The purpose of this Privacy Notice is to set out the data protection and data processing principles applied by ADRIENNE FELLER Cosmetics Zártkörűen Működő Részvénytársaság (hereinafter the “Company” or “Data Controller”), and the Company’s data protection and processing policy, which the Company, as data controller, acknowledges as binding upon itself.
When drafting the provisions of this Notice, the Company paid particular attention to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (“Info Act”), Act V of 2013 on the Civil Code (“Civil Code”), and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities (“Advertising Act”).
The scope of this Notice extends to data processing activities related to the website available at www.panarom.hu or www.adriennefellerwebshop.hu (hereinafter the website affected by the User’s activity: the “Website”). The provisions of this Notice shall apply to the Website.
In the event of the use of other services, this Notice shall be interpreted together with the data processing rules related to the services used.
With respect to data processing related to trainings falling under the scope of Act LXXVII of 2013 on Adult Education, the data processing rules contained in the Student Declaration shall apply.
Unless otherwise communicated, the scope of this Notice does not extend to services and data processing activities related to the promotions, prize draws, services, other campaigns or content published by third parties advertising on the Website or appearing there in any other manner. Unless otherwise communicated, the scope of this Notice does not extend to the services and data processing activities of websites or service providers to which a link on the Website leads. The scope of this Notice does not extend to the data processing activities of persons (organisations, companies) from whose information, newsletter or advertising letter the User became aware of the Website. The provisions contained in the privacy notice of the third party operating such services shall apply to such services, and the Data Controller assumes no responsibility whatsoever for such data processing activities.
Data Processing: irrespective of the procedure applied, any operation or set of operations performed on Personal Data, including in particular the collection, recording, organisation, structuring, storage, adaptation, alteration, use, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, publication, alignment or combination (including profiling), restriction, erasure and destruction of Personal Data.
Data Controller: the person specified in Section 3 who, alone or jointly with others, determines the purposes and means of Data Processing.
Personal Data or data: any data or information by means of which a natural person User can be identified directly or indirectly.
Data Processor: a service provider that processes Personal Data on behalf of any Data Controller.
User: a natural person who registers on the Website as a Customer or Professional Customer and, in this context, provides the data specified in Sections 8 and 9 of this Notice.
External Service Provider: third-party service provider partners used by the Data Controller or the operator of the Website, either directly or indirectly, in connection with the provision of certain services, to whom Personal Data are or may be transferred for the purpose of providing their services, or who may transfer Personal Data to the Data Controller. Service providers that are not in cooperation with either the Data Controller or the operators of the services, but which, by accessing the Website, collect data about Users that may, either independently or in combination with other data, be suitable for identifying the User, shall also qualify as External Service Providers. Furthermore, in the course of providing hosting services, the Data Controller also considers the User to be an External Service Provider from the perspective of the data processing activity carried out on the storage space used by the User.
Newsletter: an electronic mail in which the Data Controller sends advertisements, promotions and offers to Users by means of direct communication (direct electronic communication, EDM).
Notice: this Privacy Notice of the Data Controller.
3.1. Data Controller:
Name: ADRIENNE FELLER Cosmetics Zártkörűen Működő Részvénytársaság (also as “ADRIENNE FELLER”)
Registered seat: 5126 Jászfényszaru, Albert Einstein út 3.
Telephone: 061-336-0466
E-mail: info@adriennefeller.com
Data protection officer/person responsible for data protection: László Pál Weninger
Position of the person responsible for data protection: Chief Executive Officer
3.2. The Data Controller is a business company registered in Hungary.
3.3. The Data Controller operates the Website, which was created for the purpose of purchasing ADRIENNE FELLER and Panarom products online. Certain products available for order are accessible exclusively to professional customers, while other products are available to all registered customers.
3.4. The Data Controller is a business company also entitled to perform advertising sales and organisational tasks. Users of the Website operated by the Data Controller may, upon registration or independently thereof, on the interface of the Website or through another electronic channel provided by the Data Controller, consent to the Data Controller sending them EDM pursuant to Section 6(1) of the Advertising Act, enabling and targeting the display of the Data Controller’s advertisements as advertiser on the EDM interfaces.
3.5. By accepting the Notice, the User accepts that they may receive system messages from time to time in connection with the operation of the Website. These system messages may contain information and advice relating to the use of the system, as well as information concerning system errors, malfunctions and troubleshooting.
3.6. The User accepts that, in the case of application for trainings falling under the scope of Act LXXVII of 2013 on Adult Education, data processing is carried out on the basis of a statutory obligation; consequently, withdrawal of consent to data processing shall not result in the termination of data processing during the period authorised by law.
4.1. In the course of Data Processing, the Data Controller acts in accordance with the requirements of good faith, fairness and transparency, in cooperation with the Users. The Data Controller processes only data specified by law or provided by Users, for the purposes set out below. The scope of Personal Data processed is proportionate to the purpose of data processing and may not extend beyond it.
4.2. In every case where the Data Controller intends to use Personal Data for a purpose other than the original purpose for which they were obtained, it informs the User thereof and obtains their prior, explicit consent, or provides them with the opportunity to prohibit such use.
4.3. The Data Controller does not verify the Personal Data provided to it. The person providing the Personal Data is solely responsible for the adequacy and authenticity of the Personal Data provided.
4.4. Personal Data of a data subject under the age of 16 may be processed only with the consent of the adult person exercising parental authority over them. The Data Controller is not in a position to verify the authorisation of the consenting person or the content of their statement; therefore, the User or the person exercising parental authority over them warrants that the consent complies with applicable laws and the provisions of this Notice. In the absence of a consent statement, the Data Controller does not collect Personal Data relating to data subjects under the age of 16.
4.5. The Data Controller does not transfer the Personal Data it processes to third parties other than the Data Processors specified in this Notice and, in certain cases referred to in this Notice, External Service Providers.
An exception to the provision set out in this section is the use of data in statistically aggregated form, which may not contain any other data suitable for identifying the User concerned in any form and therefore does not qualify either as Data Processing or as data transfer.
In certain cases, including court or police requests, legal proceedings due to infringement of copyright, property or other rights, or reasonable suspicion thereof, prejudice to the interests of the Data Controller, or jeopardising the provision of the service, etc., the Data Controller makes the available Personal Data of the User concerned accessible to third parties. Unless prohibited by law or an authority decision, the Data Controller shall notify the data subject of the transfer of their data.
The Data Processors and External Service Providers listed in this Privacy Notice record, process or otherwise process the Personal Data transferred to them by the Data Controller and processed or handled by them in accordance with the applicable statutory provisions, regarding which they have made a declaration to the Data Controller.
4.6. The information technology systems of the Data Controller may collect data about Users’ activity which cannot be linked to the Personal Data provided by Users during registration or to data generated when using other websites or services. By way of exception, if the User consents to the Data Controller sending or publishing marketing offers to them, the User accepts that, within the framework of this service and solely for the purpose of providing the service, the data collected about the User’s activity will be linked to other Personal Data provided by the User during registration.
4.7. The Data Controller notifies the User concerned and all persons to whom the Personal Data were previously transferred for the purpose of Data Processing of the rectification, restriction or erasure of the Personal Data processed by it. Notification may be omitted if, having regard to the purpose of Data Processing, this does not prejudice the legitimate interest of the User.
4.8. In view of the applicable statutory provisions, the Data Controller is not obliged to appoint a data protection officer.
4.9. The Data Controller processes Personal Data in accordance with the applicable legislation. The legislation governing data processing includes in particular:
5.1. Having regard to the nature of the Data Controller’s activities, the legal basis of Data Processing is the User’s voluntary, explicit consent based on appropriate information (Section 5(1)(a) of the Info Act, Article 6(1)(a) GDPR), the conclusion of a contract and steps prior to the conclusion of a contract pursuant to Article 6(1)(b) GDPR, and, in the case of profiling, appropriate information provided to the User in accordance with the provisions of the GDPR, as well as Article 6(1)(f) GDPR. Users contact the Data Controller voluntarily, register on the Website voluntarily and use the Data Controller’s service voluntarily. In the absence of Users’ consent, the Data Controller processes data only if clearly authorised to do so by law.
5.2. In the case of Data Processing based on consent, the User is entitled to withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of data processing based on consent prior to the withdrawal.
5.3. When the User enters the Website, the Data Controller records the User’s IP address in connection with the provision of the service, having regard to the Data Controller’s legitimate interest and for the lawful provision of the service (for example, in order to filter out unlawful use and unlawful content), even without the User’s separate consent.
5.4. Data transfer to the Data Processors specified in this Notice may be carried out without the User’s separate consent; the User consents thereto by accepting this Notice. Disclosure of Personal Data to third parties or authorities may be carried out, unless otherwise provided by law, only on the basis of a final and binding authority decision or with the User’s prior, explicit consent.
5.5. When providing any User’s e-mail address and data provided during registration (e.g. username, identifier, password, etc.), the User also assumes responsibility for ensuring that services are used exclusively by them from the e-mail address provided or with the use of the data provided by them, and that such use does not constitute any infringement. In view of this assumption of responsibility, all liability in connection with logins made with a given e-mail address and/or data shall be borne exclusively by the User who registered the e-mail address and provided the data.
5.6. In certain cases, the legal basis for Data Processing is a statutory provision. If the User pays a fee to the Data Controller, the Data Controller processes the data included on the accounting document issued by it in accordance with the provisions of the Accounting Act. In the case of application for trainings falling under the scope of Act LXXVII of 2013 on Adult Education, data processing is carried out on the basis of a statutory obligation.
5.7. The legal basis of Data Processing may be the substantial legitimate interest of the Data Controller; in such cases, in accordance with the applicable statutory provisions, the Data Controller has carried out and may in the future carry out a balancing of interests test which demonstrates that the given Data Processing is necessary for the enforcement of the Data Controller’s legitimate interests, and that the rights and freedoms of the data subject requiring the protection of Personal Data do not override these interests.
The Data Controller processes Personal Data exclusively for specified purposes, in order to exercise rights and fulfil obligations. At every stage of Data Processing, the processing complies with the purpose of data processing. Data are collected and processed fairly and lawfully. The Data Controller endeavours to ensure that only Personal Data that are indispensable for achieving the purpose of Data Processing and suitable for achieving that purpose are processed. Personal Data may be processed only to the extent and for the time necessary to achieve the purpose.
The primary purpose of data processing is the operation of the Website and the provision of the Data Controller’s services.
The purposes of Data Processing are:
In relation to its core activity, the Data Controller processes exclusively the Personal Data provided by Users and does not collect data from other sources (except for IP addresses and cookies under Section 14).
The data are provided during the User’s registration, subscription to the Newsletter, or joining the loyalty programme. During registration, the User provides their name, e-mail address, password, residential address, telephone number and date of birth.
When subscribing to the Newsletter, the User provides their name and e-mail address.
Joining the loyalty programme is conditional upon registration; therefore, no further data beyond the data provided during registration are required.
The User may register using their existing profile on a social networking site (Facebook, LinkedIn). In this case, the User selects the social networking site with whose profile they wish to register and provides the login name and password used on that social networking site. Thereafter, the Data Controller imports the data contained in the profile on the given social networking site. The User may register with a social media profile only if they consent to the Data Controller processing the data contained in that profile.
If the User has given their consent by subscribing to the Newsletter to receive direct marketing and marketing offers, the Data Controller processes the following Personal Data from the following sources:
8.1. In relation to its core activity and Newsletter sending service, the Data Controller processes exclusively the personal data provided by Users. The processed data are as follows:
In the case of “guest checkout” specified in Section 9, with respect to a non-registered natural person purchaser, the Data Controller processes the following data: surname, first name, tax number (if any), e-mail address, telephone number and residential address.
If the User has consented to marketing communications, in addition to the above data, the following data are processed:
If the User has applied for the Loyalty Programme, in addition to the above data, the following data are processed:
8.2.1. The Data Controller uses the Klaviyo Inc. marketing automation platform for its newsletter sending and direct marketing activities. The Klaviyo system, subject to the User’s appropriate prior consent, carries out the following automated data processing activities:
8.2.2. The legal basis for automated profiling and behaviour-based marketing data processing carried out in the Klaviyo system is the User’s voluntary, explicit consent based on appropriate information pursuant to Article 6(1)(a) GDPR. The Data Controller processes data for profiling purposes only in respect of Users who have expressly consented to this (by subscribing to the newsletter or by giving consent to marketing communication).
8.2.3. Segmentation and personalisation carried out by the Klaviyo system do not result in a decision that is binding on the User; they serve exclusively to determine the content and timing of marketing communications. The Data Controller does not apply automated decision-making that would have legal effects significantly affecting the User; therefore, the prohibition and safeguards under Article 22 GDPR are not mandatory in this case. If the Data Controller intends to apply such automated decision-making in the future, it shall amend the Notice accordingly and inform the data subjects in advance.
9.1. The source of the Personal Data is the User, who provides the data during registration or later, by logging into the Website, or during subscription to the Newsletter or application for the loyalty programme. The provision of Personal Data marked with an asterisk on the registration form is mandatory, unless expressly indicated otherwise.
9.2. The User provides the data independently; the Data Controller does not give any mandatory guidance in this respect and does not set any content requirements; the User is fully responsible for the data provided. The User expressly consents to the processing of the data provided by them. In addition to the data requested by the Data Controller, the User is entitled to provide other data in their profile; the legal basis for processing such data is also the User’s voluntary consent.
9.3. If products are purchased on the Website by a natural person data subject without completing registration (“guest checkout”), the legal basis for processing the Personal Data of the natural person is partly a statutory provision and partly that the data processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. The Data Controller processes certain Personal Data of the natural person purchaser (in particular e-mail address and telephone number) on the basis of the natural person purchaser’s explicit, voluntary consent based on appropriate information.
9.4. If the User registers for a promotion organised by the Data Controller (e.g. on Facebook) and provides the data requested there, the User accepts the separate privacy notice related to the given promotion.
In this case, by providing the data, the User does not register on the Website but consents to the processing of the data provided in accordance with the privacy notice of the promotion.
9.5. By registering on the Website as a Customer or Professional Customer, the User consents to the Data Controller and the business partners commissioned by the Data Controller to perform specified activities in connection with the purchase (e.g. courier service), as data processors or External Service Providers, storing, processing and using the Personal Data provided during registration and purchase for the fulfilment of the order, market research, direct marketing and/or advertising purposes in accordance with the statutory provisions in force at all times.
The User has the opportunity to subscribe to the Newsletter sent by the Data Controller. The User may declare their intention to subscribe to the Newsletter by ticking the available checkbox after acknowledging the information relating to the Newsletter.
In the course of subscribing to the Newsletter within the retail loyalty programme, the User consents to the Data Controller sending them the retail newsletters of the Websites.
If the User consents, the Data Controller contacts the User at the contact details provided and sends advertising to them by means of direct communication. In the case of Newsletter subscription, advertising may be sent by e-mail. Sending the Newsletter is always subject to the User’s consent.
The User may withdraw their consent at any time without giving reasons.
The Data Controller occasionally organises prize draws, the purpose of which is to increase the number of registrations and to refresh (update) registrations. Participation in the prize draw is not subject to payment of a stake or to purchase; therefore, the prize draw does not qualify as a prize draw subject to authorisation or notification.
The legal basis for Data Processing is the User’s consent. If the User applies for the prize draw or registers for the purpose of participating in the prize draw, provides their data and consents to their processing, this shall take place in accordance with this Notice. The acceptance statement and the provision of data shall qualify as consent. Participation in the prize draw may take place:
The purpose of Data Processing is to conduct the prize draw, draw lots, inform the winners and deliver the prizes.
After the prize draw, the Data Controller processes the User’s data as specified in this Notice.
The data subjects are registered Users who have applied for the retail loyalty programme.
The legal basis for data processing in the loyalty programme is Article 6(1)(b) GDPR (contract conclusion and steps prior to contract conclusion), as well as the User’s consent (Article 6(1)(a) GDPR).
Duration of Data Processing: until the purpose of data processing is achieved, or until the explicit declaration of the participant in the loyalty programme stating that they wish to leave the loyalty programme.
The purchaser may review the product(s) purchased on the Website in text form and by giving 1 to 5 stars. The product review appears under the name provided by the User when submitting the review, which may differ both from the username and from the User’s real name.
The purchaser’s review may be published on the Website, on the Data Controller’s advertising surfaces, social media and other communication interfaces.
After the purchase, the Data Controller sends an e-mail to the purchaser offering them the opportunity to review the product purchased by them.
Purpose of data processing: sales promotion, analysis of purchasing habits and measurement of customer satisfaction, monitoring product turnover and product popularity, and providing information regarding the quality of the products distributed.
Legal basis of data processing: the voluntary consent of the data subject pursuant to Article 6(1)(a) GDPR.
Scope of data processed: any name provided by the User, review with 1 to 5 stars and text.
The Data Processor ensures that the product review takes place in accordance with the Terms of Use and the Moderation Policy.
The Data Controller’s information technology system automatically records the IP address of the User’s computer, the starting time of the visit and, in certain cases depending on the settings of the computer, the type of browser and operating system. The data recorded in this way, except in cases of User consent relating to marketing communication and profiling, cannot be linked to other Personal Data. Processing of these data serves exclusively statistical purposes.
The User acknowledges that cookies operate on the Website operated by the Data Controller, including, among others, browser cookies, tracking cookies and computer cookies.
Cookies enable the Website to recognise previous visitors. Cookies assist the Data Controller, as operator of the Website, in optimising the Website and in adapting the Website’s services to the User’s habits. Cookies are also suitable for:
If various content is displayed on the Website by the Data Controller with the help of external web services, this may result in the storage of some cookies that are not controlled by the Data Controller; therefore, the Data Controller has no influence over what data these websites or external domains collect. Information on such cookies is provided by the policies relating to the given service.
The Data Controller uses cookies to display advertisements to Users through Google and Facebook. Data Processing is carried out without human intervention.
The User may set their web browser to accept all cookies, reject all cookies, or notify the User when a cookie is sent to their computer. The setting options can generally be found in the “Options” or “Settings” menu of the browser. By prohibiting the use of cookies, the User acknowledges that without cookies the operation of the Website is not fully functional.
The Data Controller transfers Personal Data to a third party only if the User has clearly consented to it, knowing the scope of data transferred and the recipient of the data transfer, or if the data transfer is permitted by law.
The Data Controller is entitled and obliged to transfer to the competent authorities all Personal Data available to it and lawfully stored by it where it is required to transfer such Personal Data by law or by a final and binding authority decision. The Data Controller cannot be held liable for such Data Transfer or for the consequences arising therefrom.
The Data Controller documents data transfers in every case, keeps records of data transfers, and notifies the User concerned thereof, provided that such notification is not prohibited by law or an authority decision.
The Data Controller is entitled to use Data Processors for the performance of its activities. Data Processors do not make independent decisions and are entitled to act exclusively in accordance with the contract concluded with the Data Controller and the instructions received from the Data Controller. The Data Controller monitors the work of the Data Processors. Data Processors may use additional data processors only with the prior consent of the Data Controller.
Data Processors used by the Data Controller:
16.1. Distinction between the roles of Data Processors
For its electronic direct marketing communication, the Data Controller uses two Data Processors, whose roles are separated as follows:
The data subject may exercise their rights in relation to their data stored in both systems at the Data Controller by contacting adatkezeles@adriennefeller.com. In accordance with the request, the Data Controller ensures that the measures relating to the data (erasure, restriction, rectification) are implemented in both data processor systems.
16.2. Transfer of data to third countries
The following Data Processors used by the Data Controller have their registered seats outside the European Union, in the United States of America (“third country”):
Pursuant to Articles 44-49 GDPR, Personal Data may be transferred to a third country only if an adequate level of protection is ensured. The Data Controller ensures the transfer of Personal Data to a third country by applying the standard contractual clauses (“SCC”) approved by the European Commission pursuant to Article 46(2)(c) GDPR.
The Data Controller has concluded the SCCs with both affected Data Processors (Mailchimp and Klaviyo), or has acceded to them within the framework of the data processing agreement. The SCCs and the privacy notices of the Data Processors are available at the following links:
At the request of the data subject, the Data Controller provides information on the content of the safeguards applied, and a copy thereof may be made available to the data subject. Requests may be submitted to adatkezeles@adriennefeller.com.
During the operation of the Website and the provision of its services, the Data Controller uses External Service Providers with whom the Data Controller cooperates.
With respect to Personal Data processed in the systems of External Service Providers, the provisions contained in the privacy policies of the External Service Providers shall apply. The Data Controller makes every effort to ensure that the External Service Provider processes the Personal Data transferred to it in accordance with the law and uses them exclusively for the purpose specified by the User or set out below in this Notice.
The Data Controller ensures the security of the data and takes the technical and organisational measures and establishes the procedural rules necessary to enforce the applicable legislation and data and confidentiality protection rules. The Data Controller protects the data by appropriate measures against unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction and damage, and against becoming inaccessible as a result of changes in the technology used.
The Data Controller keeps records of the data it processes in accordance with the applicable legislation, ensuring that the data may be accessed only by those employees and other persons acting within the Data Controller’s sphere of interest (data processors) who need such access for the performance of their job or task. Employees of the Data Controller perform individual searches and individual operations on data only at the User’s request or if this is necessary for the provision of the service.
When determining and applying measures serving data security, the Data Controller takes into account the state of the art at all times. From among several possible data processing solutions, the Data Controller chooses the one that ensures a higher level of protection of Personal Data, unless this would involve disproportionate difficulty.
In the course of its tasks relating to IT protection, the Data Controller ensures in particular:
Employees and other persons acting in the interest of the Data Controller are obliged to securely store data carriers used by them or in their possession that contain Personal Data, irrespective of the method of recording the data, and to protect them against unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction and damage.
The Data Controller operates the electronic records by means of an IT program that complies with data security requirements. The program ensures that data may be accessed only for specified purposes, under controlled conditions, and only by those persons who need such access for the performance of their tasks.
The Data Controller erases Personal Data if:
If it becomes apparent that data are being processed unlawfully, the Data Controller shall carry out the erasure without delay.
The User may request the erasure of data processed on the basis of the User’s voluntary consent. In this case, the Data Controller erases the data. Erasure may be refused only if a law authorises the processing of the data. The Data Controller shall in every case provide information on the refusal of an erasure request and the law permitting the data processing.
Erasure may be refused (i) for the purpose of exercising the right to freedom of expression and information, or (ii) if a law authorises the processing of Personal Data; and (iii) if the data processing is necessary for the establishment, enforcement or defence of legal claims.
The Data Controller shall in every case inform the User of the refusal of the erasure request, indicating the reason for refusing erasure. After the fulfilment of a request for erasure of Personal Data, the previous (erased) data can no longer be restored.
Newsletters sent by the Data Controller may be unsubscribed from via the unsubscribe link included therein, in the user account, or by sending a message to adatkezeles@adriennefeller.com. In the event of unsubscribe, the Data Controller deletes the User’s Personal Data from the Newsletter database.
Since the Data Controller provides a continuous service to the User, the relationship between the Parties is not limited in time. Accordingly, in the absence of the User’s request, the Data Controller processes the data for as long as the relationship between the Data Controller and the User exists and for as long as the Data Controller may provide services to the User.
The Data Controller erases all other data if it is clear that the data will not be used in the future, i.e. the purpose of Data Processing has ceased to exist.
If a court or the National Authority for Data Protection and Freedom of Information orders the erasure of data by final decision, the Data Controller shall carry out the erasure.
Instead of erasure, the Data Controller, while informing the User, restricts the Personal Data if the User so requests or if, on the basis of the information available to it, it may be presumed that erasure would prejudice the User’s legitimate interests. Personal Data thus restricted may be processed only for as long as the data processing purpose that precluded the erasure of the Personal Data continues to exist. The Data Controller marks the Personal Data processed by it if the User disputes its correctness or accuracy but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.
In the case of data processing ordered by law, the provisions of the law shall govern the erasure of data.
In the event of erasure, the Data Controller renders the data unsuitable for personal identification. If required by law, the Data Controller destroys the data carrier containing the Personal Data.
20.1. The Data Controller informs the User about data processing at the same time as contact is established. In addition, the User is entitled at any time to request information about data processing.
At the User’s request, the Data Controller provides information on the User’s data processed by it or by the data processor commissioned by it or acting pursuant to its instructions, on the source of those data, the purpose, legal basis and duration of data processing, the name and address of the data processor and its activities related to data processing, the circumstances and effects of any data protection incident and the measures taken to remedy it, and, in the event of transfer of the User’s Personal Data, on the legal basis and recipient of the data transfer. The Data Controller is obliged to provide the information in writing, in an intelligible form, upon the User’s request, within the shortest possible time from the submission of the request, but no later than within 25 days. The information is free of charge if the person requesting information has not yet submitted a request for information concerning the same scope of data in the current year. In other cases, reimbursement of costs may be determined. Any reimbursement already paid must be refunded if the data were processed unlawfully or if the request for information led to rectification.
20.2. The User may request that the Data Controller rectify any Personal Data recorded incorrectly. If regular data provision is made on the basis of the data to be rectified, the Data Controller shall, if necessary, inform the recipient of the data provision of the rectification, or draw the User’s attention to the fact that they must also initiate rectification with another data controller.
20.3. With the exception of data processing ordered by law, the User may request the erasure of their Personal Data. The Data Controller informs the User of the erasure.
20.4. The User may object to the processing of their Personal Data as specified in the Info Act.
20.5. The User may submit a request for information, rectification or erasure in writing, by letter addressed to the registered seat or premises of the Data Controller, or by e-mail sent to adatkezeles@adriennefeller.com.
20.6. The User may request that the Data Controller restrict the processing of their Personal Data if the User disputes the accuracy of the Personal Data processed. In this case, the restriction applies for the period enabling the Data Controller to verify the accuracy of the Personal Data. The Data Controller marks the Personal Data processed by it if the User disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.
The User may also request that the Data Controller restrict the processing of their Personal Data if the Data Processing is unlawful but the User opposes the erasure of the Personal Data processed and instead requests the restriction of their use.
The User may further request that the Data Controller restrict the processing of their Personal Data if the purpose of Data Processing has been achieved but the User requires their processing by the Data Controller for the establishment, enforcement or defence of legal claims.
20.7. The User may request that the Data Controller provide to the User, in a structured, commonly used, machine-readable format, the Personal Data concerning the User which were provided to the Data Controller and processed by automated means, and/or transmit those data to another data controller.
20.8. If the Data Controller does not comply with the User’s request for rectification, blocking or erasure, it shall communicate the reasons for refusal in writing within 25 days of receipt of the request. In the event of refusal of a request for rectification, erasure or blocking, the Data Controller informs the User of the possibility of judicial remedy and of turning to the National Authority for Data Protection and Freedom of Information.
20.9. The User may make the above statements concerning the exercise of their rights through the contact details of the Data Controller specified in Section 3.
20.10. The User may lodge a complaint directly with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11.; telephone: +36-30-549-6838; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu). In the event of infringement of their rights, the User is entitled to turn to court pursuant to Section 22(1) of the Info Act. The action falls within the competence of the regional court. At the User’s choice, the action may also be brought before the regional court of the User’s place of residence or place of stay. Upon request, the Data Controller provides the User with detailed information on the possibility and means of legal remedy.
21.1. The Data Controller reserves the right to amend this Notice at any time by unilateral decision.
21.2. If the Data Controller intends to amend this Notice in a manner affecting the purpose or legal basis of data processing based on consent, the scope of the data processed, the identity of the data processors, or the conditions of transfer to a third country, the Data Controller shall notify the affected Users at least 30 days before the amendment enters into force. Notification shall be made by e-mail, system message, or by means of clearly visible information placed on the homepage of the Website.
Budapest, 08 May 2026