Privacy notice

Under the EU Single Data Protection Regulation (Regulation 2016/679; “GDPR”)

 

VALID:

FROM 01.12.2020 UNTIL THE REVOCATION

 

1. Data controller data:

Company name: Beauty 303 Kft.

Head office: 1149 Budapest, Nagy Lajos király útja 108.

Location: 1149 Budapest, Nagy Lajos király útja 108. 1. 4-8 floors.

Company registration number: 01-09-724577

Tax identification number: 13226754-2-42

Representative: László Mátrai – Managing Director

E-mail address: info@lashandlashes.hu

1. Purpose of this privacy notice:

The controller acknowledges that it is bound by the contents of this legal notice. The purpose of this privacy notice is to inform your customers, partners and clients about the processing of their personal data.

The data controller processes personal data only under the provisions of applicable law and in strict compliance with the provisions on data management and data protection, taking into account the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and limited storage.

The data controller shall take all technical and organisational measures to ensure that the personal data of its partners are processed securely as required by Regulation (EU) 2016/679 of the European Parliament and the Council.

The data controller has adapted its day-to-day activities and developed its rules, registers and standard documents in line with the above.

The privacy policy relating to data processing by the controller is permanently available at the controller’s head office, on the controller’s website and app. The controller reserves the right to amend this policy at any time and shall inform its public of any changes in due course.

The data controller is committed to protecting the personal data of its customers and partners and attaches the utmost importance to respecting customers’ right to self-determination of information. The data controller treats personal data confidentially and takes all security, technical and organisational measures to ensure data security. The data controller describes its data management practices below.

1. Personal, material and temporal scope of the privacy notice:

The personal scope of this privacy notice extends to the controller and the natural persons whose data are included in the processing that is the subject of this notice, as well as to persons whose rights or legitimate interests are affected by the processing.

The scope of this notice covers all data processing that takes place in the course of the controller’s activities on lashandlashes.com.

This policy shall become effective upon approval and shall remain in force indefinitely until further notice.

1. Important definitions:

Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data: any data falling within the special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data revealing the identity of natural persons, data concerning health and personal data concerning the sex life or sexual orientation of natural persons.

Data processing: any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction or destruction.

Controller: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Joint controllers: where the purposes and means of processing are jointly established by two or more controllers, they are considered joint controllers.

Third-party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent of the data subject: a voluntary, specific, informed and unequivocal expression of the data subject’s wishes by which the data subject signifies his or her agreement to the processing of personal data relating to him or her by making a statement or unequivocal affirmation.

Data breach: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed.

1. Lawful processing by the controller:

Personal data are processed by the controller only in the following cases:

1. where the data subject has consented to the processing of his or her personal data for one or more specific purposes,
2. the processing is necessary for the performance of a contract to which the data subject is a party,
3. the processing is necessary for compliance with a legal obligation to which the controller is subject,
4. the processing is necessary for the protection of the vital interests of the data subject or of another natural person,
5. the processing is necessary for legitimate interests pursued by the controller or by a third party.

The controller examines the lawfulness of data processing at all stages of its activities and only processes data for which it can justify the purpose and legal basis. If the conditions of a legal basis cease to apply, processing may only be resumed if the controller can demonstrate an

As a general rule, the way to prove the legal basis is in writing, but it must be examined whether it can be proved ex-post even in the case of a legal basis created by implicit conduct. In case of doubt, written confirmation of imputability should be required for reasons of reasonableness and economy.

In the case of processing based on consent, the data subject consents in writing to the processing of his/her personal data. Consent is not formally required, but written consent on paper or in electronic format is necessary to obtain further evidence.

Processing based on a legal basis to fulfil a legal obligation is independent of the data subject’s consent as the processing is defined by law.

Regardless of the mandatory nature of the processing, the natural person concerned must be informed before the start of the processing that the processing is mandatory and cannot be avoided and must be provided with clear and detailed information on all relevant facts concerning the processing of his or her data before the start of the processing.

Under the GDPR (General Data Protection Regulation), personal data may also be processed if the processing is necessary for the performance of a contract to which the data subject is a party or if the processing is necessary for taking measures at the request of the data subject before entering into a contract. The controller may process personal data for concluding, performing or terminating the contract on a legal basis for the performance of the contract.

1. Processing of personal data by the controller:

The data controller is involved in the retail and wholesale of own-brand fake eyelash products. The products are sold in its stores and online. Personal data of natural persons are processed in carrying out this activity. It carries out the following processing activities:

1. 1. The data controller also sells its products in its stores. In this case, the customer expresses his/her intention to buy and selects the product he/she wants to buy. The data controller issues the customer a receipt or invoice for the value of the product. The receipt does not contain any personal data. The invoice shall contain the name, address and possibly the tax identification number of the data subject. Issuing the invoice is a legal obligation of the controller. The legal basis for processing personal data relating to the invoice is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The controller acts under the legal provisions regarding the storage of personal invoice data and stores them for 8 years.
   2. The data controller also receives orders for the sale of its products via social media sites, by telephone, by e-mail or via its website (hu). Customers can be both natural and legal persons. In the case of purchases from the website, the customer can choose to buy from the online store after registration or without registration. Once registered, customers can view their previous orders (by entering their email address and password), the status of their current orders, and it is easier for them to place a new order without having to re-enter their details. Both during the registration process and for orders without registration, the customer’s name (including the name of the contact person in the case of legal persons), (billing, delivery) address, e-mail address, telephone number, possibly company name and tax identification number shall be requested by the data controller. The legal basis for processing personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). In the case of a legal person, the personal data of the contact person are processed based on the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The controller issues an invoice for the value of the products it has distributed. The invoice must contain the name, address and, if applicable, the tax identification number of the data subject. Issuing the invoice is a legal obligation of the controller. The legal basis for processing personal data in the invoice is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). Personal data from the invoice are stored by the controller for 8 years under the retention obligation under Article 169 of the Accounting Act.
2. In the performance of its tasks, the data controller shall process the e-mail addresses and telephone numbers of its customers, partners and clients to fulfil its contractual obligations (Article 6(1)(b) of the General Data Protection Regulation) or based on their consent (Article 6(1)(a) of the General Data Protection Regulation).
3. The controller may also have contractual relationships with subcontractors, suppliers and service providers in the course of its business, which also constitute a basis for processing personal data. In this case, the legal basis for processing personal data is (in the case of a natural person or a sole trader) the performance of a contractual obligation (Article 6(1)(b) of the General Data Protection Regulation), and in the case of personal data of a contact person of a legal person, the explicit, prior and informed consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
4. Natural persons applying for the data controller may submit a CV to the company. Personal data from the CV shall also be processed. The legal basis for processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
5. The data controller operates the hu website. The legal basis for the processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
6. On the website, registered customers can comment on the products marketed by the data controller. To leave a review, prior registration is required and it is possible to leave a review after logging in to your account. By leaving a review and entering personal data, the visitor consents to the processing of his/her personal data and its publication on the website. The legal basis for processing personal data is the informed consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The data subject declares that he/she has read and understood the Privacy Policy of the Data Controller and has taken note of the information contained therein. The controller does not use the personal data for any other purpose and does not make it available to third parties. The controller shall process the personal data thus recorded until the consent of the data subject is withdrawn. If the data subject withdraws his or her consent, the controller shall delete the recorded personal data from its system without undue delay and at the latest within 3 working days.
7. The data controller’s website also offers the visitor the possibility to register as a resale partner. Application is possible by filling in a form. During the application process, the data controller asks for the name, e-mail address and telephone number of the data subject. The purpose of the processing of personal data is to contact the website visitor and the person interested in the controller’s products. In the absence of an agreement between the parties following the contact, the personal data of the data subject shall be deleted without delay and at the latest within 3 working days. The controller processes personal data for the contract and on this legal basis (Article 6(1)(b) of the General Data Protection Regulation). By filling in the form, the data subject declares that he/she has read and accepted the privacy notice of the controller.
8. The data controller also offers the possibility to subscribe to a newsletter by providing your name and e-mail address. By subscribing to the newsletter, the data subject declares that he/she has read the Privacy Policy of the Data Controller and consents to the processing of his/her personal data for marketing purposes. The data subject has the rights set out in the Data Protection Notice and may exercise these rights in the manner and at the places indicated therein. Accordingly, the legal basis for processing personal data in the context of sending the newsletter is the explicit and written consent of the subscriber (Article 6(1)(a) of the General Data Protection Regulation).
9. The data controller also operates social media sites where personal data are also processed. The controller also uses social media to promote its activities, the products it sells and the courses it organises. These sites are used by the controller for marketing purposes, with the additional aim of familiarising interested parties with its products and services. Prize draws may be occasionally organised on social media. In this case, the personal data of the winner (name, address, telephone number, e-mail address) shall be processed. The legal basis for processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
10. The data controller occasionally takes photographs or video recordings of its customers, partners and clients. If the images show an identifiable person, the images shall only be taken and used – in connection with the controller’s website, social media or other appearances – with the prior, informed, written and voluntary consent of the data subject. The legal basis for processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).
11. A camera system is in place at the controller’s head office to protect assets. Personal data are also processed during the recording of images by the cameras. The legal basis for this is always the legitimate interest of the controller (Article 6(1)(f) of the General Data Protection Regulation).
12. The purpose of data processing in the course of handling complaints concerning the activities of the data controller is to enable the communication of the complaint, to identify the data subject and his/her complaint, to record the data required to be recorded by law, to investigate the complaint and to maintain contact concerning its resolution. In the event of a complaint, the handling of the complaint and therefore the processing of personal data is mandatory under the CLV Act of 1997 on consumer protection. The legal basis for processing personal data is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).

The data controller shall keep a record of the processing described above. The register shall also include the time limits for the deletion of personal data. The register is attached to this privacy notice.

7. Data processors associated with the data operator:

If the processing is carried out on behalf of the operator, the operator may only use operators who offer adequate guarantees of compliance with the requirements of the General Data Protection Regulation or who implement appropriate technical and organizational measures to ensure the protection of the rights of data subjects.

The data operator declares that, in the course of its activity, it will only collaborate with data operators that have adequate guarantees of compliance with the GDPR Regulation and that implement appropriate technical and organizational measures to ensure the protection of the rights of data subjects. The relevant declarations of the data controllers are available to you.

By reading and confirming this Privacy Notice, data subjects consent to the operator transferring their personal data to the operators authorized by the operator and joint operators listed below.

– The person authorized by the operator is the accounting firm hired by the data operator:

SZEP-END Korlátolt Felelősségű Társaság

1106 Budapest, Fehér út 10

Company registration number: 01 09 888713

– The courier company employed by the operator is the person authorized by the operator (and also an independent data operator in the performance of its tasks):

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

2351 Alsonémedi, GLS Európa u. 2

Company registration number: 13-09-111755

– The data operator’s partner for issuing invoices:

Ambrits Information Technology Consulting Ltd.

9400 Sopron, Csengery u. 32-36.

Company registration number: 08-06-009574

– In the case of payment by credit card, the data controller is the person authorized by the operator, who is also an independent data controller:

PayPal

Barion Payment Inc

Budapest, Infopark stny. 1, 1117

Company registration number: 01 10 048552

The legal basis for the processing of personal data is the execution of the contract and, subsequently, the legal obligation to retain the data.

– The company that hosts the websites of the data controller is also a data controller:

RackForest Kft RackForest Kft RackForest Kft

1132 Budapesta, Victor Hugo utca 18-22. 3. etaj.

Company registration number: 01-09-914549

– The operator’s e-mail system server is also a data controller:

Microsoft 365 (Office 365)

– Additional authorized person for sending the newsletter:

 

SendinBlue

55rue d’Amsterdam Paris, 75008 France

VAT registration number: FR80498019298

MailChimp

Based in Atlanta, Georgia, USA

– The IT partner employed by the data operator is also considered a data operator:

László Sztancs E.V.

4034 Debrecen Nagyszalonta utca 14/2

– A partner with access rights to the operator’s social networks is also considered an operator/cooperator:

ZONE IT Solutions, ITM Creative Group Kft.

2800 Tatabánya, Mártírok útja 99. 1st floor 3.a.

Company registration number: 11 09 027970

-The legal basis for the processing of personal data is the execution of the contract and, subsequently, the fulfillment of the legal obligation to keep the data.

• Data operator due to the use of the Google Analytics service on the operator’s website::
  • Google Ireland Limited
  • Gordon House, Barrow Street, Dublin 4, Ireland
• The use of social networks and social plug-ins embedded in the website makes us a data processing partner and joint data controller:
  • Facebook Ireland Ltd.
  • 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland

The owner of the video social site YouTube:

• Google Ireland Limited
• Gordon House, Barrow Street, Dublin 4, Ireland
• The operator also transfers the personal data of its customers to the National Administration of Taxes and Customs.

The partners contracted for the processing and management of the data will process the personal data of the partners only on the basis of the instructions given by the data controller (except where this is provided by law) and under an obligation of confidentiality.

8. Data processing related to the contracts concluded by the operator:

Contracts with customers:

The data controller also sells its products in its stores. In this case, the customer expresses his intention to buy, selects the product he wants to buy. The data controller issues a receipt or invoice to the customer for the value of the product. The receipt does not contain any personal data. The invoice will contain the name, address and possibly the tax identification number of the person concerned. Issuing the invoice is a legal obligation of the operator. The legal basis for the processing of personal data regarding the invoice is therefore the fulfillment of a legal obligation [Article 6(1)(c) of the General Data Protection Regulation]. The operator acts in accordance with the legal provisions regarding the storage of personal data regarding the invoice and stores it for a period of 8 years.

The data controller also receives orders for the sale of its products via social media sites, by telephone, by e-mail or via its website (lashandlashes.com). Customers can be both individuals and legal entities. When shopping on the site, the customer can choose to buy from the online store after registration or without registration. Once registered, customers can view their previous orders (by entering their email address and password), the status of their current orders, and it’s easier for them to place a new order without having to re-enter their details. Both during registration and in the case of orders without registration, the data controller requests the customer’s name (including the name of the contact person in the case of legal entities), address (invoicing, delivery), e-mail address, telephone number, possibly the name of the company and the tax identification number. The legal basis for the processing of personal data is the fulfillment of contractual obligations [Article 6 paragraph (1) letter (b) of the General Data Protection Regulation]. In the case of a legal entity, the personal data of the contact person are processed based on the data subject’s consent [Article 6(1)(a) of the General Data Protection Regulation]. The operator issues an invoice for the value of the products he has distributed. The invoice must contain the name, address and, if applicable, the tax identification number of the person concerned. Issuing the invoice is a legal obligation of the operator. The legal basis for the processing of personal data from the invoice is therefore the fulfillment of a legal obligation [Article 6(1)(c) of the General Data Protection Regulation]. Personal data from the invoice are stored by the operator for 8 years, in accordance with the retention obligation provided for in Article 169 of the Accounting Law.

 

 

Contracts with suppliers:

 

The data controller may also process the contact data of the suppliers (name, email address, telephone number) and contact service providers and subcontractors. In these cases, personal data (personal data of the contact person or of the natural person or individual entrepreneur) may also be processed to contact the partners. The legal basis for the processing of personal data is the fulfillment of a contractual obligation [Article 6 paragraph (1) letter (b) of the GDPR] or the consent of the contact person [Article 6 paragraph (1) letter (a) of the GDPR].

The data controller will complete a consent form with the companies’ contact persons, informing them of their rights in relation to personal data and requesting their consent to the processing of their data. In such cases, the legal basis for the processing of personal data is the explicit, written and duly informed consent of the data subject [Article 6(1)(a) of the General Data Protection Regulation]. If the contract with the partner has been terminated and the legal obligation to keep the data and documents no longer applies, the phone numbers and email addresses will be deleted. The personal data contained in the contract and invoice will be stored by the operator for 8 years, in accordance with the retention obligation provided for in Article 169 of the Accounting Law.

9. Processing invoices issued to customers and the personal data contained therein:

The data controller issues a receipt or invoice to the customer for the product he has sold. The receipt does not contain personal data. The invoice will contain the name, address and possibly the tax identification number of the person concerned. Issuing the invoice is a legal obligation of the operator. The legal basis for the processing of personal data from the invoice is therefore the fulfillment of a legal obligation [Article 6(1)(c) of the General Data Protection Regulation]. The personal data recorded in this way are stored by the operator for a period of 8 years, in accordance with the retention obligation provided for in Article 169 of the Accounting Law.

10. Children’s data, processing of special categories of personal data:

The data subject declares on the website of the data controller that he is over 16 years old in terms of subscribing to the newsletter, reviewing products and consenting to the operation of cookies used by the website. A person under the age of 16 cannot subscribe to newsletters, review products or consent to the collection of data through the cookies used by the website, given that in accordance with Article 8 paragraph ( 1) of the General Data Protection Regulation (GDPR), the validity of his declaration of consent for the processing of personal data requires the consent of his legal representative. The operator is not able to verify the age and right of the person who gives his consent, so the data subject guarantees that the data he has provided is correct.

 

Special data brought to the knowledge of the operator or which have been brought to the knowledge of the operator are not recorded by the operator. If such data has been entered into any system without the operator’s knowledge, the operator shall delete it from the system immediately upon detection..

11. Storage of e-mail addresses and telephone numbers by the data controller.:

In the course of its activities, the data controller also obtains the e-mail addresses and telephone numbers of its partners, clients and customers. The personal data thus entered into its system are processed mainly for the purpose of fulfilling its contractual obligations [Article 6(1)(b) of the General Data Protection Regulation]. If the contract with the partner has been terminated and the legal obligation to keep the data and documents is no longer valid, the phone numbers and email addresses will be deleted. In some cases, the data controller will still have a legitimate interest in the retention of the data and will require the explicit and written consent of the data subject for the retention of his personal data [Article 6(1)(a) of the General Regulation on data protection].

12. Processing of applications and CVs received by the data controller:

Individuals applying for the operator can submit a CV to the company. If the CV is sent because the operator is looking for an employee and has advertised the position, the CV can only be used in relation to that position.

If the candidate does not meet the requirements for the vacancy and another candidate is selected, the CV will be destroyed immediately. The operator may retain the request only on the basis of the explicit, unequivocal and voluntary consent of the data subject [Article 6 paragraph (1) letter (a) of the General Data Protection Regulation], provided that its retention is necessary for the purpose of processing.

The data operator does not post “anonymous” job advertisements (job advertisements in which the employer does not reveal his name, so that at the time of sending the job application, candidates may not know the employer to whom they are applying for a job), as this contravenes the requirement of prior information regarding the identity of the data controller. In any case, the operator informs the persons concerned about the identity of the job advertisements.

If the candidate voluntarily sends a CV to the operator without an advertisement, he declares whether he agrees or not with the processing of his personal data by the operator. Submitting a CV does not imply that the data subject agrees that the operator will keep his/her application file. It is also important to note that the operator can only use the CV in relation to the vacancies indicated by the job seeker. As a general rule, CVs will be kept for 3 months, unless the data subject specifies a longer period in their consent.

The data controller will only check and obtain information from the candidate’s profile page on the social media site if it has informed the data subjects in advance. Even in such cases, only public data will be consulted and only information relevant to the job application or position will be considered in the selection process. Under no circumstances will the candidate’s profile page be saved or stored and transmitted to third parties.

If the person concerned is not selected for the post in question, the operator will inform him of this and the reasons for the refusal.

13. Taking photos, video recordings at the data operator:

 

The data controller occasionally takes photos or videos of its customers, partners and clients. If the images show an identifiable person, the images will be retrieved and used – in connection with the operator’s website, social networks or other appearances – only with the prior, informed, written and voluntary consent of the person concerned. The legal basis for processing is the data subject’s consent [Article 6(1)(a) of the General Data Protection Regulation].

If the data subject withdraws his consent and requests the termination of use of the record or the deletion of the record, the operator shall comply with that request without delay.

14. Operation of a security camera system at the premises of the data operator:

The data controller operates a camera system at its head office for the purpose of protecting the products. The use of the surveillance camera system and the security of the data processed in this way are regulated by a separate information document, called Information regarding the operation of the surveillance camera system.

The data controller uses the cameras exclusively for the purpose of protecting assets, based on its legitimate interest [Article 6(1)(f) of the General Data Protection Regulation], and not for the primary and explicit purpose of monitoring employees and their activities. The operator has, of course, fulfilled its obligation to inform employees and carried out the necessary balancing of interests test.

15. Website of the data controller:

The data controller presents its activities and the products it sells to interested parties on its website.

Operator’s website:

lashandlashes.com

The data operator uses cookies in the operation of its website. The legal basis for the processing of personal data obtained from them is the consent of the visitor [Article 6 paragraph (1) letter (a) of the General Data Protection Regulation].

• The website lashandlashes.com uses the following cookies:
• _fbp
• term: 3 months
• type: marketing – Facebook
• No no.
• term: 2 years
• type: statistics – Google Analytics
• _gcl_au
• term: 3 months
• type: statistics – Google Analytics
• _guide
• time interval: 1 day
• type: statistics – Google Analytics
• _hjAbsoluteSessionInProgress
• Duration: 30 minutes
• type: absolutely necessary
• _hjIncludedInPageviewSample
• Duration: 5 minutes
• type: statistics – Google Analytics
• No no.
• duration: 1 year
• type: statistics – Google Analytics
• _icl_visitor_lang_js
• duration: 3 days
• type: absolutely necessary
• cookie_notice_accepted
• duration: 3 months
• type: absolutely necessary
• mailchimp_landing_site
• duration: 1 month

 

• type: marketing
• woocommerce_cart_hash
• duration: until the end of the browsing session
• type: absolutely necessary
• woocommerce_items_in_cart
• duration: until the end of the browsing session
• type: absolutely necessary
• wp-wpml_current_language
• duration: 1 day
• type: other
• wp_woocommerce_session_36a17ace0c40b9525a7bb8d0ef5065b8
• duration: 2 days
• type: absolutely necessary
• wpml_browser_redirect_test
• duration: until the end of the browsing session
• type: marketing

Cookie :

The purpose of cookies is:

• collect information about visitors and their devices;
• to retain the individual preferences of visitors, which are (are) used;
• make the website easier to use;
• provide a quality experience for users.

 

 

In order to provide a personalized service, a small piece of data called a “cookie” is placed on the user’s computer and read again during a subsequent visit. When the browser returns a previously saved cookie, the cookie provider has the ability to link the user’s current visit to previous visits, but only in relation to its own content.

Strictly necessary session cookies:

The purpose of these cookies is to allow visitors to navigate the website, use its functions and services fully and without problems. This type of cookie is valid until the end of the (browsing) session and is automatically deleted from the computer or other browsing device when the browser is closed.

The choice of the data subject in relation to the Cookie:

Web browser cookies:

In the browser settings, the data subject can accept or reject new cookies and delete existing cookies. You can also set your browser to notify you each time a new cookie is placed on your computer or other device. You can find more information on how to manage cookies in the “Help” function of your browser.

If a visitor chooses to disable some or all cookies, they will not be able to use all features of the website.

Cookies placed by third parties (analysis, statistics, marketing):

The website of the data controller also uses Google Analytics as a third-party cookie. By using Google Analytics, a web analysis service for statistical purposes, the operator collects information about how visitors use the website. Data is used to improve the website and user experience. These cookies will also remain on the visitor’s computer or other browsing device in their browser until they expire or are deleted by the visitor.

When websites or applications use Google Analytics in combination with other Google advertising products, such as Google Ads, they may also collect other advertising identifiers. Users can disable this service or change their cookie settings in Advertisement Settings.

Google Analytics collects users’ IP addresses to protect the security of the service and to allow website owners to get an idea of the country, state or city their visitors come from (also known as “IP geolocation”). Google Analytics offers the ability to mask collected IP addresses, but website owners can see users’ IP addresses even if they do not use Google Analytics.

In the context of Google Analytics, the IP address transmitted by the visitor’s browser is not combined with other Google data. You can refuse the use of cookies by selecting the appropriate settings in your browser, but please note that in this case you may not be able to use all the functionalities of this website.

In addition, the visitor can prevent the collection of data (including his IP address) generated by cookies and related to the use of the website by Google and the processing of this data by Google by downloading and installing the browser plug-in at the link below.

The current link is https://www.google.com/policies/privacy/ads/.

Google acts as a data processor for Google Analytics and therefore as a data controller.

In accordance with the provisions of the General Data Protection Regulation (GDPR), Google Analytics is the data controller, as Google Analytics collects and processes data on behalf of its customers (such as the data controller) according to the instructions of these customers. Google can use the data only in accordance with the terms of the contracts with Google Analytics customers and with the settings provided by customers in the interface of its products.

Google Analytics collects internal cookies, device/browser information, IP addresses and website/app activity. This data is collected so that it can be used to measure and report statistically the actions taken by users on websites and/or applications that use Google Analytics. Customers can customize cookies and the scope of collected data through features such as Cookie Settings, User ID, Data Import and Measurement Protocol.

For customers using the Google Analytics Apps SDK, Google collects an app instance identifier. This is a randomly generated number by the system when a user installs an app for the first time.

Google Analytics uses IP addresses to determine the geographic location of visitors and to protect the service and its customers. Customers can enable a feature called IP masking, which allows Google Analytics to use only a subset of the IP address instead of the entire IP address collected. In addition, customers can replace IP addresses on demand using the IP replacement feature.

Google uses the data processed in Google Analytics to provide its customers with the Google Analytics measurement service. It uses identifiers, such as cookies and application instance identifiers, to measure the actions users take on customer sites and/or applications. It uses IP addresses to keep the service secure and to give website owners an overview of where their users are coming from around the world.

Use of social plug-ins:

The operator’s website also uses embedded content from social networks. In these cases, the processing is carried out together with the operator of the social network. The legal basis for the processing is the consent of the data subject [Article 6 paragraph (1) letter (a) of the General Data Protection Regulation], which he gives by accepting information on the collection of data regarding cookies and by consenting to the collection data.

 

Facebook pixel (Facebook cookie):

A Facebook pixel is a code that allows the website to report conversions, build audiences and provide the website owner with a detailed analysis of how visitors use the website. The Facebook pixel is used to display personalized offers and ads to website visitors on the Facebook interface. The Facebook pixel is used by the website of the data operator. The legal basis for the processing is the consent of the data subject [Article 6 paragraph (1) letter (a) of the General Data Protection Regulation], which he gives by accepting information on the collection of data regarding cookies and by consenting to the collection data.

On the website of the operator, the data subject declares that he has reached the age of 16 in terms of accepting the use of cookies. A person under the age of 16 cannot make a declaration of acceptance or refusal of cookies used by the website, given that, in accordance with Article 8(1) of the General Data Protection Regulation (GDPR) , the validity of his declaration of consent to processing requires the consent of his legal representative. The operator is not able to verify the age and right of the person who gives his consent, so the data subject guarantees that the data he has provided is correct.

Processing of personal data related to purchases and registration:

The data controller also accepts orders for the sale of the products it distributes through its website (lashandlashes.com). Customers can be both individuals and legal entities. When shopping on the site, the customer can choose to buy in the online store after registration or without registration. Once registered, customers can view their previous orders (by entering their email address and password), the status of their current orders, the status of their current order and find it easier to place a new order without having to re-enter their data their. Both during registration and in the case of orders without registration, the data controller requests the customer’s name (including the name of the contact person in the case of legal entities), address (invoicing, delivery), e-mail address, telephone number, possibly the name of the company and the tax identification number. The legal basis for the processing of personal data is the fulfillment of contractual obligations [Article 6 paragraph (1) letter (b) of the General Data Protection Regulation]. In the case of a legal entity, the personal data of the contact person are processed based on the data subject’s consent [Article 6(1)(a) of the General Data Protection Regulation]. The operator issues an invoice for the value of the products he has distributed. The invoice must contain the name, address and, if applicable, the tax identification number of the person concerned. Issuing the invoice is a legal obligation of the operator. The legal basis for the processing of personal data from the invoice is therefore the fulfillment of a legal obligation [Article 6(1)(c) of the General Data Protection Regulation]. Personal data from the invoice are stored by the operator for 8 years, in accordance with the retention obligation provided for in Article 169 of the Accounting Law.

 

 

 

Processing of personal data during the registration process as a reseller partner:

The website of the data controller also offers the visitor the possibility to register as a reseller partner. The request is possible by filling in a form. During the application process, the data controller requests the name, email address and telephone number of the data subject. The purpose of processing personal data is to contact the website visitor and the person interested in the operator’s products. If no agreement is reached between the parties after contact, the personal data of the interested party will be deleted without delay, but within no more than 3 working days. The operator processes personal data for the purpose of concluding the contract on this legal basis [Article 6 paragraph (1) letter (b) of the General Data Protection Regulation]. By completing the form, the data subject declares that he has read the operator’s Privacy Notice and that he is aware of its content.

Processing of personal data in connection with “Product Reviews” on the website:

On the website, customers registered on the website have the opportunity to make comments on the products sold by the data operator. To leave a review, you need to register in advance and you can leave a review after logging into your account. By leaving a comment and entering personal data, the visitor gives his consent to the processing of his personal data and their publication on the site. The legal basis for the processing of personal data is the informed consent of the data subject [Article 6 paragraph (1) letter (a) of the General Data Protection Regulation]. The data subject declares that he has read and understood the Data Controller’s Privacy Policy and has taken note of the information contained therein. The operator does not use the personal data for any other purpose and does not make it available to third parties. The operator processes the personal data recorded in this way until the data subject’s consent is withdrawn. If the data subject withdraws his consent, the operator deletes the recorded personal data from his system without undue delay and at the latest within 3 working days.

The data subject declares on the website of the data controller that he is over 16 years of age in relation to the review of the products. A person under the age of 16 cannot comment on the products in this way, given that, according to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of his declaration of consent to processing requires the consent of his representative legal. The operator is not able to verify the age and right of the person who gives his consent, so the data subject guarantees that the data he has provided is correct.

16. Subscription to the newsletter:

The data controller also offers the possibility to subscribe to a newsletter. By subscribing to the newsletter, the data subject declares that he has read the Data Controller’s Privacy Policy and consents to the processing of his personal data for marketing purposes (submitting the newsletter). The data subject has the rights set out in the Data Protection Notice and can exercise these rights in the manner and at the places indicated therein. Therefore, the legal basis for the processing of personal data in the context of sending the newsletter is the explicit and written consent of the subscriber [Article 6 paragraph (1) letter (a) of the General Data Protection Regulation].

The purpose of data processing in connection with the sending of newsletters is to provide the recipient with complete information, general or personalized, about the latest news and news published by the operator, in accordance with the applicable and valid legislation. Subscription to the newsletter and/or sending the newsletter for DM purposes is based on voluntary consent, the operator will of course offer the data subject the possibility to withdraw his consent and unsubscribe from the newsletter at any time.

The data subject declares on the website of the operator that he is 16 years of age or older when subscribing to the newsletter. A person under the age of 16 cannot subscribe to the newsletter, given that, in accordance with Article 8(1) of the General Data Protection Regulation (GDPR), the validity of his declaration of consent to the processing of personal data requires the consent of his legal representative. The operator is not able to verify the age and right of the person who gives his consent, so the data subject guarantees that the data he has provided is correct.

17. Operator’s social networks:

The data controller also operates a Facebook page, where personal data is also processed. The data controller also promotes its activities on the Facebook page, presenting its products and training courses. This page is used by the operator for marketing purposes, to inform interested parties about the products and services they offer.

https://www.facebook.com/lashandlashes/

The operator also offers comprehensive personal support via Facebook. If you ask a question through Facebook, they will try to answer you as soon as possible. It will use the data received on Facebook only to answer your question and not for other promotional purposes.

The purpose of using the Facebook page is to advertise and provide information on social networks. Facebook can also use the data for its own purposes, including creating profiles and targeting advertising to the data subject.

To contact the operator via Facebook, you must log in. To do this, Facebook may request, store and process personal data. The operator has no control over the type, scope and processing of this data and receives no personal data from the Facebook operator. For more information on this, please visit the Facebook page.De asemenea, operatorul de date organizează ocazional o extragere de premii pe pagina sa de Facebook. În astfel de cazuri, datele cu caracter personal ale câștigătorului vor fi prelucrate în scopul transmiterii premiului. Operatorul de date va prelucra datele câștigătorului pe baza consimțământului persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor] și le va păstra pentru perioada legală de păstrare.

The personal data of the followers of the Facebook page are processed by the data operator based on their consent [Article 6 paragraph (1) letter (a) of the General Data Protection Regulation], which is considered to be given by the fact that the person in cause like, follow or comment on the page and its posts.

The data controller is also present on the Instagram social network with the following profile:

https://www.instagram.com/lashandlashes/

Followers’ personal data is processed on the Instagram page. The processing is based on the consent given by the tracker [Article 6(1)(a) of the General Data Protection Regulation].

Other community pages of the operator, if the legal basis of the processing is also the consent of the data subject [Article 6 paragraph (1) letter (a) of the General Data Protection Regulation]:

https://www.youtube.com/channel/UC_8sPtsEB-SAtLWGmkXCbGg

18. Management of complaints regarding the activities of the operator:

The purpose of data processing in the course of handling complaints in connection with the activities of the data operator is to enable the communication of the complaint, to identify the data subject and his complaint, to record the data whose registration is provided by law, to investigate the complaint and to maintain contact regarding its resolution.

In the event of a complaint, the processing of the complaint and therefore the personal data is mandatory under the CLV Consumer Protection Act 1997. The legal basis for the processing of personal data is therefore the fulfillment of a legal obligation [Article 6(1)(c) of the General Data Protection Regulation].

The data controller will keep the record of the complaint and a copy of the response for 5 years and will also process the personal data on this basis for this period.

19. Data processing security:

The data operator undertakes to ensure data security, take technical and organizational measures and maintain procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorized use or unauthorized modification. It also undertakes to require any third party to whom it transfers or discloses data to comply with data security requirements.

The operator ensures that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorized persons. The processed data can only be accessed by the data operator and the person (persons authorized by him/her) and are not disclosed to third parties who do not have the right to access the data.

The data controller takes great care to ensure the security of the personal data of its partners, clients and customers. It acts in full compliance with the legal provisions and requires all its partners to do the same. Personal data protection includes physical protection (storing documents in a lockable room, protected by a surveillance camera and an alarm) and IT protection (using an antivirus and password protection)

The operator stores the personal data provided by the data subject, primarily on the servers of the person authorized by the operator (persons authorized by the operator) specified in this Privacy Notice, equipped with the usual protection systems, and partly on its own IT equipment or, in the case of paper media, at its head office in a proper and locked manner.

Data subjects acknowledge and accept that, if they provide their personal data, data protection cannot be fully guaranteed on the Internet and in the IT system. In the case of unauthorized access or unauthorized disclosure, despite the efforts of the operator, it is necessary to proceed as described in this notice.

20. The rights of data subjects:

• Transparent notifications:

The purpose of this privacy notice is also to provide clear, concise, transparent and easy to understand information about the processing activities of the operator.

• The right of access:

The data subject has the right to obtain from the operator information on whether his personal data is or is not being processed and, if such processing takes place, he has the right to have access to the personal data and to the following information:

• purpose of processing,
• the categories of personal data in question,
• recipients to whom personal data were disclosed,
• expected duration of personal data storage.

 

You can request information regarding the above data from the data controller at the following address, e-mail address:

Beauty 303 Kft. 1149 Budapest, Nagy Lajos király útja 108.

Email: matrai@lashandlashes.hu 

The operator hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post and those sent by email will be answered by email.

 

• The right to rectification:

The data subject has the right to obtain from the operator, at his request, the rectification of inaccurate personal data concerning him.

You can request information regarding the above data from the data controller at the following address, e-mail address:

Beauty 303 Kft. 1149 Budapest, Nagy Lajos király útja 108.

Email: matrai@lashandlashes.hu 

The operator hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post and those sent by email will be answered by email.

• The right to erasure:

The data subject has the right to obtain, at his request, the deletion of personal data concerning him. Based on such a request, the operator deletes the personal data if one of the following reasons applies:

• the personal data are no longer necessary for the purposes for which they were collected,
• the data subject withdraws his prior consent and there is no other legal basis for the processing,
• the data subject objects to the processing and there are no legitimate reasons that prevail for the processing,
• personal data were processed illegally,
• necessary to comply with a legal obligation under EU or national law.

 

You can request information regarding the above data from the data controller at the following address, e-mail address:

Beauty 303 Kft. 1149 Budapest, Nagy Lajos király útja 108.

Email: matrai@lashandlashes.hu 

The operator hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post and those sent by email will be answered by email.

• The right to restrict processing:

The data subject has the right to request the operator to restrict the processing, in particular if:

• dispute the accuracy of the data,
• considers that the processing is illegal, but, for some reason, does not request the deletion of the data.

 

You can request information regarding the above data from the data controller at the following address, e-mail address:

Beauty 303 Kft. 1149 Budapest, Nagy Lajos király útja 108.

Email: matrai@lashandlashes.hu 

The operator hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post and those sent by email will be answered by email.

• The right to data portability:

The data subject has the right to receive personal data concerning him/her in a structured, commonly used and machine-readable format, as well as the right to transmit this data to another controller.

You can request information regarding the above data from the data controller at the following address, e-mail address:

Beauty 303 Kft. 1149 Budapest, Nagy Lajos király útja 108.

Email: matrai@lashandlashes.hu 

The operator hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post and those sent by email will be answered by email.

• The right to opposition:

The data subject has the right to object at any time, for reasons related to his particular situation, to the processing of his personal data, as provided for in Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.

You can request information regarding the above data from the data controller at the following address, e-mail address:

Beauty 303 Kft. 1149 Budapest, Nagy Lajos király útja 108.

Email: matrai@lashandlashes.hu 

The operator hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post and those sent by email will be answered by email.

• The right of the data subject in the case of automated decision-making:

The data subject has the right not to be subject to a decision based solely on automatic processing, including profiling, which produces legal effects concerning or significantly affects him. Automated decision-making is any process or methodology by which a technical automation evaluates personal aspects concerning the data subject and which produces legal effects concerning or significantly affects the data subject. The operator will not use automated IT mechanisms, including the creation of profiles, which produce legal effects regarding the rights of the data subject.

You can request information regarding the above data from the data controller at the following address, e-mail address:

Beauty 303 Kft. 1149 Budapest, Nagy Lajos király útja 108.

Email: matrai@lashandlashes.hu 

The operator hereby informs you that it will respond to your request within 30 days. Requests for information sent by post will be answered by post and those sent by email will be answered by email.

The operator undertakes to inform any recipient of the requests sent to him in relation to the above rights and to whom he has disclosed his personal data, unless this proves impossible. It also undertakes to notify the data subject (the applicant) of the decision regarding the processing of the above-mentioned applications within 30 days at most.

21. Data Protection Incident:

A personal data security breach is a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

In the case of a data breach, the level of the data breach must be at a level of serious risk, i.e. the breach must be of a level that affects personal data, such as:

 

• destruction,
• loss,
• change,
• unauthorized disclosure or
• unauthorized access.

An incident is considered to occur if it is any of the above, but this does not exclude the possibility that more than one of these may occur at the same time. This includes not only malicious conduct but also negligent injuries. Therefore, an incident occurs when it is caused by an accidental or illegal act.

Examples of data security breaches include:

• the illegal transmission of personal data on a document, portable device, storage medium or computer system (for example, by mail),
• unauthorized access to a computer system or an application that processes personal data,
• damage or partial or total loss of a database containing personal data,
• part or all of the computer system has become unusable due to a virus or other malicious software, etc.

A data breach may cause physical, pecuniary or non-pecuniary harm to individuals, including loss of control over their personal data or restriction of their rights, discrimination, identity theft, if not addressed in an adequate and timely manner, or the use misuse of identity, financial losses, unauthorized impersonation, damage to reputation, damage to the confidentiality of personal data protected by professional secrecy or other significant economic or social disadvantages suffered by the natural persons concerned.

In the event of a potential data breach (unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons), the operator immediately notifies the National Authority for Data Protection and Freedom of Information. As soon as the operator becomes aware of the incident, it shall notify it without undue delay and, if possible, within no more than 72 hours from the date on which it became aware of the personal data breach. If the notification cannot be made within 72 hours, the notification must indicate the reason for the delay and provide the information requested in detail without further undue delay.Autoritatea Națională pentru Protecția Datelor și Libertatea Informației operează un sistem dedicat pe site-ul său web pentru notificarea încălcărilor de date, prin intermediul căruia notificările pot fi făcute în format electronic.

The data controller keeps a record of data breaches, indicating the facts related to the data breach, its effects and the measures taken to remedy it. The operator keeps a record of incident data, including the causes, events and personal data involved. In addition, the record should also include the effects and consequences of the incidents and the measures taken to remedy them, as well as the operator’s conclusions (for example, the reason why it considers that the incident should not be reported or, if the notification is delayed, the reason for the delay).

An incident that is unlikely to pose a risk to the rights and freedoms of natural persons need not be notified to the supervisory authority.

If the data breach is likely to lead to a high risk to the rights and freedoms of the partners, customers, clients and partners of the data controller, we will inform the affected partner without delay. The information provided to the data subject clearly describes the nature of the personal data breach and provides essential information and measures.

The data subject need not be informed in the manner described above if any of the following conditions are met:

• the operator has implemented appropriate technical and organizational protection measures and these measures have been applied with respect to the data affected by the personal data security breach, in particular measures to make the data unintelligible to persons who are not authorized to access the data personal;
• the operator has taken additional measures following the breach of personal data security to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
• information would require a disproportionate effort. In such cases, the data subjects should be informed by means of information made public or a similar measure should be taken to ensure that the data subjects are informed in an equally effective way..

22. Information on relevant legislation:

• Law CXII of 2007 regarding the right to informational self-determination and freedom of information (Info. tv.);
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) no. 95/46/EC (General Data Protection Regulation, RGPD);
• Law V of 2007 – on the Civil Code (Civil Code);
• Law LXXVII of 2006 on adult education;
• Accounting Act C of 2006 (Accounting Act).

23. The right to address the courts:

The data subject can take the operator to court if his rights are violated. The court rules on the case incidentally.

24. Procedure of the data protection authority:

You can file a complaint with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information

Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, Pf.: 5.

Phone: 0613911400

Fax: 0613911410

Email: ugyfelszolgalat@naih.hu

Website: https://www.naih.hu

25. Other provisions:

The data controller provides information on data processing that is not listed in this notice at the time of data registration. In such cases, the provisions of applicable law prevail.

The data operator informs its clients, partners and customers that the court, prosecutor, investigative authority, law enforcement authority, administrative authority, the National Authority for Data Protection and Freedom of Information, the National Bank of Hungary or other bodies authorized by law may contact the operator of data to provide information, data, transfers or documents. The data operator discloses to the authorities – if the authority has indicated the precise purpose and scope of the data – the personal data only to the extent that it is strictly necessary for the purpose of the request.

The website of the Data Protection Authority contains further information on the data protection rights mentioned in this Privacy Notice.

Budapest, 2020. ………………………………..

László Mátrai

CEO

 

ANEX   No.1

No. crt.	Name of personal data processing	Purpose of data processing	Temeiul juridic pentru prelucrare	Termenul de ștergere a datelor cu caracter personal
1.	Personal data provided during purchase and registration in the online store.	For the purpose of executing the contract, for the purpose of contracting.	Executarea contractului [articolul 6 alineatul (1) litera (b) din Regulamentul general privind protecția datelor].	În termen de 30 de zile de la apariția obligației legale de a păstra datele (8 ani).
2.	Personal data of the contact person of the legal entity when shopping and registering in the online store.	To fulfill a contractual obligation.	Pe baza consimțământului persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	În caz de retragere a consimțământului, fără întârziere. În termen de 10 zile lucrătoare de la încetarea contractului, cu excepția cazului în care legea prevede o obligație de menținere a contractului (în termen de 30 de zile de la expirarea obligației).
3.	Personal data regarding the invoice issued to customers (natural persons, sole proprietorships).	Fulfilling a legal obligation, issuing an invoice.	Respectarea unei obligații legale [articolul 6 alineatul (1) litera (c) din Regulamentul general privind protecția datelor].	În termen de 30 de zile de la apariția obligației legale de a păstra datele (8 ani). Pentru învățământul pentru adulți, 30 de zile după încheierea celui de-al 8-lea an.
4.	Processing of received e-mails (sender’s e-mail address), telephone numbers.	To fulfill a contractual or consent obligation.	Executarea unei obligații contractuale [articolul 6 alineatul (1) litera (b) din Regulamentul general privind protecția datelor] sau consimțământul persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	În termen de 10 zile lucrătoare de la finalizarea sarcinii sau imediat după retragerea consimțământului, până la maximum 3 zile lucrătoare.
5.	Personal data of suppliers, service providers, subcontractors (in the case of a natural person or an individual entrepreneur).	To fulfill a contractual obligation.	Îndeplinirea unei obligații contractuale [articolul 6 alineatul (1) litera (b) din Regulamentul general privind protecția datelor].	În termen de 30 de zile de la apariția obligației legale de a păstra datele (8 ani).
6.	Personal data of contact persons of suppliers, service providers, subcontractors.	To fulfill a contractual obligation.	Pe baza consimțământului persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	În caz de retragere a consimțământului, fără întârziere. În termen de 10 zile lucrătoare de la încetarea contractului, cu excepția cazului în care legea prevede o obligație de menținere a contractului (în termen de 30 de zile de la expirarea obligației).
7.	Personal data provided by job applicants in their CVs.	To fill the advertised vacancy or to fill a possible vacancy at a later date. Finding a quality employee.	Consimțământul persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	În cazul unui post vacant anunțat, CV-ul unui candidat nereușit va fi distrus de către operator fără întârziere. CV-ul voluntar al persoanei vizate va fi stocat cu consimțământul acesteia până la termenul limită specificat în consimțământ.
8.	Personal data recorded during the collection of data from the cookies processed by the website.	To improve the user experience, to improve the website, for statistical purposes.	Pe baza consimțământului persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	Fără întârzieri nejustificate după retragerea consimțământului, dar în termen de cel mult 3 zile lucrătoare.
9.	Personal data (name, email address) provided when someone leaves a review about products on the site.	To promote products.	Consimțământul persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	Fără întârzieri nejustificate după retragerea consimțământului, dar în termen de cel mult 3 zile lucrătoare.
10.	Personal data provided during registration as a reseller partner.	For the purpose of contracting the interested person to discuss the terms of cooperation.	Pentru a stabili un contract [articolul 6 alineatul (1) litera (b) din Regulamentul general privind protecția datelor].	Imediat după contact, dar nu mai târziu de 3 zile lucrătoare, cu excepția cazului în care se stabilește o relație contractuală.
11.	Personal data (name, e-mail address) provided when signing up for the newsletter.	To send a newsletter.	Pe baza consimțământului persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	Imediat după retragerea consimțământului.
12.	Personal data that came to the knowledge of the data controller through the use of social networks.	Promotion of activity, products and services.	Consimțământul persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	Imediat după retragerea consimțământului.
13.	Processing of prize winners’ personal data.	To conduct the lottery and prize draw, to select and notify the winner, to deliver the prize.	Consimțământul persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	Ținând cont de obligația legală de a păstra datele (8 ani), în termen de 30 de zile de la expirarea obligației.
14.	Images from photos and videos taken with customers.	Promotion of services, products and activities and use of images on websites, social networks and elsewhere.	Consimțământul persoanei vizate [articolul 6 alineatul (1) litera (a) din Regulamentul general privind protecția datelor].	Fără întârzieri nejustificate după retragerea consimțământului, dar în termen de cel mult 3 zile lucrătoare.
15.	Images recorded by the camera system at the operator’s headquarters.	Asset protection.	Pe baza interesului legitim al operatorului [articolul 6 alineatul (1) litera (f) din Regulamentul general privind protecția datelor].	Înregistrările neutilizate vor fi șterse de către operatorul de date în termen de 3 zile lucrătoare de la data înregistrării. În caz de utilizare, înregistrările vor fi păstrate timp de maximum 30 de zile lucrătoare.
16.	Personal data collected during the handling of complaints.	Complaint identification and resolution.	Respectarea obligației legale [articolul 6 alineatul (1) litera (c) din Regulamentul general privind protecția datelor].	În termen de 30 de zile de la apariția obligației legale de a păstra datele (5 ani).