PRIVACY POLICY


Nonplusz Fashion Ltd. (hereinafter referred to as the "Data Controller"), as the operator of the website available under the domain name www.nonplusz.com (hereinafter referred to as the "Website") hereby publishes information on the data processing carried out in the context of the services available on the Website.

Users visiting the Website (hereinafter referred to as the "User") accept all the terms and conditions set out in this Privacy Policy (hereinafter referred to as the "Policy"), and are therefore kindly requested to read this Policy carefully before using the Website.

1. Data of the Data Controller

The data controller is Nonplusz Fashion Kft.

1087 Budapest, Százados út 3-13.

Represented by Sarolta Kiss, Managing Director

E-mail address: info@nonplusz.hu

2. Scope of the data processed

During registration

In order to be able to use the services of the Website, in particular to make purchases in the online shop, the User has the possibility to register on the Website. To do so, the following personal data must be provided:

-full name*;
-e-mail address*;
-personal details.

User account

After registration, the system will create a User Account for you, which will contain the following information:

-the data provided by the User during registration,
-details of the User's previous purchases.

When using the User Account, the User has the possibility to track his/her orders, enter the data required for the purchase, and modify the data provided.

When shopping in the online shop

If the User selects a product on the Website, he/she has the possibility to enter his/her data in the shopping interface in order to allow the Data Controller to fulfil his/her order. During the purchase, the following personal data are required (data marked with * are mandatory):

-full name*;
-delivery address (country, city, street, house number, postal code)*;
-e-mail address*;
-billing address (if different from the delivery address)*;
-telephone number*;
-note;
-coupon code;
-payment method*.

The Data Controller declares that in the case of payment by credit card, it does not process, collect, store or access in any way any card data necessary for the payment transaction. The Data Controller declares that it shall not be liable for the lawfulness of the processing of transaction data and credit card data by OTP Mobil Kft. (1093 Budapest, Közraktár utca 30-32.; ugyfelszolgalat@simple.hu; +36 1/20/30/70 3-666-611; hereinafter referred to as the "Service Provider"), which provides the credit card payment service. The User may obtain information about the Service Provider's data processing from the Service Provider's website or other contact details. OTP Mobil Kft.'s policy on data processing is available at the following link: http://simplepay.hu/vasarlo-aff.

Newsletter

During the purchase in the webshop, the User has the possibility to subscribe to the newsletter of the Data Controller, in the course of which the Data Controller uses the following personal data:

-full name*;
-e-mail address*.

During complaint handling

In case of a written complaint:
-name;
-mailing address or e-mail address;
-subject and content of the complaint.

In the case of a verbal complaint or, in the case of a telephone complaint, if the complaint is not immediately resolved, the Data Controller will keep a record of the complaint, which will include the following information:
-name;
-address;
-place, time, manner, subject and content of the complaint;
-unique identification number of the complaint.

Only persons aged 18 or over are entitled to submit data on the Website.

3. Purpose and duration of processing

The Data Controller uses the data for the following purposes:

-During the registration on the Website and the use of the Website (ordering): the purpose of the processing is to provide the services of the Website and the online store available on the Website, such as the registration and performance of the contract for the purchase, the delivery of the purchased products, and contact with the Users in connection with the purchase.

-In case of creation of a User Account: management, modification, deletion of the data stored in the User Account, purchases, use of the data to facilitate the ordering on the Website.

-In case of subscribing to a newsletter: sending an electronic newsletter or advertising message about offers, services, actions, promotions related to the Data Controller and its activities to the e-mail address provided by the User (hereinafter jointly referred to as the Newsletter).

-In the case of complaint handling: the purpose of data processing is to handle complaints received by the Data Controller orally, by telephone, in writing and by e-mail, to document the identity of the User, the exact time of the complaint and the content of the complaint, as well as the information provided by the Data Controller regarding the complaint, for the purpose of retrieval.

4. Duration of processing

The Data Controller shall process personal data for the duration of the purpose of processing, such as in the case of registration, sending newsletters, until the User requests the deletion of his/her data or withdraws his/her consent to the processing of his/her personal data.

In the case of purchases made in the online store available on the Website, the necessary data for the enforcement of claims and rights arising from the contract between the User and the Data Controller shall be processed for 5 (five) years after the purchase, in accordance with Section 6:22 of Act V of 2013 on the Civil Code. In addition, in order to fulfil the retention obligation of the Data Controller, the Data Controller shall retain the name and address of the User on the accounting voucher for 8 years, solely for the purpose of fulfilling the accounting obligation, pursuant to Article 169 of Act C on Accounting (hereinafter referred to as the Accounting Act).

In the case of complaint handling, the Data Controller shall keep the minutes of the oral complaint, the written complaint and the response thereto for 5 (five) years pursuant to Article 17/B of Act CLV of 1997 on Consumer Protection.

Personal data shall be deleted immediately upon the termination of the purpose of processing or upon the User's request, except for the data that the Data Controller is obliged to keep for the period specified in the legislation imposing mandatory data processing.

5. Legal basis for processing personal data

By registering and subscribing to the Newsletter, Users consent to the Controller processing their personal data as described in this Notice. The processing of personal data is based on the User's voluntary consent given in the light of this information.

The legal basis for the processing of personal data processed in the course of ordering or purchasing on the Website is the performance of the contract concluded between the User and the Data Controller, the enforcement of rights and obligations arising from the contract pursuant to Article 6 (1) (e) of the GDPR. The legal basis for the processing of accounting documents is the statutory provision imposing mandatory data processing, i.e. Section 169 of the Accounting Act.

In the case of complaint handling, the legal basis for data processing is Article 17/B of Act CLV of 1997 on Consumer Protection.

Users may only provide their own personal data on the Website. If they do not provide their own personal data, the data provider is obliged to obtain the consent of the data subject.

6. Scope of persons entitled to access personal data, data processing

The Data Controller and its Data Processors are entitled to access personal data in accordance with the applicable legislation.

The data are processed by the following processor acting on behalf of the Data Controller:

Shopify International Limited
2nd Floor 1-2 Victoria Buildings Haddington Road Dublin 4, D04 XN32, Ireland

Purpose of processing: to operate the webshop software

The Data Controller reserves the right to involve additional processors in the future, which will be notified to Users by means of an amendment to this Policy.

In the absence of an express legal provision, the Data Controller shall only transfer to third parties personally identifiable data with the express consent of the User concerned.

7. Rights of the User

Access to personal data

The Data Controller shall, upon the User's request, inform the User whether the Data Controller is processing his/her personal data and, if so, provide access to the personal data and inform the User of the following information:

-the purpose(s) of the processing;
-the purposes for which the personal data are being processed;
-if the User's personal data are transferred, the legal basis and the recipient(s) of the transfer;
-the intended duration of the processing;
-the rights of the User in relation to the rectification, erasure and restriction of processing of personal data and to object to the processing of personal data;
-the possibility of recourse to the Authority;
-the source of the data;
-relevant information on profiling;
-the names, addresses and activities of data processors in relation to the processing.

The Data Controller shall provide the User with a copy of the personal data subject to processing free of charge. For additional copies requested by the User, the Controller may charge a reasonable fee based on administrative costs. If the User has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.

The controller shall provide the information in an intelligible form at the request of the User without undue delay and at the latest within one month of the request. The User may submit a request for access using the contact details specified in point 1.

Correction of processed data

The User may request the Controller (using the contact details specified in point 1) to correct inaccurate personal data or to complete incomplete data, taking into account the purpose of the processing. The Controller shall carry out the rectification without undue delay.

Erasure (right to be forgotten), blocking of processed data

The User may request that the Controller erase personal data relating to him/her without undue delay and the Controller shall be obliged to erase personal data relating to the data subject without undue delay if one of the following grounds applies:

(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

(b) the User withdraws his or her consent and there is no other legal basis for the processing;

(c) the User objects to the processing of his or her personal data;

(d) the processing of the personal data is unlawful;

(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

(f) the personal data were collected on the basis of consent in connection with the provision of information society services to children.

If the Controller has disclosed (made available to third parties) the personal data and is obliged to delete it on the basis of the above, it shall take reasonable steps and measures, taking into account the available technology and the cost of implementation, to inform the controllers of the personal data concerned that the User has requested them to delete the links to or copies of the personal data in question.

The personal data need not be deleted where the processing is necessary:

-for the purpose of exercising the right to freedom of expression and information;

-for the purpose of fulfilling the obligation under the EU or Member State law applicable to the data controller requiring the processing of personal data, or for the execution of a task performed in the public interest or in the context of the exercise of public authority conferred on the data controller;

-on the basis of public interest in the field of public health;

-for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, if the right to erasure would likely make this data management impossible or seriously jeopardize it;

-for the presentation, enforcement and defense of legal claims.

Limitation of data management

The User has the right to request that the Data Controller limit the processing of personal data instead of correcting or deleting it, if one of the following conditions is met:

-the User disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the data manager to check the accuracy of the personal data;

-the data management is illegal and the User opposes the deletion of the data and instead requests the restriction of their use;

-the Data Controller no longer needs the personal data for the purpose of data management, but the User requires them to present, enforce or defend legal claims;

-the User objected to data management; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

If data management is subject to restrictions, such personal data may only be processed with the consent of the User, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the Union or a member state.

The Data Controller informs the User, at whose request the data processing was restricted, of the lifting of the data processing restriction in advance.

Notification obligation related to the correction or deletion of personal data or the limitation of data management

The Data Controller informs all recipients to whom the personal data was communicated of the correction, deletion or restriction of the personal data, unless this proves to be impossible or requires a disproportionately large effort. Upon the User's request, the Data Controller will inform the User about these recipients.

Right to object

The User may object to the processing of his personal data if the data processing:

-is in the public interest or necessary for the execution of a task performed in the context of the exercise of public authority granted to the Data Controller;
-is necessary to assert the legitimate interests of the Data Controller or a third party;
-is based on profiling.

In the event of the User's objection, the Data Controller may no longer process the personal data, unless it proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the User, or that are related to the presentation, enforcement or defense of legal claims.

If personal data is processed for the purpose of direct business acquisition or related profiling, the User has the right to object at any time to the processing of his/her personal data for this purpose. If the User objects to the processing of personal data for the purpose of direct business acquisition, then the personal data may no longer be processed for this purpose.

Data controller action in connection with the User's request

The Data Controller shall inform the User without undue delay, but at the latest within one month of the receipt of the request, of the measures taken following the request for access, correction, deletion, restriction, objection, and data portability. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The Data Controller shall inform the User of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request. If the User submitted the request electronically, the information must be provided electronically, if possible, unless the data subject requests otherwise.

If the Data Controller does not take measures following the User's request, it shall inform the User without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, as well as of the fact that the User may file a complaint with a supervisory authority and exercise his right to judicial redress.

In the case of the User's request, the information and the action taken based on the request must be provided free of charge. If the User's request is clearly unfounded or - especially due to its repetitive nature - excessive, the Data Controller, taking into account the administrative costs associated with providing the requested information or taking the requested action, may charge a reasonable fee or refuse to take action based on the request. It is the responsibility of the Data Controller to prove that the request is clearly unfounded or excessive.

8. Data security

The Data Controller undertakes to ensure the security of the data, to take the technical and organizational measures and to establish the procedural rules that ensure that the recorded, stored and managed data are protected, as well as to prevent their destruction and unauthorized use and unauthorized alteration. It also undertakes to call on all third parties to whom the data is forwarded or transferred based on the consent of the Users to comply with the requirement of data security.

The Data Controller ensures that no unauthorized person can access, disclose, forward, modify, or delete the processed data. The managed data can only be seen by the Data Controller, its employees, or the Data Processor used by the Data Controller, and the Data Controller will not pass them on to third parties who do not have the right to access the data.

The Data Controller will do everything possible to ensure that the data is not accidentally damaged or destroyed. The Data Controller requires the above commitment of its employees participating in data management activities.

The User acknowledges and accepts that in the case of entering personal data on the Website - despite the fact that the Data Controller has modern security tools to prevent unauthorized access to the data or their investigation - the protection of the data cannot be fully guaranteed on the Internet. In the event of unauthorized access or knowledge of data despite our efforts, the Data Controller is not responsible for this type of data acquisition or unauthorized access or for any damage caused to the User as a result of these reasons. In addition, the User may also provide his personal data to third parties, who may use it for illegal purposes or in a way.

9. Management and reporting of data protection incidents

A data protection incident is any event that involves the unlawful handling or processing of personal data managed, forwarded, stored or processed by the Data Controller, including, in particular, unauthorized or accidental access, alteration, communication, deletion, loss or destruction, as well as accidental destruction or damage.

The Data Controller is obliged to report the data protection incident to the NAIH without undue delay, but no later than 72 hours after becoming aware of the data protection incident, unless the Data Controller can prove that the data protection incident is not likely to pose a risk to the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, the reason for the delay must be indicated, and the required information can be provided in detail without further undue delay. The notification to the NAIH shall contain at least the following information:

-the nature of the data protection incident, the number and category of data subjects and personal data;
-name and contact information of the Data Controller;
-likely consequences of the data protection incident;
-the measures taken or planned to manage, prevent, remedy the data protection incident.

The Data Controller informs the data subjects about the data protection incident via the Data Controller's website within 72 hours after the detection of the data protection incident. The information must contain at least the data specified in this section.

The Data Controller keeps a record of data protection incidents for the purpose of checking the measures related to the data protection incident and informing the affected parties. The register contains the following data:

-scope of personal data concerned;
-scope and number of data subjects concerned;
-the date of the data protection incident;
-the circumstances and effects of the data protection incident;
-measures taken to prevent the data protection incident.

The data in the register is kept by the Data Controller for 5 years from the date of detection of the data protection incident.

10. Enforcement options

The Data Controller will do everything possible to ensure that personal data is handled in accordance with the law; however, if the User feels that this has not been complied with, he has the option to write to the contact details indicated in point 1.

If the User feels that his right to the protection of personal data has been violated, he can seek legal redress from the competent authorities according to the applicable laws.

-National Data Protection and Freedom of Information Authority (address: 1055 Budapest, Falk Miksa utca 9-11; ugyfelszolgalat@naih.hu; www.naih.hu)
-at court.

11. Other provisions

This Information is governed by Hungarian law, especially the provisions of Act CXII of 2011 on the right to self-determination of information and freedom of information, and Regulation (EU) 2016/679 of the European Parliament and the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, as well as on the repeal of Regulation 95/46/EC.

Budapest, 16.12.2020.

Nonplusz Fashion Kft.

Data controller