Privacy Notice

Maximus HCD Limited Liability Company (hereinafter referred to as the “Data Controller”), as the operator of the website available under the domain name https://www.perfectacoustic.hu (hereinafter referred to as the “Website”), hereby publishes information on the data processing carried out in the context of the online shop available on the Website and other services available on the Website.

Users accessing the Website (hereinafter referred to as “User”) accept all the terms and conditions set out in this Privacy Policy (hereinafter referred to as “Policy”) and are therefore kindly requested to read this Policy carefully before using the Website.

The Data Controller is committed to protecting Users’ personal information. The Data Controller respects the right of Users to be informed about the collection of their personal data and other operations concerning them. The Data Controller applies the principle of strict necessity in the use of data that may directly or indirectly personally identify the User. It will not process personal data if it can provide the services using anonymous data or other means that allow the Controller to identify the User. An exception to this is if the Data Controller has to provide data at the request of the competent authorities or the police.

Data of the Controller

The data controller is XL Gasztrobusz Kft.

Headquarters: 2315 Szigethalom, Dob street 4.

Company registration number: 13-09-181969

Tax number: 25702228-2-13

E-mail: perfectacoustic.com@gmail.com

Information on individual data management

Ordering in the online store

Scope of processed data:

If the User selects a product on the Website, he has the opportunity to enter his data on the order interface so that the Data Controller can fulfill his order. During the purchase, it is possible to provide the following personal data (data marked with * is mandatory):

full name*;

e-mail address*;

telephone number*;

billing address (billing name, country, city, street, house number, postal code)*;

delivery address* (if it does not match the billing address);

company name, tax number – only for customers who are not natural persons;

comment;

coupon code.

During the purchase, it is also possible to enter the following data:

payment method*;

method of receipt*.

Purpose of data management: Providing the services of the online store, such as creating, defining, modifying, registering and fulfilling the contract created for the purpose of the order, delivering the ordered products, maintaining contact with the User in connection with the order, invoicing the fees arising from the contract, and any related enforcement of claims.

Duration of data management: In the case of a purchase, the necessary data is processed for 5 (five) years after the purchase in order to enforce the claims and rights arising from the concluded contract, Act V of 2013 on the Civil Code 6:22. § 169 of Act C on Accounting (hereinafter: Accounting Act), and in order to fulfill the data controller’s retention obligation, the Data Controller shall store the name and address of the User on the accounting certificate for 8 years, solely for the purpose of fulfilling the accounting obligation preserves.

Legal basis for data management: In relation to personal data processed during ordering and shopping in the online store, the legal basis for data management is the fulfillment of the contract between the User and the Data Controller, and the enforcement of the rights and obligations arising from the contract based on Article 6 (1) point (e) of the GDPR. The legal basis for data management related to accounting documents (name, billing address) is the statutory provision ordering mandatory data management, i.e. the Accounting Act. § 169.

Note: The data controller declares that, in the case of payment by bank card, it does not manage, collect, or store any card data necessary for the payment transaction, nor does it access this data in any way. The data controller declares that the transaction data is provided by OTP Mobil Kft. (1093 Budapest, Közraktár utca 30-32.; ugyfelszolgalat@simple.hu; +36 1/20/30/70 3-666-611; a hereinafter: Service Provider) assumes no responsibility for the legality of its handling. The User can obtain information about the Service Provider’s data management on the Service Provider’s website and other contact details. The data management policy of OTP Mobile Kft. is available at the following link: http://simplepay.hu/vasarlo-aff.

Complaint handling

Scope of processed data:

in the case of a written complaint:

name;

mailing address or electronic mail address;

subject and content of the complaint.

In the case of a verbal complaint or a verbal complaint made over the phone, if the complaint was not remedied immediately, the Data Controller will record a report containing the following information:

name;

Home address;

place, time, method, subject and content of complaint;

unique identification number of the complaint.

Purpose of data management: The purpose of data management is to document the identity of the complainant, the exact time of the complaint and the content of the complaint, as well as the information provided by the Data Manager regarding the complaint, for the purpose of processing and retrievability of complaints received by the Data Controller verbally, by telephone, in writing and by electronic mail.

Legal basis for data management: CLV of 1997 on consumer protection. Act 17/B. §-the.

Duration of data management: CLV of 1997 on consumer protection. Act 17/B. §, the Data Controller must keep the minutes of the oral complaint, the written complaint and the response to it for 3 (three) years.

Scope of persons entitled to access personal data, data processing

The Data Controller and the Data Processors used by it are entitled to access personal data in accordance with current legislation.

The data is processed by the following data processors acting on behalf of the Data Controller:

Courier service details: SPRINTER Futárszolgált Kft.

Name: SPRINTER Futárszolgált Kft.

Address: 1097 Budapest, Táblás utca 39.

E-mail: info@sprinter.hu

Telefon: +36 1 881 2615

Purpose of data processing: Delivery of products ordered in the online store to the User.

Data transferred: name, delivery address, telephone number, e-mail address

Data of hosting provider:

Name: ELIN.hu Kft

Headquarters: 9024 Győr, Déry T. u. 11.

Company registration number: 08-09-016359

Tax number: 14315754-2-08

E-mail: info@elin.hu

Name: Doubleclick

Detailed information about the service is available at the following link: https://policies.google.com/privacy

The Data Controller reserves the right to involve additional data processors in the data management in the future, of which it will inform the Users by amending this Notice.

In the absence of an express legal provision, the Data Controller will only transfer personal identification data to third parties with the express consent of the User in question.

Place of data management

Data management takes place on the www.perfectacoustic.hu website and on the server(s) operating the Website.

Rights of the User

Access to personal data

At the request of the User, the Data Controller provides information on whether the Data Controller continues data processing with regard to his personal data and, if so, gives him access to the personal data, as well as informs him of the following information:

purpose(s) of data management;

types of personal data involved in data management;

in case of transmission of the User’s personal data, the legal basis and recipient(s) of the data transmission;

planned duration of data management;

the rights of the User in connection with the correction, deletion and restriction of processing of personal data, as well as objections to the processing of personal data;

the possibility of turning to the Authority;

the source of the data;

relevant information related to profiling;

about the name, address and activity related to data management of the data processors.

The Data Controller provides the User with a copy of the personal data subject to data management free of charge. For additional copies requested by the User, the Data Controller may charge a reasonable fee based on administrative costs. If the User submitted the request electronically, the information must be provided in a widely used electronic format, unless the data subject requests otherwise.

The Data Controller is obliged to provide the information at the User’s request in an understandable form without undue delay, but at the latest within one month of the submission of the request. The user can submit his request for access to the contact details specified in point 1.

Correction of processed data

The User may apply to the Data Controller (at the contact details specified in point 1) for the correction of inaccurate personal data or the addition of incomplete data, taking into account the purpose of the data management. The data controller will carry out the correction without undue delay.

Deletion of processed data (right to be forgotten), blocking

The User may request that the Data Controller delete the personal data concerning him without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:

the personal data are no longer needed for the purpose for which they were collected or otherwise processed;

the User withdraws his consent and there is no other legal basis for data processing;

the User objects to the handling of his personal data;

the processing of personal data was unlawful;

the personal data must be deleted in order to fulfill the legal obligation prescribed by the EU or Member State law applicable to the data controller;

the collection of personal data based on consent took place in connection with the offering of information society-related services to children.

If the Data Controller has disclosed (made available to a third party) the personal data and is obliged to delete it based on the above, it must take the reasonably expected steps and measures, taking into account the available technology and the implementation costs, in order to inform the concerned personal data controllers that the User has requested from them to delete the links to the personal data in question or the copy or duplicate of this personal data.

Personal data do not need to be deleted if data management is necessary:

for the purpose of exercising the right to freedom of expression and information;

for the purpose of fulfilling the obligation under the EU or Member State law applicable to the data controller requiring the processing of personal data, or for the execution of a task performed in the public interest or in the context of the exercise of public authority conferred on the data controller;

on the basis of public interest in the field of public health;

for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, if the right to erasure would likely make this data management impossible or seriously jeopardize it; obsession

for the presentation, enforcement and defense of legal claims.

Limitation of data management

The User has the right to request that the Data Controller limit the processing of personal data instead of correcting or deleting it, if one of the following conditions is met:

the User disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the data manager to check the accuracy of the personal data;

the data management is illegal and the User opposes the deletion of the data and instead requests the restriction of their use;

The Data Controller no longer needs the personal data for the purpose of data management, but the User requires them to submit, enforce or defend legal claims; obsession

the User objected to data management; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

If data management is subject to restrictions, such personal data may only be processed with the consent of the User, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the Union or a member state.

The Data Controller informs the User, at whose request the data processing was restricted, of the lifting of the data processing restriction in advance.

Notification obligation related to the correction or deletion of personal data or the limitation of data management

The Data Controller informs all recipients of the correction, deletion or restriction of personal data to whom or to whom the personal data was communicated, unless this proves to be impossible or requires a disproportionately large effort. Upon the User’s request, the data controller will inform the User about these recipients.

Right to data portability

The User has the right to receive the personal data concerning him/her provided to the Data Controller in a segmented, widely used, machine-readable format, and to forward this data to another data controller. If requested by the User, the Data Controller exports the processed data in PDF and/or CSV format.

Right to protest

The User may object to the processing of his personal data if the data processing

it is of public interest or necessary for the execution of a task performed in the context of the exercise of public authority granted to the Data Controller;

necessary to assert the legitimate interests of the Data Controller or a third party;

based on profiling.

In the event of the User’s objection, the Data Controller may no longer process the personal data, unless it proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the User, or that are related to the presentation, enforcement or defense of legal claims .

If personal data is processed for the purpose of direct business acquisition or related profiling, the User has the right to object at any time to the processing of his/her personal data for this purpose. If the User objects to the processing of personal data for the purpose of direct business acquisition, then the personal data may no longer be processed for this purpose.

Data controller action in connection with the User’s request

The Data Controller shall inform the User without undue delay, but at the latest within one month of the receipt of the request, of the measures taken following the request for access, correction, deletion, restriction, objection, and data portability. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The Data Controller shall inform the User of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request. If the User submitted the request electronically, the information must be provided electronically, if possible, unless the data subject requests otherwise.

If the Data Controller does not take measures following the User’s request, it shall inform the User without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, as well as of the fact that the User may file a complaint with a supervisory authority and exercise his right to judicial redress.

In the case of the User’s request, the information, the information and the action taken based on the request must be provided free of charge. If the User’s request is clearly unfounded or – especially due to its repetitive nature – excessive, the Data Controller, taking into account the administrative costs associated with providing the requested information or information or taking the requested action, may charge a reasonable fee or refuse to take action based on the request. It is the responsibility of the Data Controller to prove that the request is clearly unfounded or excessive.

Data security

The Data Controller undertakes to ensure the security of the data, to take the technical and organizational measures and to establish the procedural rules that ensure that the recorded, stored and managed data are protected, as well as to prevent their destruction and unauthorized use and unauthorized alteration. It also undertakes to call on all third parties to whom the data is forwarded or transferred based on the consent of the Users to comply with the requirement of data security.

The data controller ensures that no unauthorized person can access, disclose, forward, modify, or delete the processed data. The managed data can only be seen by the Data Manager, its employees, or the Data Processor used by the Data Manager, and the Data Manager will not pass them on to third parties who do not have the right to access the data.

The data manager will do everything possible to ensure that the data is not accidentally damaged or destroyed. The above commitment is required by the Data Controller for its employees participating in data management activities.

The User acknowledges and accepts that in the case of entering personal data on the Website – despite the fact that the Data Controller has modern security tools to prevent unauthorized access to the data or their investigation – the protection of the data cannot be fully guaranteed on the Internet. In the event of unauthorized access or knowledge of data despite our efforts, the Data Manager is not responsible for this type of data acquisition or unauthorized access or for any damage caused to the User as a result of these reasons. In addition, the User may also provide his personal data to third parties, who may use it for illegal purposes or in a way.

Under no circumstances does the data controller collect special data, i.e. data related to racial origin, belonging to a national and ethnic minority, political opinion or party affiliation, religious or other worldview beliefs, interest-representative organization membership, health status, pathological they relate to passion, sex life, and criminal record.

Management and reporting of data protection incidents

A data protection incident is any event that involves the unlawful handling or processing of personal data managed, forwarded, stored or processed by the Data Controller, including, in particular, unauthorized or accidental access, alteration, communication, deletion, loss or destruction, as well as accidental destruction and result in injury.

The Data Controller is obliged to report the data protection incident to the NAIH without undue delay, but no later than 72 hours after becoming aware of the data protection incident, unless the Data Controller can prove that the data protection incident is not likely to pose a risk to the rights and freedoms of natural persons looking at. If the notification cannot be made within 72 hours, the reason for the delay must be indicated, and the required information can be provided in detail without further undue delay. The notification to the NAIH shall contain at least the following information:

the nature of the data protection incident, the number and category of data subjects and personal data;

Name and contact information of data controller;

likely consequences of the data protection incident;

the measures taken or planned to manage, prevent, remedy the data protection incident.

The Data Controller informs the data subjects about the data protection incident via the Data Controller’s website within 72 hours after the detection of the data protection incident. The information must contain at least the data specified in this point.

The Data Controller keeps a record of data protection incidents for the purpose of checking the measures related to the data protection incident and informing the affected parties. The register contains the following data:

scope of personal data concerned;

scope and number of stakeholders;

the date of the data protection incident;

the circumstances and effects of the data protection incident;

measures taken to prevent the data protection incident.

The data in the register is kept by the Data Controller for 5 years from the date of detection of the data protection incident.

Enforcement options

The Data Controller does everything possible to ensure that personal data is handled in accordance with the law, however, if the User feels that it has not complied with this, he has the option to write to the contact details specified in point 1.

If the User feels that his right to the protection of personal data has been violated, he can seek legal redress from the competent authorities according to the applicable laws.

At the National Data Protection and Freedom of Information Authority (cím: 1055 Budapest, Falk Miksa utca 9-11.; ugyfelszolgalat@naih.huwww.naih.hu)

at court.

Other provisions

This Information is governed by Hungarian law, especially Act CXII of 2011 on the right to self-determination of information and freedom of information. law and the GDPR are applicable.

Budapest, 2023.

XL Gastrobusz Kft.

Data controller