5/ Right to restriction of processing:
You will be entitled to obtain from the controller restriction of processing where one of the following applies:

the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.
6/ Right to data portability
You will be entitled to receive your personal data provided to a controller in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (…)
7/ Right to object
You will be entitled to object, on grounds relating to your particular situation, at any time to processing of personal data (…), including profiling, in accordance with the relevant provisions.
8/ Objection to direct marketing
Where personal data are processed for direct marketing purposes, you will have the right to object at any time to processing of personal data, which includes profiling, to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9/ Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant affects relating to you.

The foregoing shall not apply if the decision:

is necessary for entering into, or performance of, a contract between you and the data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests; or
is based on your explicit consent.
Time frame for action

The controller shall provide information on any action taken on a request without undue delay, and in any even within 1 month of receipt of the request.

That period may be extended by additional two months where necessary. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia, as appropriate: 1/ the pseudonymisation and encryption of personal data;
2/ the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3/ the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4/ a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject referred above shall not be required if any of the following conditions are met:

the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Right to lodge a complaint

In the event of any infringement by the controller you may lodge a complaint to the National Authority for Data Protection and Freedom of Information (NAIH):

National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf.: 5.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

CLOSING REMARKS
This notice has been prepared taking into account the following:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Act CXII of 2011 on informational self-determination and freedom of information;
Act CVIII of 2001 on certain aspects of electronic commerce and information society services (with particular regard to Article 13/A);
Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers;
Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (with particular regard to Article 6);
Act XC of 2005 on the freedom of information by electronic means;
Act C of 2003 on electronic communications (Article 155);
Opinion 16/2011 on EASA/IAB Best Practice Recommendation on online behavioural advertising.
NAIH recommendation on requirement of prior notification to the data subject;
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.