Privacy policy

1. Introduction
The aim of this current Privacy Policy is to define how Projekt Manufaktúra Ltd. (H-7400 Kaposvár, Orci str. 13., Building A.) as a data controller – hereinafter: Data controller – legally uses databases and registers kept by itself, and to specify the effectiveness of the principles of data protection, the right of informational self-determination and data security.

Data controller hereby acknowledges the current legal notice as obligatory and considers itself to be bound by these provisions. It also undertakes that all kinds of data management related to its operation comply with all the expectations defined in this current policy, legislations and legal acts of the European Union.
Data controller is committed to protect the personal data of its customers and partners, to keep personal data confidential, and implements all safety, technical and organizational measures that guarantee data security.


This Privacy Policy regulates the data managing activity of Projekt Manufaktúra Trading and Service Ltd. and that of the websites of www.roastopus.hu and www.roastopus.com.
The Privacy Policy is available on the following site: https://roastopus.com/en/privacy-policy


2. Data of the data controller

Projekt Manufaktúra Limited Company
registered office: H-7400 Kaposvár, Orci str., 13., Building A.
business registration number: 14-09-316608
VAT number:25459717-2-14
mobile: +3630/755-0146
e-mail address: info@roastopus.com


3. Data privacy laws

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the controlling of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: „GDPR”) 
Act CXII. of 2011 on Informational Self-determination and Freedom of Information (hereinafter: „Privacy Act”) 
Act V/2013 promulgating the Civil Code (hereinafter: „Civil Code”) 
Act CXXX/2016 – Code of Civil Procedure (hereinafter: „Civil Procedure”) 
Act CVIII of 2001 on certain issues of electronic commerce activities and information society services (hereinafter: „Act CVIII of 2001”) 
Act of XLVIII on the essential conditions and certain limitations of business advertising activity (hereinafter: „Act of XLVIII”).

4. Definitions on personal data and their interpretation

data subject: any natural person identified or - directly or indirectly – identifiable by any defined personal data;
personal data: any information relating to an identified or identifiable natural person („data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
data controlling: any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
data controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the controlling of personal data; where the purposes and means of controlling are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 
data processing: fulfilling technical tasks related to data management, regardless of the methods and tools used for executing these actions, irrespective of the place of application, provided that the technical tasks are disposed on the data;
data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; 
personal data filing system: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis; 
recipient: a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients; the controlling of the above mentioned data by these authorities must comply with the data protection rules concerning the aims of data controlling;
third party: any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to control the data; 
the data subject's consent: any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being controlled; 
the data subject’s protest: statement of the data subject in which he objects to the controlling of his personal data, and calls for data control to be eliminated and the data controlled to be deleted;
transfer of data: making a data available to a determined third party;
disclosure: making a data accessible to anyone;
data erasure: making a data unrecognisable so that their reconstruction is no longer possible;
data marking: providing identification mark on the data in order to differentiate it;
data closure: providing identification mark on the data to limit its further controlling permanently or for a specified period;
data destruction: total physical destruction of the data medium that contains data;
personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise controlled;
third country: a non-EEA country.


5. Principles of personal data controlling

5.1.
Any controlling of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise controlled („lawfulness, fairness and transparency”); 
5.2.
Personal data may be collected only for specified, explicit and legitimate purposes and should not be further controlled in a way incompatible with those purposes; according to the Article 89 (1) controlling for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not regarded as incompatible with the original purposes („purpose limitation”);
5.3.
Personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are controlled. („data minimisation”); 
5.4.
Personal data shall be accurate and, where necessary, kept up to date; very reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are controlled, are erased or rectified without delay (‘accuracy’);
5.5.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are controlled; personal data may be stored for longer periods insofar as the personal data will be controlled solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); 
5.6.
Personal data shall be controlled in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful controlling and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). The controller shall be responsible for, and be able to demonstrate compliance (‘accountability’).
5.7.
Personal data can be transferred to a data controller doing data controlling in a third country or can be given to a data processor of a third country if the data subject explicitly gives his consent or if the conditions of data controlling explained above are fulfilled, and if during the time of data controlling and processing in the third country the adequate level of protection of personal data is ensured. Data transfer to EEA states must be regarded as the same as data transfer within the borders of Hungary.


6. Controlling of personal data

6.1.
Controller fulfils data controlling on the basis of the voluntary consent of data subject or if authorised by law. 
In case of voluntary contribution data subject can any time request for information about the data controlling and its use, furthermore he can repeal his consent except in defined cases when data controlling is based on legal order – in such cases data controller gives information about the further controlling of the data to those concerned. 
Personal data can also be controlled ed if obtaining the consent of data subject is impossible or would involve a disproportionate expense, where controlling is necessary to comply with a legal obligation on the controller or to enforce a legitimate interest of the controller or third party (if the enforcement of this interest is proportionate to the limitation of the right to the protection of personal data).

6.2.
The providers of data are obliged to provide accurate data, according to the best of their knowledge.
6.3.
If the provider of data does not provide his personal data, the provider of data is obliged to ensure a consent of the data subject.
6.4.
If the controller of data provides data to third parties, the controller runs a register of such actions. The register of providing data to third parties has to contain the address, the way, time and range of provided data. The controller runs a separate „Data Transfer Register” of data transferring actions.
6.5.
For the statement of a person legally incapable or a child with limited capacity under the age of 16 the contribution of his legal representative is necessary, except for those services when the statement targets data controlling that is common in everyday life and that does not require any special consideration. If the data subject is not able to give his consent due to his incapacity or any other insurmountable reasons, then to the extent necessary to protect the vital interest of the data subject or of another natural person, or to avert or prevent immediate threats endangering the life, physical safety or goods of the persons, during the obstacles of contribution the personal data of the data subject can be controlled.

7.Controlling data

7.1.
Connection in person, via phone or email 
The range of personal data controlled:   
name, phone number, e-mail address

The aim of controlling data: 
To identify the client/contracting entity, getting in connection in order to be able to offer satisfying quotation.

Legal basis of controlling data:
The data subjects’ consent based on Infotv. 5. § (1) paragraph a) section and the 2016/679 regulations of the European Parliament and Council 6. (1) a): „the data subject has agreed on controlling their data for one or more specific reasons”

Time span of controlling data: 
Until the quotation is given, maximum 6 months. 
In case after the possible client has been contacted and the quotation has been provided and using our services (shopping) has been realized, then the data subject’s data controlling is regulated by the rules in „Contract – using the services.

Registrations on the sites www.roastopus.hu and roastopus.com

The scope of personal data controlled: name, e-mail address, phone number, password, delivery address and billing address. 
Entering one’s own account is possible giving their username/e-mail address and password. If User provides these data on the website when registrating or when they provide these data when logging in, they accept the registration and controlling of their data.

The aim of controlling data: to identify the contracted client, creating an own account for the User, assessing their needs.

Legal basis of controlling data:
The User’s consent based on Infotv. 5. § (1) paragraph a) section and the 2016/679 regulations of the European Parliament and Council 6. (1) a). The User consents (accepts and allows) that by sending their registration to our Company their personal data - which they provide when registrating and logging in– will be controlled by our Company following the regulations outlined in this Privacy Policy. 
 

Time span of data controlling:
Until the data subject withdraws their consent, maximum 8 years.  
The declaration of consent can be withdrawn any time free of charge without any restrictions or specific reasons. In case the data subject does not claim their data to be deleted, these personal data will be controlled for 8 years. In case the controlling of these personal data is enabled by law, then the data subject will be informed about it.

Shopping on the website  

The scope of personal data controlled:
For fulfilling the order, after clicking on „basket” and then on „order” those data will be used which were earlier provided.:
name, e-mail address, phone number, billing address, delivery address.  

The aim of controlling data: 
To identify the contracted partner and fulfilling the obligation based on the sales agreement created, 
To fulfil the obligation that the delivery service has to deliver he packet to the right recipient and to issue a receipt, 
In case of a possible dispute and for remedies the data are used for checking and verification, as without using these data the order cannot be fulfilled. 
Legal basis of controlling data:
It is based on the 2016/679 regulations of the European Parliament and Council 6. (1) b)., which says that  „ controlling is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”,
After the contract has been performed the legal basis of data controlling is the 2016/679 regulations of the European Parliament and Council Article 6. (f) which says: „ controlling is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Time span of data controlling:
The Company stores the above mentioned data for 5+1 years (the forfeiture deadline of the claims in the contract) starting from the point when the sales agreement has been performed or the performance has failed.
They will be stored for 8 years based on the 2000/C. §169 in order to fulfil the accounting obligations starting from the point of issuing the receipt.

Payment through the website

The scope of personal data controlled: name, email address, transaction ID number, time point of transaction and state of transaction

The aim of controlling data: to run the online payment, to confirm the transactions 
and to do fraud-monitoring in order to protect the users (checking for any abuses), to manage the accounting of commissions.


The legal basis of controlling data: 
It is based on the user’s voluntary consent. The legal basis in this case is the Info tv 5.§ 1) a). and the 2016/679 regulations of the European Parliament and Council 6. (1) a). „the data subject has given consent to the controlling of his or her personal data for one or more specific purposes”. Further legal basis: law nr. 2001. CVIII. 13/A. § (3) referring to certain points of the electronic commercial services and services in connection with the information society.

Time span of data controlling: the service that manages the transaction provides data controller with a bill attachment related to the accounting of commissions. This attachment contains the above stated data which are necessary to identify the transaction.  The Company stores these data stated above for 8 years in order to fulfil the obligations based on the law 2000. C §169.

Transfer of data:
In case online payment method is chosen: the amount of the payment is transferred to SimplePay(OTP Mobilszolgáltató Kft 1093 Budapest, Közraktár u. 30-32.)  financial intermediary system. These systems transfer the above stated data as an attachment to the bill to the Service Provider while accounting the commissions connected to the transactions that are managed vie these systems.
During the online transaction no data which would make any misuse possible (concerning the bank card, e-wallet or bank account number) are given to data controller Buyers can be informed about the use and storing of these data in the governing Privacy Policy of the given financial service.
 

Bank transfer

The scope of personal data controlled: name, bank account number 
The aim of controlling data: 
To run the online payment and confirming the transaction
The legal basis of controlling data: 
It is based on the user’s voluntary consent. The legal basis in this case is the Infotv 5.§ 1) a). and the 2016/679 regulations of the European Parliament and Council 6. (1) a). „the data subject has given consent to the controlling of his or her personal data for one or more specific purposes”. Further legal basis: to certain points of law nr. 2001. CVIII. 13/A. § (3) referring of the electronic commercial services and services in connection with the information society.


Time span of controlling data:
It is 8 years based on the 2000/C. §169 in order to fulfil the accounting obligations.

"The receipt which directly or indirectly supports accounting in bookkeeping (meaning the general ledger bills, the analytic and detailed register) has to be stored in a legible form and in a retraceable manner based on the accounting notes for a minimum in 8 years."

7.6.Refund
In case money is refunded, Data controller starts the refund transaction reffering to the user’s data / bank card number which Data controller has previously retrieved from the OTP SimplePay system. The given bank card number / user’s data are stored by the above mentioned financial systems. The data which are necessary for the refund are provided to Data controller with less information content. Data controller uses these data exclusively to identify the buyer. During the online transaction no data which would make any misuse possible (concerning the bank card, e-wallet or bank account number) are given to data controller. Buyers can be informed about the use and storing of these data in the governing Privacy Policy of the given financial service.


Transferring back
Refund can also be done through bank transfer, for which it is necessary to ask for the account number of the consumer in an e-mail. Data linked to this transaction will be used only for the refund, these data will not be registered by Data controller.


Billing

Scope of personal data controlled:   
The Company issues a bill in order to fulfil the obligations listed in the law concerning VAT (2007. CXXVII.). The bills have to include the following data: 
In case of private individuals: name, address, tax number or tax ID. 
In case of companies with legal personality (enterprises): name, site address, tax number

Aim of controlling data: 
To fulfil the obligations in the law 2007. CXXVII. and the law 2000. C. concerning accounting and book keeping.

Legal basis of controlling data:
The 2016/679 regulations of the European Parliament and Council 6. (1) c). saying: „controlling is necessary for compliance with a legal obligation to which the controller is subject”. The related lawful obligations concerning VAT are listed in 2007. CXXVII., the related obligations concerning book keeping is in 2000. C.

Time span of data controlling: 
In order to fulfil the accounting obligations based on law 2000. C. § 169. : 8 years.

"The receipt which directly or indirectly supports accounting in bookkeeping (meaning the general ledger bills, the analytic and detailed register) has to be stored in a legible form and in a retraceable manner based on the accounting notes for a minimum in 8 years."


Transfer of data: 
The data of the client is transferred to a third party in the following cases: 
based on legal obligations to National Tax and Customs Administration.
the following company performing accounting tasks: „FARKAS” Adótanácsadó és Ügyviteli Szolgáltató Korlátolt Felelősségű Társaság
the following company performing enterprise resource planning:Innovip.hu Kft.


Data controlling concerning sending newsletters via the WEBSITE

Scope of personal data controlled:
name, e-mail address

Aim of controlling data: 
To notify User of commercial discounts, latest news and events. 
To send the interested e-mail newsletters which contain information about up-to-date news, sales and discounts and financial advertisements, too. Also to send direct marketing content, personalised offers and to keep in contact.

Legal basis of data controlling:
Data controlling in order to send newsletters is based on the User’s voluntary consent. The legal basis concerning this point is given by the Info tv. 5.§ 1) a) and the 2016/679 regulations of the European Parliament and Council 6. (1) a) which says „the data subject has given consent to the controlling of his or her personal data for one or more specific purposes„

Time span of data controlling:
The personal data controlled lawfully in order to send newsletters will be controlled by the Company until the data subject has withdrawn their consent. 
The consent can be withdrawn free of charge any time without any restrictions or specific reason. In case User does not ask for the withdrawal of their data, these data will be controlled for 8 years. In case any further controlling of personal data beyond this time span is made possible by law, User will be notified by the Company.


8. General rules of controlling data concerning the visit of the website:

Auditing is helped by the server of Google Analytics as external provider. These data rules can be reached via: www.google-analytics.com , where detailed information can be asked for.
The online helpdesk chat server is run by PromptSaaS Inc., (K7M 2J8 Ontario, Kingston, Baiden Street 48., Canada). Their data controlling rules can be reached through http://ugyfelchat.hu/ .
In order to be able to provide tailor-made services he external providers place and re-read a small data package (aka cookie). When the browser sends back a package that has previously been saved, the provider has the possibility to connect the user’s visit at that time with the previous ones, but only regarding their own content.
The cookie can be deleted by the user from their own computer and they can also disable the use of cookies. Usually cookies can be managed by naming the cookies in the browser’s menu, in Tools/Setup and then in Data protection setup.

The aim of controlling data: 
When the website is used, the data controller places small data files (cookies) on the user’s computer. These files are not in direct connection with the user. The aims of these are as follows:
to note data
to identify the user
to make future visits of the user easier 
to make service efficiency better
to send the user aimed advertisement or other aimed content in order to make market research
to identify users and to differentiate them
to identify the current work process of the users
to store the data given during the user’s workprocess
to prevent loss of data (PHPSESSID)
to run the chat connection (PCJSF_Processor_SURL, PCJSF_Tracker_Key, PCJSF)
to identify the visitors (PAPVisitorId).
The legal base of controlling data: data subject has consented
The scope of data controlled: ID number, date, time.
The time span of data controlling:
until the work process is closed (PHPSESSID),
2 hours (PCJSF_Processor_SURL)
1 hour (PCJSF_Tracker_Key, PCJSF),
2 years (PAPVisitorId).

In order to be able to provide tailor-made services, Projekt Manufaktúra Kft. (as the manager of the website roastopus,hu) placse and re-reads a small data package (aka cookie) on the user’s computer. When the browser sends back a cookie that has previously been saved, the provider has the possibility to connect the user’s visit at that time with the previous ones, but only regarding their own content.
The cookie can be deleted by the user from their own computer and they can also disable the use of cookies. Usually cookies can be managed by naming the cookies in the browser’s menu, in Tools/Setup and then in Data protection setup.


The data that are available for the data controller as a result of the use of data files are not connected by the data controller to the user’s ID data.


The so called session cookies are automatically deleted when they reach the deadline set in cookies.
The users have the following possibilities regarding cookies in the user’s browser:
1.user is notified when the data controller wishes to place a cookie on their computer
2.user can forbid the send of cookies any time

It is to be highlighted that when the cookies are not accepted, it will result in the inadequate work of certain webpages or function that are connected to these cookies. In addition, it is possible that the user will not be entitled to access certain data.


9. The use of Google Adwords conversion follow-up on the sites roastopus.hu and .com

9.1
In order to provide adequate management of the Service and to get information on the website’s attendance and visitors’ interest data controller uses Google Analytics measurement system. 
When the user reaches a website through a Google advertisement, then a cookie necessary for conversion follow-up will be placed on their computer. 
The validity of these cookies is limited and they do not contain any personal data, therefore the user cannot be identified through them.
9.2. 
When the User browses certain pages of the website and the cookie is still valid, then Google and the data controller can see that the User has clicked on the advertisement.
All Google AdWords clients get a different cookie; therefore they cannot be traced through the websites of AdWords clients.
9.3.
The information that arrives with the help of the conversion follow-up cookies serve the aim of creating conversion statistics for those clients that choose AdWords conversion follow-up. The clients can then be informed about the number of users who have clicked on their advertisement and then got to the website which has a conversion follow-up label. However, information that would make user identification possible is not available.
9.4.
If you do not wish to take part in conversion follow-up, you can decline it in your browser by forbidding the possibility of placing cookies. Following that step, you will not be part of conversion follow-up statistics.
Further information and the Google Data Protection Rules can be reached here: www.google.de/policies/privacy/


10. Using Google Analytics on the websites roastopus.hu and .com

10.1. 
The website uses the Google Analytics application which is a service of Google Inc. (Google web analyser) Google Analytics uses so-called cookies (word files) which are saved onto your computer and help the analysis of the webpage use of the User. 
The information coming from the use of the website by the User usually go to and are stored on one of the Google servers in the USA.
Ba activating IP anonymization Google previously shortens the IP address of the User within the EU member countries or other countries which are involved in the agreement on the EEA. 
10.2.
Transferring the full IP address to the Google server in the USA and shortening it there is only done in exceptional cases. The manager of this present website contracts Google 
to use this information to assess how the User has used the website and 
to send reports to the manager of the website on the activity of the website and 
to provide further services concerning the internet use and the use of the website.
10.3.
Within Google Analytics the IP address transferred by the User’s browser will not be commingled with other Google data. The User can prevent the storage of cookies by making the adequate settings in their browser. However, please note that in this latter case it might be possible that not all the functions of this current website will be fully available.


The User can also prevent Google from collecting and analysing the data from the User on this website, including the IP address by downloading and installing the browser plugin from this link: https://tools.google.com/dlpage/gaoptout?hl=hu


11. Social media site – Facebook/Instagram  

Data controller manages the Facebook profile: www.facebook.com/roastopus and also the Instagram page called „Roastopus”. 
Facebook privacy policy is available here: https://www.facebook.com/privacy/explanation
Instagram privacy policy is available here:
https://www.facebook.com/help/instagram/519522125107875

Scope of personal data controlled:   
The registered name of the User on Facebook and their public profile picture.

Group of data subjects: 
All data subjects who have registered on Facebook/Instagram, and pressed „like” / „follow” the mentioned pages, commented on the posts or have shared a post.

Aim of data controlling: 
To share certain contents, products of the website (or the www.roastopus.com website itself) on social media sites and
to enhance the popularity of the website.

Legal basis of data controlling:
The legal basis concerning this point is given by the Info tv. 5.§ 1) a) and the 2016/679 regulations of the European Parliament and Council article 6. (1) a) which says „the data subject has given consent to the controlling of his or her personal data for one or more specific purposes„


Time span of data controlling
Data subject can find information about the source of data, how they are controlled and transferred, what the legal basis is via the above mentioned contact details. 
Data controlling runs on the social media sites, therefore the time span and methods of data controlling, the possibilities of altering or deleting data is subject to the regulations of the given social media site.

Collecting other data: 
When managing prize draws through social media, an external marketing consultant is applied. They contact the winner through the platform linked to the Service provider. The aim of getting in contact with the winner is to deliver prize to them. Therefore, the following data are collected from the winner: name, delivery address, phone number. These data are stored only until the prize is delivered. 
Only the following personnel is allowed to contact the winner: 
Balázs Edina Ev. (53656337; 69767814-1-42; 1156 Budapest, Páskomliget utca 18. 3/15)
Rozgics Kornél (55496397; 56808571-1-42; 1156 Budapest, Páskomliget utca 18. 3/15)
Other data controlling 
Data controller gives information about that data controllings which are not listed in this current policy when collecting the data. Certain authorities may contact Data controller in order to get information or data, transfer data or documents from data controller. These authorities may include: court, prosecutor, investigation authorities, infraction authorities, administrative authorities, a Hungarian National Authority for Data Protection and Freedom of Information, The Hungarian National Bank, and based on other regulatory bases also other authorities.
Data controller provides personal data to authorities – provided that the authority has defined the exact aim and scope of data needed – only to the extent and amount which is absolutely necessary in order to fulfil the aim for which it is needed.


12. Data processors / storers

Provider of storage space

Name of company: RATIOR Kft.
TAX number: 22782874-2-14
company registry number: 14-09-310576
email: fogarasi@fogarasi.com

Scope of data controlled: Storage of all the personal data given by the data subject.
Scope of data subjects: All the data subjects using the website. 
The aim of data controlling: to make the website available, to run the website adequately.
Time span of data controlling, deadline of deleting data: Until the agreement between data controller and storage space provider is valid or until the data subject send the request to storage space provider to delete their data.
Legal basis of data processing: the consent of the data subject, Infotv. 5. § (1), article 6 (1) a), and the law 2001.CVIII. 13/A. § (3) concerning certain issues of electronic commerce activities and information society services.


Accountant  
Name:„FARKAS” Adótanácsadó és Ügyviteli Szolgáltató Kft.
company registry number: 07-09-001661
tax number: 10604801-2-07
site address: 8152 Kőszárhegy, Honvéd u. 8.
email: info@konyvelofehervar.hu
telephone: 06-22/503-538

Scope of data controlled: processing and storing billing data.
The aim of data controlling: To fulfil the obligations in the law 2007. CXXVII. and the law 2000. C. concerning billing, accounting and book keeping.
Time span of data controlling, deadline of deleting data: 
In order to fulfil the accounting and book keeping obligations based on the law 2000. C 169. § it is 8 years.
"The receipt which directly or indirectly supports accounting in bookkeeping (meaning the general ledger bills, the analytic and detailed register) has to be stored in a legible form and in a retraceable manner based on the accounting notes for a minimum in 8 years."

Legal basis of data processing: 
The 2016/679 regulations of the European Parliament and Council 6. (1) c). saying: „controlling is necessary for compliance with a legal obligation to which the Company is subject”. The related lawful obligations concerning VAT are listed in 2007. CXXVII., the related obligations concerning book keeping is in 2000. C.


Enterprise resource planning system operator

Name:Innovip.hu Kft.
company registry number:07-09-001661
Tax number:24901376-2-06
Site address:6723 Szeged, Gát utca 7/B
email:iroda@innovip.hu
telephone:+36203676755

Scope of data controlled: storage of billing data.
The aim of data controlling: To fulfil the obligations in the law 2007. CXXVII. and the law 2000. C. concerning billing, accounting and book keeping.
Time span of data controlling, deadline of deleting data: 
In order to fulfil the accounting and book keeping obligations based on the law 2000. C § 169. it is 8 years.
"The receipt which directly or indirectly supports accounting in bookkeeping (meaning the general ledger bills, the analytic and detailed register) has to be stored in a legible form and in a retraceable manner based on the accounting notes for a minimum in 8 years."

Legal basis of data processing: 
The 2016/679 regulations of the European Parliament and Council 6. (1) c). saying: „controlling is necessary for compliance with a legal obligation to which the company is subject”. The related lawful obligations concerning VAT are listed in 2007. CXXVII., the related obligations concerning book keeping is in 2000. C.

Tax authorities

name: National Tax and Customs Administration
site address: 1054 Budapest, Széchenyi u. 2.
email: nav_kozpont@nav.gov.hu
telephone: +36 (1) 428-5100

Scope of data controlled: processing billing data.
The aim of data controlling: To fulfil the obligations in the law 2007. CXXVII. and the law 2000. C. concerning billing, accounting and book keeping.

Time span of data controlling, deadline of deleting data: 
In order to fulfil the accounting and book keeping obligations based on the law 2000. C § 169. it is 8 years.
"The receipt which directly or indirectly supports accounting in bookkeeping (meaning the general ledger bills, the analytic and detailed register) has to be stored in a legible form and in a retraceable manner based on the accounting notes for a minimum in 8 years."

Legal basis of data processing: 
The 2016/679 regulations of the European Parliament and Council 6. (1) c). saying: „controlling is necessary for compliance with a legal obligation to which the company is subject”.


Marketing

Name:Balázs Edina Ev.
Registry number:53656337
Tax number:69767814-1-42
site address:1156 Budapest, Páskomliget utca 18. 3/15
email:info@peaberry.hu
telephone:06-70/378-0309

name:Rozgics Kornél Ev.
registry number: 55496397
tax number:56808571-1-42
site address:1156 Budapest, Páskomliget utca 18. 3/15
email:rozgicskornel@gmail.com
telephone:06-70/378-0309


Scope of data controlled: processing Facebook profile name, e-mail address, telephone number, delivery address
The aim of data controlling: To share certain content elements, products or the website (roastopus.com) itself on social media sites, to make the website more popular, to collect „likes” or in certain cases to send prizes.
Time span of data controlling, deadline of deleting data: 
Data subject can gain information about the source, controlling, method of transfer and legal basis of data on the given social media sites, via the above mentioned contact details. 
Data controlling is done on the social media sites, therefore the time span, method and the deleting and change of data is subject to the rules of the social media sites. 
Legal basis of data processing: 
Infotv. 5. § (1) paragraph a) section and the 2016/679 regulations of the European Parliament and Council 6. (1) a): „the data subject has agreed on controlling their data for one or more specific reasons”


Newsletters service

Name:MailerLite
site address:Jono Basanavičiaus g. 15, Vilnius 03108, Lithuania
email:info@mailerlite.com

Scope of data controlled: storage of name, email address

The aim of controlling data: 
to inform the User about commercial sales/discounts, up-to-date news and events, 
to send e-mail newsletters (also containing commercial advertisements) to the data subjects, 
to let them know about up-to-date information, discounts, 
to send direct marketing content, 
to make personalised offers
to keep in contact

Time span of data controlling and deadline of deleting data: 
The personal data controlled lawfully in order to send newsletters will be controlled by the Company until the data subject has withdrawn their consent. 
The consent can be withdrawn free of charge any time without any restrictions or specific reason. In case User does not ask for the withdrawal of their data, these data will be controlled for 8 years. In case any further controlling of personal data beyond this time span is made possible by law, User will be notified by the Company.

Legal basis of data processing: 
Data controlling in order to send newsletters is based on the User’s voluntary consent. The legal basis concerning this point is given by the Info tv. 5.§ 1) a) and the 2016/679 regulations of the European Parliament and Council 6. (1) a)  which says „the data subject has given consent to the controlling of his or her personal data for one or more specific purposes„

Package delivery

name:GLS General Logistics Systems Hungary Csomag-Logisztikai Kft
tax number:12369410-2-44
site address:2351 Alsónémedi, GLS Európa utca 2.
email:info@gls-hungary.comT
telephone:+36 29) 88 66 70
The privacy policy is available here:
https://gls-group.eu/HU/hu/adatkezelesi-tajekoztato


name:FoxPost Zrt.
tax number:25034644-2-10
site address:3300 Eger, Pacsirta utca 35 A
email:info@foxpost.hu
telephone:06-1-999-0-369
The privacy policy is available here:
https://foxpost.hu/uploads/documents/hu/foxpost_adatkezeles.pdf

Name:FÜRGEFUTÁR.HU Szolgáltató Kft.
tax number:22966331-2-41
site address:1133 Budapest Árbóc utca 6.
email:ugyfelszolgalat@furgefutar.hu
telephone:06-1-900-96-69
The Privacy Policy is available here:
https://furgefutar.hu/aszf/#10-adatkezelesi-szabalyok-adat-es-titokvedelem


Scope of data controlled: processing and storage of name, e-mail address, telephone number, delivery address.

The aim of data controlling: 
to identify the contracted partner and to fulfil the obligations derived from the sale and purchase agreement, 
to send the package to the right addressee (by the delivery service) and to fulfil billing obligations, 
in case of possible disputes or satisfying claims: to make the data retraceable and justifiable as without these data no contract can be made, the delivery is not performed.

Legal basis of data controlling: the legal basis in this field is the regulation 2016/679, Article 6, 1 (b) of the European Parliament and Council which says: " controlling is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
After the sale and purchase agreement has been performed the legal basis of data controlling is the regulation 2016/679, Article 6, (f) which says: „ controlling is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Time span of data controlling: The Company stores the above mentioned data for 5+1 years (the forfeiture deadline of the claims in the contract) starting from the point when the sales agreement has been performed or the performance has failed.
In order to fulfil the accounting obligations, data are stored for 8 years based on the law 2000. C. §169.


13.  Methods of storing personal data, data controlling security

Data controlling
The data given by the User when contacting through the website is stored by data controller in Hungary on the above listed server of the data processor’s storage space providing service, and (in an electronic way) on its site address. 
The data are accessible exclusively for Data controller. Data are controlled exclusively by the co-workers of Data controller. Data are only used in order to getting in contact and to provide quotation.

Data controller chooses the IT tools for data controlling while providing service so that the data controlled:
a) are accessible for the entitled ones (availability);
b) is surely authenticated and certified (authentication of data controlling);
c) are surely not changed, it can be certified that they are unchanged (data integrity);
d) is secured against unjust access (confidential nature of data).
Data controller secures the data with adequate steps against unjust access, change, transfer, publicity, deleting or erasure, and non-defaulting erasure, corruption or inaccessibility due to changes in the IT tools used.

Data controller ensures that the data stored in their different registries cannot be directly connected or assigned to the data subjects (with the exception when law allows this). This is done by using adequate technological solutions.
Data controller ensures the security of data controlling by staying up-to-date regarding technological advancements and uses such technological and organisational possibilities which provide the adequate level of security compared to the risks in connection with data controlling.

When controlling data, Data controller ensures secrecy, protects information, so that only the entitled can access them. Data controller ensures integrity, secures the precision and completeness of data processing methods and information, protects availability, ensures that when entitled necessity arises, the information and the tools necessary are accessible.

Data controller claims that their IT system and net are secured against 
computerised fraud, espionage, sabotage, vandalism;
fire and flood;
computer viruses and computerised invasion,
and attacks leading to performance refusal. 
Operator ensures security by using server and application level defence measures.

Data controller stores all the data they control – in both paper-based and electronic format – at its site with the exception of the data which are stored at the Data controller ’s data processors. The place of storage in case of these data is at the data processors’ site. 
Data controller uses such an IT system that ensures 
the accessibility of data for those entitled (availability); 
the authenticity of data (data controlling authenticity);
that the unchanged nature of data can be certified (data integrity);
the protection against unjust access (confidentiality of data).


14. Rights of data subjects, possibilities of remedy

Personal data can only be controlled with defined aims, in order to exercise rights, and to fulfil obligations. These aims have to complied with at each stage of data controlling. Only those personal data can be controlled which are strictly necessary to fulfil the aims of data controlling and ensures the realization of the aims. Personal data can be controlled only during the extent and time span that are strictly necessary to realize the aims.

The right to be informed: 
You can ask for information about how your personal data are controlled. You can also ask for the rectification, deleting and withdrawal of your personal data with the exception of the compulsory data controlling. You are entitled to the right of transferring data, the right of protest in the ways you are notified of when the data are collected, and via the contact details specified in this privacy policy of Data controller.
You must be clearly, understandably and in details informed about all facts related to the controlling of your data, especially about 
the aim and legal basis of data controlling, 
the person(s) entitled to processing and controlling your data, 
the time span of data controlling 
the case when data controller controls your personal data with your consent and with the aim of fulfilling their legal obligations or those of a third party with the consent of the data subject,
who can know the data.

The right to access:  
You are entitled to get feedback from data controller if your personal data are being controlled. If so, you are entitled to access your personal data and the information listed in the regulations.
In case you ask for it, we provide information about the question if data controlling concerning you is running, with regard to the following points:
- personal data in connection with you
- the aims of controlling data; 
- the categories of such personal data; 
- the person(s) who got or will get the data of the subject; 
- the time span of data storage; 
- the right to rectify, delete or restrict data controlling; 
- the right to turn to supervisory authorities or court; 
- the source of data controlled; 
- the creation of profile and/or automated decision making, and the details and effects if these are applied; 
- the transfer of controlled data to a third country or international organisation.

In case you require data, we are obliged to provide a complying copy of the data we control. 
The deadline to do so is 30 days starting from when the request is received.

The right to rectification: 
You are entitled to expect the data controller to immediately rectify your imprecise personal data without any unjustified delay. Considering the aim of controlling data, you are entitled to ask for the completion of missing personal data, e.g. through a claim for completion. 
 

The right to delete: 
You are entitled to ask data controller to immediately delete your personal data without any unjustified delay. Data controller is obliged to delete your personal data without any unjustified delay when the following conditions are met: 
the personal data are not necessary any more to fulfil those aims for which they were collected or controlled; 
data subjects withdraw their consent that is the base of data controlling  and there is no other legal base for controlling the data; 
data subject protests against data controlling and there is no legal right that overrides this; 
the personal data have been controlled tortiously; 
the personal data must be deleted in order to fulfil EU or EU member country legal obligations that apply to the data controller; 
the personal data have been collected in connection with services concerning informational society. 
Deleting data cannot be required if data controlling is necessary in order to:
exercise the right to getting information and the freedom of express opinion;
fulfil EU or EU member country obligations that are connected to data controller;
to fulfil a task which is based on public interest or on the data controller ‘s authorisation to exercises public authority
fulfil aims of connected to public health,
archive, to fulfil scientific and history-related or statistical aims; 
support public interest; 
protect, implement, submit legal demands.

The right to restrict data controlling: 
You are entitled to ask data controller to restrict data controlling if one of the following conditions are met: 
You challenge the precision of data, in this case restriction refers to that time span which makes it possible for the data controller to check the precision of the personal data; 
data controlling is unlawful and you protest against deleting the data. Instead, you ask for the restrictions of their use; 
the data controller no longer needs your personal data to be controlled but you require them to submit, protect or present legal demands; 
you protested against data controlling; in this case the restriction refers to the time span until it is stated if the data controller’s lawful reasons override your lawful reasons.

The right to transferring data: 
You are entitled to be provided with the data that are connected to you and you have given them to the data controller in a well-outlined, widely used format that can be read on computer. You are also entitled to transfer these data to another data controller without being prevented by that data controller who has provided you with the personal data.


The right to protest: 
If the personal data are controlled with the aim of obtaining business, you are entitled to protest any time against the control of your personal data for this aim. This includes creating profiles, if it is connected to obtaining business.
If you protest against your personal data being controlled in order to obtain business, your personal data cannot be further controlled for this aim. 
Should you have any reasons concerning your own personal situation, you are entitled to protest any time against the controlling of your personal data regarding the following cases: 
controlling personal data based on the data controller’s fulfilling tasks while exercising public powers, 
data controlling when data controller or a third party lawfully exercises rights, including the creation of profiles based on the above mentioned regulations.
In case of protest data controller is no longer allowed to control personal data, except for the situation when data controlling is reasoned by such coercive lawful reasons which override your interests, rights and freedoms, or which are related to the submission, protection or exercising legal demands.


Automated decision making in specific cases, including the creation of profiles: 
You are entitled not to be the subject of such fully automated data controlling – including the creation of profiles – which would have a legal effect on you or which would significantly concern you.


The previous paragraph is not to be applied in case: 
it is necessary in order to perform or make a contract between you and the data controller; 
it is made possible by such an EU or EU member country law that refers to data controller and which also determine adequate steps to protect also your rights, freedoms and lawful interests; or 
it is based on your express consent.

Right to withdraw: 
You are entitled to withdraw your consent any time. The withdrawal of consent does not concern the lawfulness of data controlling before the withdrawal of consent.


15. Informing data subject about data breach

If the data breach is likely to be highly risky concerning the rights and freedoms of natural persons, then data controller informs data subjects about the breach without any unjustifiable delay.

In the information that is provided, data subject has to be notified clearly and understandable about the nature of the breach concerning data protection. The name and contact details of the administrative officer or of any other contactable person has to be provided.  Data subject also has to be informed of the possible consequences of the breach. Data subject also has to be notified of the steps taken or planned by data controller which aim at rectifying the breach or lessening the possible negative effects of the data protection breach on data subject.

Data subject does not have to be informed in case any of the following conditions are met: 
data controller has taken the adequate organisational and technological protective step and these steps have been used concerning the data which are involved in the breach, including specific steps such as encryption.
such steps have been taken which make the personal data indecipherable for those who do not have the right to access the data; 
following the breach, data controller has taken such further steps which ensure that the high risk concerning data subject’s rights and freedoms is not likely to be realized; 
giving information would mean disproportionate efforts. In such cases data subjects are to be notified through publicly available information, or such similar steps are to be taken which ensure that data subjects are informed with similar efficacy. 
if data controller has not informed the data subjects of the breach yet, after due consideration of how likely the high the risk of the breach is, the supervisory authority can order data controller to inform data subjects.

Data controller is to report the data protection breach to the concerned supervisory authority (based on article 55) without any unjustifiable delay, and if possible, maximum 72 hours after data controller has noticed the breach, except for cases where the breach is not likely to mean high risk concerning the rights and freedoms of natural persons. If the breach is not reported within 72 hours, the reasons for the delay are to be attached to the report.

 

16. Rules of procedure

16.1.
In case data controller receives any request based on the articles 15-22 of GDPR, data controller informs data subject in writing as soon as possible on the steps taken, but maximum within 30 days. 
16.2.
In case the request is so complex or there are any other objective circumstances which reason the lengthening of the deadline, the above mentioned 30 days can once be lengthened with 60 days. If the deadline is lengthened, data controller informs data subject about it in writing, together with the adequate reasoning. 
16.3.
Information is provided by data controller free of charge, with the exception of the following cases: 
a. data subject repeatedly requests information/steps to be taken about the same, unchanged content; 
b. the request is clearly unfounded; 
c. the request exaggerates.

Data controller is entitled to: 
a.) refuse the request; 
b.) charge the related and reasonable fees to comply with the request.

16.4.
In case data subject requests, the data to be given in a paper-based form or stored on an electronic device (CD or DVD), then data controller provides a copy of the requested data in the requested method free of charge, except for cases when the chosen platform would mean disproportionate difficulties. Data subjects will be charged 500 HUF per page or per CD/DVD administration fee for any further copies. 
16.5.
In case data controller performs rectification, delete or restrictions, then data controller notifies all the data subjects who have earlier been provided with their data except for cases when giving information is impossible or it would mean disproportionate difficulties.
16.6.
In case data subject requests, data controller gives information on to whom data subject’s data have been transferred. 
16.7.
Data controller answers the requests in electronic format, except for the following cases: 
data subject requests it in a different way and it does not mean unjustifiably high extra costs to data controller; 
data controller does not know the data subject’s electronic contact details. 
16.8.
Practising the right to protest: 
Data controller examines the request within the shortest time possible, but maximum within 15 days starting from when the request was handed in. Data controller decides about how reasonable the request is and informs data subject about the decision.
In case the User’s protest is found reasonable, data controller stops data controlling – including any further data collection and transfer – and locks-up the data. Data controller also notifies all persons that are relevant (have earlier received the personal data which are involved in the objection) and obliged to take steps so that the right to protest can be exercised.


17. Remedies


Should you have any problems or pleas in connection with our Company’s data controlling, please contact us directly via the following contact details:

Projekt Manufaktúra Korlátolt Felelősségű Társaság
site address:7400 Kaposvár, Orci út 13. A. ép. 
phone number:+36-30/755-0146
E-mail:info@roastopus.com

Compensation for damages and tort
Any person that suffers a material or non-material adverse effect due to the violation of the privacy policy regulations is entitled to be compensated by data controller or data processor. 
Data processor is only liable for the damage caused by the controlling of data when they did not oblige to the rules described in the relevant laws that apply especially to them, or when they did not act in accordance with Data controller’s instructions – either ignored them or acted adversely. 
Data controller and data processor are cleared of liability in case they can prove that the event causing damage can in no way be linked to their liability.

Right to take the case to court: 
In case data subject is of the opinion that their rights have been violated by Data controller and/or processor, based on the Code of Civil Procedure data subject is entitled to take the case to a competent court with the relevant jurisdiction. The court starts the proceedings out of turn.

Proceedings of Authority of Data Protection: 
Complaints can be handed in to the National Authority of Data Protection and Freedom of Information: 
name: Nemzeti Adatvédelmi és Információszabadság Hatóság / Hungarian National Authority of Data Protection and Freedom of Information
site address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. 
postal address: 1530 Budapest, Pf.: 5. 
telephone: 06-1/391-1400; fax: 06-1/391-1410
E-mail: ugyfelszolgalat@naih.hu 
website: http://www.naih.hu

Cooperation with authorities 
In case a relevant authority contacts Data controller, they are obliged to transfer the specified personal data to the authority.

Data controller only transfers data that are absolutely necessary for the given authority in order to fulfil their aim.

This policy provides information to data subjects by describing data controller’s practice. Data controller maintains the right to modify this policy.
Data subjects will be then notified and the modified privacy policy will be publicly available. 
The date when the modified privacy policy comes into effect will be specified in the modifications.

Kaposvár, 2021.10.01. 
          
Projekt Manufaktúra Kft