Privacy Policy - heavytoolscompany.com

DATA MANAGEMENT Information

1. Name of Data Controller

Name of data controller: PREMIUM SPORT CORPORATION

Short name of the data controller: Premium Sport Kft.

Company registration number of the data controller: 01-09-888925

Data Controller's registered office: 1037 Budapest, Kunigunda útja 70/A

Data Controller's representative: László András Doroszlay, Managing Director

Data Protection Officer: Gábor Szentkatolnai

E-mail address: gabor.szentkatolnai@heavytools.com

Phone number: +36 30 684 5229

Premium Sport Kft. (hereinafter referred to as the Company or the Data Controller) informs you of the following in connection with the processing of data on the website:

By creating and making available this notice, the Company intends to ensure the exercise of the right to information of data subjects as set out in Article 12 of the GDPR.

The purpose of the information notice is to provide data subjects with adequate information about the data processed by the Company or by its data processors, their source, the purpose, legal basis and duration of the processing, the name and address of any data processor involved in the processing and its activities related to the processing, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer.

With this information, the Company intends to ensure the lawful operation of the registers, the constitutional principles of data protection and the requirements of data security, and to prevent unauthorised access to, unauthorised alteration of, and unauthorised disclosure of data.

The prospectus is valid from 25.05.2018 until its withdrawal.

2. Data management rules

As informational self-determination is a fundamental right of every natural person under the Fundamental Law, the Company shall only and exclusively process data in accordance with the provisions of the applicable legislation.

Personal data may only be processed for the exercise of a right or the performance of an obligation. The use of personal data processed by the Company for private purposes is prohibited. The processing must always comply with the purpose limitation principle.

The Company will process personal data only for specified purposes, for the exercise of rights and the performance of obligations, to the minimum extent and for the minimum time necessary to achieve those purposes. At all stages of processing, the purpose must be fulfilled - and if the purpose of the processing ceases to exist or the processing is otherwise unlawful, the data will be deleted. Deletion is carried out by the Company employee who actually processed the data. The erasure may be verified by the person who effectively exercises the powers of an employer over the employee and by the Data Protection Officer.

The Company will process personal data only with the prior consent of the data subject, in the case of special personal data, or on the basis of a law or legal authorisation.

The Company shall in all cases inform the data subject of the purpose of the processing and the legal basis for the processing before the data are collected.

3. Enforcement of data subjects' rights

The data subject may request information on the processing of his/her personal data, as well as the rectification, or - except for data processing required by law - the erasure or restriction of his/her personal data, at the contact details of the Company.

The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller.

The Company is obliged to forward the received request or objection to the head of the department responsible for data processing within three days of receipt.

The head of the department responsible shall respond in writing and in an intelligible form to requests relating to the processing of personal data of the data subject within 25 days of receipt at the latest, or 15 days if the right to object is exercised.

At the request of the data subject, the controller shall provide information about the data of the data subject processed by the controller or by a processor appointed by the controller or on its behalf, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, the circumstances of the personal data breach, its effects and the measures taken to remedy it, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer.

As a general rule, the information is free of charge if the person requesting the information has not yet submitted a request for information to the Data Controller for the same data set in the current year. In other cases, a fee may be charged. The amount of the fee may be fixed in a contract between the parties. Any compensation already paid shall be refunded if the data have been unlawfully processed or if the request for information has led to a rectification.

The head of the department processing the data shall correct the inaccurate data, provided that the necessary data and the supporting documents are available, and, if the reasons set out in Article 17 of the GDPR apply, shall arrange for the erasure of the personal data processed.

Personal data must be deleted if.

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing or the data subject objects to the processing;
the personal data have been unlawfully processed;
the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
personal data are collected in connection with the provision of information society services to children under the age of 16;
if the controller has disclosed the personal data and the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, it shall erase them and shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question.

The data subject may object to the processing of his or her personal data,

where the processing or transfer of personal data is necessary solely for compliance with a legal obligation to which the Controller is subject or for the purposes of the legitimate interests pursued by the Controller, the recipient or a third party, except in cases of mandatory processing;
if the personal data are used or disclosed for direct marketing, public opinion polling or scientific research purposes; and
in other cases specified by law.

The Data Controller shall examine the objection within the shortest possible period of time from the submission of the request, but not later than 15 days, shall decide on the merits of the objection and shall inform the applicant in writing of its decision.

If the Data Controller establishes that the data subject's objection is justified, the Data Controller shall terminate the processing, including further collection and transmission of data, block the data and notify the objection and the measures taken on the basis of the objection to all those to whom the personal data concerned by the objection were previously disclosed and who are obliged to take action to enforce the right to object.

If the data subject does not agree with the decision of the Data Controller or if the Data Controller fails to respond within the time limit, the data subject may, within 30 days of the notification of the decision or the last day of the time limit, have recourse to the courts.

If the data subject does not receive the data necessary to exercise his or her rights because he or she objects, he or she may, within 15 days of the notification, take legal action against the Data Controller in order to obtain access to the data. The Controller may also bring legal proceedings against the data subject.

If the Data Controller fails to notify the data subject, the data subject may request clarification from the Data Controller of the circumstances surrounding the failure to transfer the data, which clarification the Data Controller shall provide within 8 days of the delivery of the data subject's request. In the event of a request for clarification, the data subject may bring an action against the Controller before a court within 15 days of the date of the request for clarification, but no later than the expiry of the time limit for the provision of clarification. The Controller may also bring legal proceedings against the data subject.

The Controller may not delete the data of the data subject if the processing is required by law. However, the data may not be transferred to the data recipient if the controller has consented to the objection or if the court has ruled that the objection is justified.

If the assessment of the case is unclear in the exercise of the data subject's rights, the head of the department processing the data may request the DPO to give his or her opinion on the case by sending the file and his or her position on the case, and the DPO shall do so within three days.

The Company shall also compensate for the damage caused to others by the unlawful processing of the data subject's data or by the breach of data security requirements, as well as for the damages in the event of a personal data breach caused by the Company or its data processor. The Data Controller shall be exempted from liability for the damage caused and from the obligation to pay the damage fee if it proves that the damage or the infringement of the data subject's personality rights was caused by an unavoidable cause outside the scope of the processing. Likewise, it shall not compensate the damage if it was caused by the intentional or grossly negligent conduct of the injured party.

The data subject may exercise his/her right of redress or lodge a complaint with the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/C.) or with the competent court of law of his/her place of residence or domicile.

4. Data processing during the use of the website of Premium Sport Kft.

The place of processing:

1037 Budapest, Kunigunda útja 70/A.

4.1. Data management of the website

The Company has its own websites, which can be accessed at the following addresses:

https://www.heavytools.hu/
https://www.heavytools.sk/
https://www.heavytools.cz/
https://www.heavytools.com/
https://www.heavytools.ro/
https://www.heavy-tools.pl/

The websites are operated by the Company. The webshop available on the websites is operated on behalf of an external service provider.

The Company provides the possibility for visitors to register on the websites operated by the Company. When registering, the data subjects are required to provide the relevant data. However, the data subjects will only be able to register if they accept the Company's data processing policy, which they can do by ticking a box, otherwise they will not be able to submit their registration.

the processing registration number: At the same time as the GDPR was implemented, the NAIH's record-keeping of data management processes ceased to exist, replaced by the obligation to keep records within the data controller's own organisation.

For the data management in this area, the data management registration number previously notified by the Company and registered by the NAIH: NAIH-91373/2015

the purpose of the processing: database management related to the operation of the webshop. Purchasing, invoicing, registering and distinguishing customers, fulfilling orders, documenting purchases and payments, accounting obligations

the scope of the data processed:

name, address, e-mail address, telephone number, gender,
billing details: billing name, billing address, delivery address, tax number (for companies)

the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR

the deadline for data storage:

until the registration account of the data subject is available, but if the data subject requests the deletion of his or her data, immediately after the request for deletion
billing data: 8 years under Act C of 2000

how the data is stored: electronic

name of the data processor: NETGO.HU Kft. (2100 Gödöllő, Kossuth Lajos u. 32.)

data processing activities: webshop operation

4.2. Sending newsletters

The Company operates a newsletter. The newsletter is sent by the Company at specified intervals to the e-mail addresses that are included in the database associated with the newsletter. As e-mail addresses are considered to be relative personal data according to current legal positions, the Company treats all e-mail addresses as protected personal data.

Therefore, as a general rule, an e-mail address may only be included in the database with the consent of the data subject and at his or her specific request. In order to obtain the consent of the data subject to the processing of his/her e-mail address by the Company, the Company will in any case inform the data subject in detail of all relevant facts concerning the processing.

In all cases, the Company ensures the right to prior information and the right to volunteer. This is achieved by making the information available and by using a checkbox to facilitate and demonstrate explicit consent to data processing.

In the case where the data subject does not provide his/her e-mail address electronically but on paper, the paper will contain the information on the processing of the data, to which the data subject consents by filling in the data collection form.

In all cases, the Company classifies the sending of newsletters as a separate data processing purpose and does not combine it with other purposes, such as the use of the service. Therefore, in all cases, the data subject will be informed separately of any different purposes, such as the use of the service and the consent to the sending of the newsletter, where the data may be provided via a single data collection interface (paper or online).

We use your: (i) first name, (ii) last name, (iii) email address, (iv) telephone number and (v) address to send you emails, SMS messages, or postal mailings and/or notifications about our newsletters and/or flyers, information about our discounts, updates, changes and offers, and other marketing materials.

We process this personal data with your consent, the legal basis for which is Article 6(1)(a) of the GDPR.

The user of the e-mail address concerned may unsubscribe directly from the newsletter at any time, free of charge.

The Company reserves the right, however, to send a request to an e-mail address that is not personal data. In this case, the following information will be sent in your newsletter:

„The e-mail address to which this newsletter is sent is taken from the public register, where it is indicated as the electronic contact details of the company. The information relating to the representation of the company is therefore not personal data, even if it (also) contains the name of the owner or representative of the company. Since, pursuant to Article 6(1) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising Activities, no prior consent is required for direct advertising contact using electronic mail or other equivalent means of communication in relation to the above data. However, if you do not wish to receive any further correspondence from our company, please click here to unsubscribe.”

The Company will create a „Robinson list” of opt-out mailings, in which it will build a separate database of email addresses whose users have requested to unsubscribe from these communications. However, since such e-mail addresses are not considered as personal data as previously, the „Robinson list” thus created does not constitute processing within the scope of this Policy.

For the data management in this area, the data management registration number previously notified by the Company and registered by the NAIH: NAIH-88006/2015

the purpose of the processing: communicating through marketing communication channels by sending newsletters to subscribing email addresses

the scope of the data processed: name (first and last name), e-mail address of the data subject

the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR

the deadline for data storage: until the end of the operation of the newsletter service, but if the data subject requests the deletion of his/her data (unsubscribes from the newsletter), immediately after the deletion request

how the data is stored: electronic

On behalf of Premium Sport Ltd (hereinafter referred to as the Company or the Data Controller), we inform you that in the context of the provision of our services, we process your personal data as follows:

5. Data processing in the course of the Company's operations

5.1. Processing of data related to service activities

The Company shall notify the customer of the arrival of products ordered in the Company's shops at the customer's request.

the processing registration number: with the application of the GDPR, the NAIH's record-keeping of data management processes ceased to exist and was replaced by the obligation to keep records within the data controller's own organisation

the purpose of the processing: contact information about the arrival of the product ordered by the buyer

the scope of the data processed: name, telephone number, e-mail address

the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR

the deadline for data storage: 90 days from the date of recording

how the data is stored: electronically

With regard to the data appearing on the invoices issued by the Company, the Company shall act as follows:

the processing registration number: with the application of the GDPR, the NAIH's record-keeping of data management processes ceased to exist and was replaced by the obligation to keep records within the data controller's own organisation

the purpose of the processing: invoicing

the scope of the data processed: name, address, tax number

the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR

the deadline for data storage: According to Act C of 2000 8 years

how the data is stored: electronic and paper-based

Products ordered through the webshop are delivered by an external service provider on a contract basis.

the recipient of the transfer: GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (2351 Alsónémedi, GLS Európa u. 2.)

the legal basis for the transfer: the data subject's consent pursuant to Article 6(1)(a) of the GDPR

the scope of the data transmitted: name, address, telephone number, e-mail address

5.2. Data management in relation to arrears management

The Company's arrears are managed by its own staff. The Company sends payment reminders to the persons concerned who are in arrears.

the purpose of the processing: the processing of data of data subjects in arrears for the purposes of arrears management

the scope of the data processed: name, address, telephone number of the person in arrears

the legal basis for processing: legitimate interests of the company within the meaning of Article 6(1)(f) of the GDPR the deadline for data storage: settlement of the arrears or limitation period for civil claims relating to the arrears (5 years)

method of data storage: electronic

5.3. Complaint handling data management

In connection with the Company's service activities, data subjects have the possibility to lodge complaints. Complaints can be made in person, online, by post, by telephone or by e-mail.

Oral complaints will be promptly investigated by the Company and remedied as necessary. If the customer does not agree with the handling of the complaint or if it is not possible to investigate the complaint immediately, a record of the complaint will be made, a copy of which will be given to the customer.

The record of the complaint includes the following:

the name of the customer;
the customer's address, registered office and, where applicable, postal address;
where, when and how the complaint was lodged;
a detailed description of the customer's complaint, with a separate record of the objections raised in the complaint, in order to ensure that all the objections contained in the customer's complaint are fully investigated;
a list of documents, records and other evidence produced by the client;
the signatures of the person who took the minutes and the client (the latter is required in the case of an oral complaint made in person);
the place and time of recording of the minutes.

The tasks of the Consumer Protection Officer are carried out by the Company's own employees.

the purpose of the processing: receiving complaints from guests, dealing with service-related complaints

the scope of the data processed: the name of the customer, the customer's address/place of residence, postal address, telephone number, method of notification, the service complained about, the description of the complaint, the reason for the complaint, the complainant's claim, copies of documents in the customer's possession which are not available at the Company, other data necessary to investigate and respond to the complaint

the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR and Article 17/A(6)-(7) of Act CLV of 1997 on Consumer Protection

the deadline for data storage: the Company must keep the record of the complaint and a copy of the reply for 5 years and present it to the supervisory authorities upon request [Consumer Protection Act, Article 17/A (7)]

data storage method: electronic and paper-based

5.4. Data processing in relation to the loyalty card

The Company provides a loyalty card for its customers. The loyalty card enables customers to benefit from discounts.

The data management in this area is based on the data management registration number previously notified by the Company and registered by the NAIH: NAIH-90951/2015

the purpose of the processing: loyalty card insurance

the scope of the data processed: name, address, telephone number

the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR

the deadline for data storage: until the data subject's request for erasure

how the data is stored: on paper and electronically

6. Issues not covered by this leaflet

For matters not covered by this notice, the rules of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) apply.