Privacy Policy

 

Privacy Policy

Effective from: 14.01.2021

 

Contents:

In this Privacy Policy, you will find information on the processing of your personal data in the following sections:

  1. General provisions. Among other general information, this chapter contains data on the Data Controller and certain data processors.
  2. data processing. In this chapter you will find separate information regarding each purpose of data processing, about whose personal data we process and for what purpose, on what legal basis and for what period of time we process personal data.

II/1. Orders

II/2. Invoicing

II/3. Complaint handling

II/4. Cookies

II/5. Data of body painters, resellers and other contract partners

II/6. Personal details of contractual partners’ contacts

II/7. Newsletters

II/8. Contact, request for individual quotation

II/9. Proof of consent

 

III. Users’ rights in relation to data processing and their enforcement. Here you will find a detailed description of the user’s (your) data processing rights and the relevant procedures.

  1. Legal remedy. This section provides a detailed description of the remedies available to the user (you) in the event of a breach of your personal data rights.

 

  1. General provisions

1.1. Regarding this Privacy Policy, the customer according to the GTC, the person registering on the website or booking training, or the visitor of the website, as well as other persons indicated in each Ways of data processing (Chapter II) are considered ’User’.

User: a natural person identified or identifiable on the basis of any information. Identifiable natural person: a natural person who, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, a location data, an online identifier or a natural person identifiable by one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity;

 

 

1.2. The Data Controller:

Data Controller: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;

Company name: TyToo Body Art Limited Liability Company

Headquarter, postal address: H-4064 Nagyhegyes, Ady Endre str. 10.

Customer service, personal collection and administration: H-4025 Debrecen, Nyugati str. 5-7. 9. building

E-mail: sales@tytoo.hu

Tel: + 36 (20) 253-18-38

Company registration number: 09-09-012453

Maintains records: Debrecen Court of Registration

Tax No.: 13702599-2-09

  

 

1.3. The aim of the Data Controller is to ensure the protection of the personal data of the persons using the Website under the address www.tytoo.eu as much as possible. This Privacy Notice applies only to the Website and does not apply to websites operated by third parties, even if those websites are directly accessible from the Website.

1.4. The Data Controller has the right to unilaterally change the content of this data processing Information at any time, of which it will notify the users by e-mail.

1.5. The Data Controller carries out its activities by protecting the privacy rights of its visitors and customers, in compliance with the provisions of the relevant legislation, in particular the following:

– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation, GDPR);

– the Civil Code of Hungary;

– and the right to information self-determination and freedom of information; CXII of 2011 Act (hereinafter: Information Act)

1.6. Please note that the User consents to the data processing at the same time as accepting the terms and conditions of this data processing Information. The processing of personal data is lawful with the consent of the user if the child has reached the age of 16. In the case of a child under the age of 16, the processing of children’s personal data is lawful only if and to the extent that the consent has been given or authorized by the person exercising parental control over the child.

1.7. Our employees, whose work and data processing is necessary to carry out our activities, are considered recipients of each type of data processing. If the Data Controller is approached by a court, prosecutor’s office, investigating authority, infringement or administrative authority, e.g. the National Data Protection and Freedom of Information Authority, or other bodies, it shall provide the Data Controller with personal data necessary for the realization of the purpose of the request, in addition to indicating the exact purpose, legal basis and scope of data and shall inform the person concerned without delay. In the course of its activities, the Data Controller also transmits personal data to data processors as recipients solely in order to fulfill it and to the extent necessary for that purpose. „Processor” means any natural or legal person, public

 

authority, agency or any other body which processes personal data on behalf of the controller. For each data processing method (Chapter II), some additional data controllers and recipients are also indicated separately.

1.7.1. The personal data we process through the Website is stored by the hosting provider as a data processor:

Company name: Tarhely.Eu Service Ltd.

Contacts: +36 1 789 2 789; support@tarhely.eu

Headquarters: H-1144 Budapest, Ormansag str. 4.

Activity: hosting service, in case of failure to provide data, the Data Controller cannot perform the home delivery service.

Data transmitted: personal data provided through the Website.

 

1.7.2. Our web developer, as a data processor, may have access to the personal data we manage on the Website:

Name: Skylon Enterprise Ltd.

Headquarters: H-4064 Nagyhegyes, Bartok Béla str 32.

Activity: hosting service, in case of failure to provide data, the Data Controller cannot perform the home delivery service.

Data transmitted: data recorded during registration and ordering.

 

1.7.3. We store personal data in the MiniCRM system at our data processor:

Name: MiniCRM Ltd.

Headquarters: H-1075 Budapest, Madach Imre rd. 13-14.

https://www.minicrm.hu/adatvedelem/

Activity: data storage, storage of invoicing, ordering, marketing and other data provided through the Website, without which we will not be able to perform the contract.

 

  1. Ways of data processing:

II/1. Orders

2.1.1. When placing an order and fulfilling it, the Data Controller processes personal data.

2.1.2. The purpose of data processing is to perform the service.

2.1.3. Legal basis for data processing: performance of the contract. [data processing under Article 6 (1) (b) GDPR].

2.1.4. Duration of data processing: the statute of limitations for civil law, 5 years, according to the conditions set out in the Civil Code.

2.1.5. The scope of data involved in data processing: name (surname and first name), billing address, delivery address, telephone number, e-mail address.

2.1.6. Data processors:

In the case of delivery orders for personal data contained in orders, they are forwarded to the courier as a data processor in order to fulfill the orders. The provision of data is a precondition for concluding the contract, in the event of its non-compliance the Data Controller will not be able to perform the delivery service.

Data transmitted: data required for delivery and contact; name, address, telephone number.

2.1.7. Other recipients: our colleagues involved in fulfilling orders.

 

II/2. Invoicing

2.2.1. The Data Controller stores and manages the personal data on the accounts.

2.2.2. The purpose of data processing is invoicing, compliance with accounting rules.

2.2.3. The legal basis of data processing is the fulfillment of the legal obligation, the CXXVII. pursuant to Section 159 (1) of Act C of 2000 and Section 169 (2) of Act C of 2000 on Accounting [data processing pursuant to Section 6 (1) (c) of the GDPR].

2.2.4. The scope of data affected by data processing: name, address.

2.2.5. The persons concerned are the natural persons on the invoice.

2.2.6. Duration of data processing: 8 years after the issuance of the accounting document.

2.2.7. A company that provides accounting services to us qualifies as a data processor.

Personal data transmitted: data, name and address required for invoicing.

 

II / 3. Complaint handling

2.3.1. The data processing takes place for the purpose of complaint handling, the Data Controller is obliged to keep the complaint in accordance with the relevant legislation.

2.3.2. The person concerned is the complainant and the contact person.

2.3.3. The legal basis for data processing is the fulfillment of a legal obligation, the 1997 CLV. Act 17 / A. § (7) [data processing pursuant to Article 6 (1) (c) GDPR].

2.3.4. The scope of personal data involved in data processing: name, address, e-mail address, telephone number.

2.3.5. Duration of data processing: 5 years, in accordance with the legal retention obligation.

2.3.6. Recipients: our colleagues dealing with the complaint.

 

II/4. Cookies

2.4.1. What are cookies? In order to monitor the Website, the Data Controller uses an analytical tool („cookie”), which generates a flow of data and tracks how visitors use the Internet pages. When a page is viewed, the system generates and installs a cookie on the visitor’s computer in order to record the information related to the visit (the pages visited, the time spent on the pages of the Data Controller, browsing data, etc.), but this data is not can be linked to the person of the visitor. This tool helps to improve and improve the ergonomic design of the website and the online experience of the visitors by creating a user-friendly website, preventing data loss. Cookies recognize a visitor’s computer and manage their IP address.

2.4.2. How can you handle cookies? Most Internet browsers accept cookies, but visitors have the option to delete or automatically reject or allow them. The visitor has the option to refuse the installation of cookies. Because each browser is different, visitors can set their cookie settings individually using the browser toolbar. Users may not be able to use certain features of the Website if they choose not to accept cookies. The use of cookies can be used to monitor the websites visited by the visitor and the visitor’s internet usage habits. Only by revisiting the Website and only the service provider concerned can this data be linked to the visitor. The storage time of such data depends on the type of cookies. The „Help” function in the menu bar of most browsers provides information on how to

– how to disable cookies,

– how to accept new cookies,

– how to instruct your browser to set a new cookie, or

– how to turn off other cookies.

2.4.3. The legal basis for data processing is Article 6 (1) (a) of the GDPR the voluntary consent of the user (the visitor).

2.4.4. The range of personal data managed: IP address, visited page.

2.4.5. The purpose of data processing is to facilitate shopping and analytical evaluation of visit data.

2.4.6. The individual cookies used by the data controller, the purpose of their use and their expiration date:

Source:

Name:

Function, purpose:

Expiry:

Facebook

https://www.facebook.com/policies/cookies/

c_user

Social sharing and data collection for Facebook (user ID)

365 days

datr

This cookie identifies the browser that connects to Facebook. It is not directly related to individual Facebook users. According to Facebook, it is used for security purposes and to detect suspicious login activities, especially robots trying to access the service. In addition, Facebook said the behavioral profiles associated with each datr cookie will be deleted after 10 days. This cookie can also be read via the Like and other Facebook buttons, as well as tags placed on many different websites.

2 years

fr

Stores encrypted Facebook and browser IDs.

100 days

sb

Community sharing and data collection for Facebook

until closing the browser or ending the session

xs

Information about sharing content with Facebook.

5 months

_fbp

Facebook Pixel marketing cookies

30 days

 

 

 

Google

It measures the traffic data of the website, in which the transmitted data is not suitable for identifying the users. The information generated by cookies about your use of the website is usually stored on a Google server in the USA and stored there.

http://www.google.com/analytics/learn/privacy.html ;

 www.google.com/analytics/

1P_JAR

This cookie collects website statistics and measures conversions.

1 month

ANID

They are used to link the user’s activities on different devices to display ads that are more relevant to you.

5 months

CONSENT

Indicates that it complies with the google.com privacy statement.

20 years

NID

This will help us show you customized ads on Google.

6 months

_Secure-3PAPISID

They are used for targeting purposes to create a profile of the interests of website visitors to display relevant and personalized Google ads.

2 years

_Secure-3PSID

They are used for targeting purposes to create a profile of the interests of website visitors to display relevant and personalized Google ads.

2 years

 

II / 5. Details of resellers and other contractual partners

2.5.1. The Data Controller manages the contact details of resellers and the contractual partners of the natural person or sole proprietor.

2.5.2. Scope of personal data processed: personal data requested at the time of concluding the contract and provided by the partner.

2.5.3. The purpose of data processing: performance of the contract.

2.5.4. Legal basis for data processing: performance of the contract. [data processing under Article 6 (1) (b) GDPR].

2.5.5. Duration of data processing: 5 years, in accordance with the rules of civil statute of limitations.

2.5.6. Recipients: Personal data is accessed by employees whose involvement is necessary for the performance of the contract.

 

II / 6. Personal details of the contacts of the contractual partners

2.6.1. The Data Controller manages the data of the contacts of the non-natural person in relation to the contractual partners of the non-natural person.

2.6.2. Scope of personal data processed: name of contact persons, telephone number, e-mail address, position, job title).

2.6.3. The purpose of data processing is to liaise with the relevant contractual partner in order to perform the contract.

2.6.4. The legal basis for data processing is the legitimate interest of the contractual partner in the performance of the contract. [data processing pursuant to Article 6 (1) (f) GDPR]. This legitimate interest takes precedence over the employee’s right to dispose of personal data in a given case, as it is a necessary and proportionate restriction for the performance of the employee’s job.

2.6.5. Duration of data processing: 5 years, in accordance with the rules of civil statute of limitations.

2.6.6. Recipients: Personal data is accessed by employees whose involvement is necessary for the performance of the contract.

 

II / 7. Contact, individual request for quotation

2.7.1. When someone, as a natural person (eg by e-mail or telephone), first contacts the Data Controller without any other data processing at its contact details (for the purpose of creating a custom template or for other requests or offers), the Data Controller handles personal data.

2.7.2. The purpose of data processing is to keep in touch.

2.7.3. The legal basis for data processing is the voluntary consent of the user. [data processing pursuant to Article 6 (1) (a) GDPR].

2.7.4. Duration of data processing: up to 60 days after the end of the communication or until the change of legal basis (e.g. conclusion of a contract).

2.7.5. The provision of personal data is not a condition for concluding a contract, however, in the event of failure to do so, contact cannot be ensured.

2.7.6. Scope of personal data involved in data processing: personal data voluntarily provided by the user when contacting him / her, in particular his / her name, e-mail address, telephone number, position, position.

2.7.7. The recipient of the data processing is the recipient of the customer relations employee or the message sent by the user, or our colleague dealing with the issue.

 

II/8. Proof of consent

2.8.1. If the data processing is based on the user’s consent, the Data Controller must be able to prove that he or she has consented to the processing of the user’s personal data. To this end, the Data Controller stores and, if necessary, uses the personal data of the user before the acting authority / court.

2.8.2. The person concerned is the person giving the consent.

2.8.3. Article 7 (1) of the GDPR provides for this obligation [data processing under Article 6 (1) (c) GDPR].

2.8.4. The scope of the data involved in the data processing: the date of granting the consent, the IP address, the data required for identification, such as the e-mail address and the surname or first name.

2.8.5. Duration of data processing: statutory limitation period.

2.8.6. As recipients, personal data is accessed by our colleagues who are involved in data processing procedures.

 

 

III. Users’ rights in relation to data processing and their enforcement

The user may exercise his / her rights at the above contact details of the Data Controller:

– requesting information on the processing of your personal data and the right of access;

– requesting the correction of your personal data,

– a request for erasure of personal data, with the exception of mandatory data processing,

– withdrawal of personal data,

– the right to carry data,

– the right to protest;

– the right to be exempted from automated decision-making.

 

III/1. Right to information, right of access:

3.1.1. The Data Controller shall provide the user with information on the processing of his / her personal data in a concise, transparent, comprehensible and easily accessible form, clearly and intelligibly worded.

3.1.2. Requests for information may be made in writing at the above-mentioned contact details of the Data Controller. At the request of the user, if he proves his identity, information may be given orally.

3.1.3. The user has the right to receive feedback from the Data Controller as to whether the processing of his / her personal data is in progress, and if such data processing is in progress, he / she has the right to access the personal data and the following information: purposes of data processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular recipients in third countries or international organizations; the intended period for which the personal data will be stored; the right to rectify, erase or restrict data processing and to protest; the right to lodge a complaint with the supervisory authority; information on data sources; the fact of automated decision-making, including profiling, and comprehensible information on the logic used and the significance of such data processing and the expected consequences for the user. In the event of a transfer of personal data to a third country or to an international organization, the user shall be entitled to be informed of the appropriate guarantees for the transfer.

3.1.4. The Data Controller shall provide the user with a copy of the personal user to data processing. The Data Controller may charge a reasonable fee based on administrative costs for additional copies requested by the user. where the user has submitted the request by electronic means, the information shall be provided in a widely used electronic format, unless the user requests otherwise.

3.1.5. The Data Controller shall provide the information within a maximum of one month from the submission of the request.

 

III/2. Right of rectification:

The user may request the correction of inaccurate personal data processed by the Data Controller and the addition of incomplete data.

 

III/3. Right of cancellation („right to be forgotten”):

3.3.1. The user shall have the right to delete personal data concerning him / her at his / her request without undue delay if one of the following reasons exists:

– personal data are no longer required for the purpose for which they were collected or otherwise processed;

– the user withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;

– the user objects to the processing and there is no overriding legitimate reason for the processing;

– personal data have been processed unlawfully;

– personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the Data Controller;

– personal data were collected in connection with the provision of information society services.

3.3.2. Deletion of data may not be initiated if the processing is necessary for: the exercise of the right to freedom of expression and information; to fulfill an obligation under Union or Member State law applicable to the Data Controller to process personal data or to carry out a task carried out in the public interest or in the exercise of a public authority conferred on the Data Controller; in the field of public health, or for archival, scientific and historical research or statistical purposes, in the public interest; or to bring, assert or defend legal claims.

III/4. Right to restrict data processing:

3.4.1. At the request of the user, the Data Controller shall restrict the data processing if one of the following conditions is met:

– the user disputes the accuracy of the personal data; in which case the restriction shall apply for a period which allows the accuracy of the personal data to be verified;

– the processing is unlawful and the user opposes the deletion of the data and instead requests that their use be restricted;

– the Data Controller no longer needs the personal data for the purpose of data processing, but the user requests them in order to submit, enforce or protect legal claims; obsession

– the user has objected to the processing; in this case, the restriction shall apply for the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the user.

3.4.2. Where data processing is restricted, personal data may be processed, with the exception of storage, only with the consent of the user or for the purpose of bringing, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the important public interest of the European Union or a Member State.

3.4.3. The Data Controller shall inform the user in advance of the lifting of the restriction of data processing.

 

III/5. Right to carry data:

3.5.1. The user has the right to receive the personal data concerning him / her made available to the Data Controller in a structured, widely used, machine – readable format and to transmit this data to another Data Controller.

III/6. Right to protest:

3.6.1. 3.6.1. The user shall have the right to object at any time, for reasons related to his situation, to the processing of his personal data in the public interest or in the exercise of public authority or to the processing of users or third parties, including profiling based on those provisions. is. In the event of a protest, the Data Controller may not further process the personal data, unless it is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the user or which are related to the submission, enforcement or protection of legal claims.

3.6.2. Where personal data are processed for the purpose of direct business acquisition, the user shall have the right to object at any time to the processing of personal data concerning him for that purpose, including profiling, in so far as it relates to direct business acquisition. In the event of an objection to the processing of personal data for the purpose of direct business acquisition, the data may not be processed for this purpose.

III/7. Right to exemption from automated decision-making:

The user shall have the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effects on him or her or would be similarly significant. This right shall not apply if the data processing is necessary for the conclusion or performance of the contract between the user and the Data Controller; or is governed by Union or Member State law applicable to the controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the user; or with the express consent of the user.

III/8. Right of withdrawal:

The user has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the data processing prior to withdrawal.

III/9. Procedural rules for enforcement:

3.9.1. Deadline for administration: The Data Controller shall, without undue delay, but in any case within one month from the receipt of the request, inform the user of this Annex III. on the action taken on requests under Chapter. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The Data Controller shall inform the user of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request. If the user has submitted the request electronically, the information shall be provided electronically, unless the user requests otherwise.

3.9.2. If the Data Controller does not take action on the user’s request, it shall inform the user without delay, but no later than one month after receipt of the request, of the reasons for the non-action and of the user’s right to appeal to a supervisory authority.

3.9.3. The Data Controller shall provide the requested information and information free of charge. If the user’s request is manifestly unfounded or, in particular due to its repetitive nature, excessive, the Data Controller may charge a reasonable fee or refuse to act on the request, taking

 

into account the administrative costs of providing the requested information or action or taking the requested action.

3.9.4. The Data Controller shall inform all data recipients concerned of any rectification, erasure or restriction on the processing of personal data to which the personal data have been communicated, unless this proves impossible or requires a disproportionate effort.

 

  1. Remedies

4.1. At the National Authority for Data Protection and Freedom of Information (http://www.naih.hu/; registered office: H-1055 Budapest, Falk Miksa str. 9-11., Postal address: H-1363 Budapest, Pf .: 9., Phone: +36 (1) 391 -1400), anyone may initiate an investigation on the grounds that a breach of law has occurred or is imminent in connection with the processing of personal data or the exercise of rights of access to data of public interest or public interest. The Authority’s investigation is free of charge, and the costs of the investigation are advanced and borne by the Authority.

4.2. The user in case if his/her rights gets violated by the Data Controller, he/she may take legal action against it. The court is acting out of turn in the case. The trial falls within the jurisdiction of the tribunal. The action may, at the option of the person concerned, also be brought before the court of the place where the person concerned is domiciled or resident. The Data Controller is obliged to compensate the damage caused to others by the illegal handling of the data of the user or by violating the data security requirements. The Data Controller is also liable to the user for the damage caused by the data processor. The Data Controller is released from liability if it proves that the damage was caused by an unavoidable cause outside the scope of data processing. The damage shall not be compensated to the extent that it resulted from the intentional or grossly negligent conduct of the injured party. If the Data Controller violates the user’s right to privacy by illegally handling the user’s data or violating the data security requirements, the Data Controller may claim damages from the Data Controller.