Privacy notice

Privacy notice

  1. Data processing

The webshop, available at https://polczfood.com/, is hosted by

POLCZ FOOD Limited Liability Company

Abbreviated name: POLCZ FOOD Kft.

Company registration number: 10-09-038879

Tax number: 26186304-2-10

Registered office: 3000 Hatvan, Hungary, hrsz. 759/9.

Postal address: Hungary, 3000 Hatvan, hrsz. 759/9.

Phone: +36 30 655 9795 (in English)

E-mail address: support@polczfood.com

Website: https://polczfood.com/

(hereinafter referred to as the "Data Controller").

  • Athe law applicable to data processing, the scope of this notice
  •  The above Data Processing (hereinafter referred to as the "Data Processing"), which operates the website (hereinafter referred to as the "Website") available at the above Internet address, provides its services from Hungary. Accordingly, the provision of the service and the Users' use of the service (including the processing of data) are governed by Hungarian and European law. The Data Processing shall primarily process the Users' data

- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (The EU General Data Protection Regulation), (hereinafter referred to as GDPR),

- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Act on electronic commerce services),

- Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Economic Advertising Activities

in accordance with the provisions of.

  • This notice applies to the processing of data in the course of using the website https://polczfood.com/ (hereinafter referred to as "the website"), using the services available there and fulfilling orders placed in the online store.
  • For the purposes of this notice, User means: the natural persons browsing the website or using the services and functions of the website who are concerned by the processing.
  • Data processing related to the provision of an information technology service
  • The Data Processing uses cookies to operate the website and to collect technical data about visitors to the website.
  • The data processing provides a separate information notice on the data management implemented by cookies: information notice on the use of cookies.
  • Data processing related to the receipt and reply to a message
  • Data subjects: users sending messages to the Data Processing by e-mail using the e-mail address(es) indicated on the website.
  • Legal basis for processing: consent of the User pursuant to Article 6(1)(a) of the GDPR. The User gives his consent by sending the e-mail message.

The User has the right to withdraw his/her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out prior to the withdrawal. If the User withdraws his/her consent before replying to the message, the Data Processing will not continue the exchange of messages, will not reply to the questions previously asked, as it will have to delete the data processed on the basis of the consent.

  • Scope of data processed:

The User sending the message:

- name,

- your e-mail address,

- the content of the message.

  • Purpose of processing: to enable the User to exchange messages with the Data Processing.
  • Duration of data processing: if the exchange of messages does not lead to the conclusion of a contract, it lasts until the message is answered or the User's request is fulfilled. The Data Processing shall delete the data processed for this purpose after the message has been replied to/ the request has been fulfilled. If the exchange of information takes place by means of several messages on related subjects, the Data Processing shall delete the data after the end of the exchange of information or after the fulfilment of the request.

If a contract is concluded as a result of the exchange of messages and the content of the messages is relevant to the contract, the legal basis and duration of the processing are as described in points 7 and 8 (processing in connection with an order).

  • Method of storage of the data: in a separate file in the IT system of the Data Processing.
  • Processing of data related to the sending of newsletters
  • The data subject: the User who subscribes to the newsletter by ticking the box on the website for consent to subscribe to the newsletter.
  • Legal basis for data processing: pursuant to Article 6 (1) (a) of the GDPR, subject to Art. 6 (1) and (2), the consent of the User. Voluntary consent is given by the User by ticking the checkbox in front of the subscription declaration after filling in the fields for subscribing to the newsletter.

The User has the right to withdraw his/her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out prior to the withdrawal.

In addition to sending useful information, the newsletter service also aims at direct marketing by the Data Processing. The User may subscribe to this service independently of the use of other services. The use of this service is voluntary and based on the User's decision, after having been duly informed. The User's non-use of the newsletter service does not imply any disadvantage for him/her in using the website and its other services. The Data Processing does not make the use of its direct marketing service a condition for the use of any of its other services.

  • Scope of data processed:

to send newsletters to the User:

- your e-mail address,

to register the consent given online:

- IP address of the device used when subscribing,

- date of subscription.

  • Purpose of processing: sending newsletters by the Data Controller to the User by e-mail. The sending of newsletters means sending information about the Controller's services, news and updates, attention-grabbing offers, advertising and promotional content.
  • Duration of data processing: the Data Controller processes the data processed for the purpose of sending the newsletter until the User's consent is withdrawn (unsubscribe) or until the data is deleted at the User's request.
  • Method of storage of the data: in a separate file in the IT system of the Data Processing.
  • Data processing related to registration
  • Data subjects concerned: users who register on the website.
  • Legal basis for processing: consent of the User pursuant to Article 6(1)(a) of the GDPR. Voluntary consent is given by the User during the ordering process by ticking the checkbox in front of the declaration to create a user account and finally by placing the order.
  • Scope of data processed:

to register, please enter the username of the User:
,

- your e-mail address,

- password,

to register the consent given online:

- IP address of the device used at the time of registration,

- registration date.

Passwords are stored in the Data Controller's system using encryption, as a result of which the Data Controller does not know the User's password.

  • Purpose of the processing: to facilitate registration on the website, regular purchases.
  • Duration of data processing: for registered Users, the duration of data processing lasts until the deletion of the data at the request of the registered User. The processing may also cease upon the deletion of the User's registration by the Data Controller. The User may at any time delete his/her registration or request the Data Controller to delete it, which request shall be executed by the Data Controller without delay, but no later than 10 working days after receipt of the request.
  • Method of storage of the data: in a separate file in the IT system of the Data Processing.
  • Data processing related to orders placed by consumers
  • Data subjects concerned: natural persons (consumers) who place orders on the website.
  • Legal basis for processing: article 6(1)(b) of the GDPR, which states that processing is necessary for the performance of a contract to which the User is a party.
  • Scope of data processed: the processing concerns the following personal data and contact details.

User:
- last name,
- first name,

- billing address,

- delivery address,
- telephone number,
- e-mail address,
- product(s) ordered,
- purchase price of the product(s) ordered,
- pick-up/delivery method,
- payment method,
- other information that the User may provide at the time of ordering, which is necessary to complete the order,
- date of order,

- coupon code (if available),
- date of payment.

  • The purpose of the processing: the conclusion and performance of the contract resulting from the order.
  • Duration of data processing: the Data Controller processes the data on the basis of its legitimate economic interest until the expiry of the limitation period for claims arising from the contractual relationship, which is normally 5 years from the date on which the claim becomes due. Any interruption of the limitation period shall extend the period of processing until the new date on which the limitation period starts to run.   

The processing of the data necessary for the delivery of the goods required to fulfil the order (name, address, telephone number of the customer, data relating to the delivery of the goods ordered and the payment of the price in the case of cash on delivery) for this purpose lasts until the delivery is completed. When transmitting the data necessary for the performance of the delivery to the carrier, the Data Controller shall apply a data processing restriction, whereby the carrier may process the transmitted data only to the extent and for the duration necessary for the performance of the delivery in the interest of the Data Controller.  

However, it is in the legitimate interest of the transporting company to keep all or part of the above data in case of complaints, claims or civil disputes. However, this is already done as a separate data controller, for more information, please refer to the data management information of the respective service provider. Such service providers used by the Data Controller can be found in the section of this notice entitled "Use of a Data Processor", where the contact details of their website containing their privacy policy are also indicated.  

The Data Controller shall keep the accounting documents issued in connection with the order for the period necessary to fulfil the obligation to keep the documents as required by the Accounting Act, in accordance with Chapter 11.

  • Method of storage of data: in a separate file in the IT system of the Data Processing and on accounting vouchers for the purpose of the proper accounting in order to fulfil the obligation to keep records required by the Act on Accounting.
  • Consequences of non-supply of data: the provision of the data necessary for the fulfilment of the order by the User placing the order is a prerequisite for the conclusion of the contract. If the User wishes to place an order, he is obliged to provide the above data. In case of failure to provide the data, the Data Controller cannot fulfil the order.
  • Processing of data of a natural person acting on behalf of a farmer organisation
  • The data subjects concerned by the processing are: the natural person User (or "Representative") acting on behalf of a business entity that has established a relationship with the Data Controller on the Website or ordered a product.
  • Legal basis for processing: the legitimate interest of the organisation represented by the User (hereinafter referred to as the "Management Entity") pursuant to Article 6(1)(f) of the GDPR.

It is in the legitimate interest of the Management Entity that contacts the Data Controller to enable the exchange of information prior to placing an order and to conclude and perform a contract in accordance with its interests. It can do all this through its natural person Representative.

The Data Controller shall process the data of the Representative only in the context of the administration, contact and performance of the contract with the organisation represented by the Representative, to the extent and for the duration necessary for this purpose, and shall limit the scope of the data to the necessary data.

The exchange of information necessary for maintaining contact, placing orders and fulfilling contracts cannot be carried out without processing the data of the Representative, so data processing is essential for the enforcement of the legitimate interests of the Management Entity.

Separate documentation on the interest assessment has been prepared, the availability of which is available from the Data Controller.

  • Scope of data processed:

The Rep:

- surname,

- first name,

- your e-mail address,

- phone number,

In addition, if ordered:

the company represented:

- the way it works,

- name,

- postacíme,

- billing address,

- tax number, Community tax number,

- company registration number.

and the details of the purchase:

- the product(s) ordered,

- the purchase price of the product(s) ordered,

- method of receipt/delivery,

- payment method,

- any other information provided by the User at the time of ordering, which may be necessary to fulfil the order,

- order date,

- payment date.

  • The source of the data: by default, the User. In case the Representative indicated in the contact or order process does not provide his/her data himself/herself, but someone else from the Host Organisation provides his/her data, the source of the data is the Host Organisation. In such cases, the Data Controller also receives the data of the Representative in the legitimate interest of the Management Entity. It is the obligation of the Management Entity to inform the Representative of the processing it carries out; of the provision of the Representative's data to the Data Controller.
  • The purpose of the processing is: the implementation of the contact and the conclusion and performance of the contract between the Data Controller and the Management Entity following the order.
  • Duration of data processing: in the case of an exchange of messages, if it does not lead to the conclusion of a contract, it lasts until the message is answered or the request of the Management Entity is fulfilled. The Data Controller shall then delete the data processed for this purpose.

In the case of an order or if a contract is concluded as a result of an exchange of messages, the Data Controller processes the data on the basis of its legitimate economic interest until the expiry of the limitation period for claims arising from the contractual relationship, which is normally 5 years from the date on which the claim becomes due. Any interruption of the limitation period shall extend the period of processing until the new date on which the limitation period starts to run.

The Data Controller shall keep the accounting documents issued in connection with the contract for the period necessary to fulfil the obligation to keep the documents as required by the Accounting Act, in accordance with Chapter 11.

  • Method of storage of data: in a separate file in the IT system of the Data Controller or, in the case of contracting, in accounting documents necessary for the proper accounting in order to fulfil the obligation to keep the accounting documents required by the Act on Accounting.
  • Consequences of failure to provide data: the provision of the data necessary for the fulfilment of the order or for the maintenance of contact by the Representative is a prerequisite for the conclusion of the contract or for the effective maintenance of contact. If the Representative wishes to place an order or exchange information with the Data Controller, he/she is obliged to provide the above data as requested. In the event of failure to provide the data, the Data Controller will not be able to fulfil the order or answer the Representative's questions.
  • Data processing related to product evaluation
  • The User can evaluate the products sold in the online store by clicking on the "Reviews" button on the product data sheet. The User may publish his/her reviews in text form and in the form of a number of stars and points.
  • The reviews posted on the site, as well as the names given by the reviewing Users, are displayed in a way visible to all visitors to the site.
  • Information on the processing of data published in User reviews:
  • Data subjects concerned: users who post reviews on the website.
  • Legal basis for processing: consent of the User pursuant to Article 6(1)(a) of the GDPR. By ticking the privacy statement before submitting a post and by submitting the post, the User consents to the processing and publication of the data he/she has provided in his/her post.

The User has the right to withdraw his/her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out prior to the withdrawal.

  • Scope of the data concerned: the User's ratings can be seen by other users after they are published in such a way that the name given by the User who published the given comment or post can be identified, the data published in his/her comment or post can be identified, thus the User's identity can also be identified.
  • Purpose of data processing: to enable product evaluation for Users.
  • Duration of data processing: the duration of the processing of data on the website in the above form lasts until the deletion of the User who has posted a comment on the website, upon request. The processing may also cease when the User's post is deleted by the Controller. The User may request the deletion of his/her postings by the Data Controller at any time, which request shall be executed by the Data Controller without delay.
  • How the data are stored: in the Data Controller's IT system, displayed on the website.
  1. Data processing related to refunds
  1. In the case of a refund, if the User has paid by online credit card or other online payment service, the amount paid by the User will be refunded via the payment service provider used. If the User has paid by bank transfer or requests a refund in this way, the Data Controller will refund the amount to the User.
  1. The data subjects concerned by the processing: the User placing the order concerned by the cashback.
  1. Legal basis for processing: to comply with a legal obligation to which the Data Controller is subject pursuant to Article 6(1)(c) of the GDPR. 
  1. Scope of data processed: 

- order identification number,

- amount to be refunded,

- the title of the refund,

- User name,

- if the User paid by bank transfer or requested a refund by transfer to his/her bank account, the bank account number.

  1. Purpose of data processing: in the case of exercising the right of warranty, right of withdrawal, right of guarantee, depending on the title of the refund, the provisions of Act V of 2013 on the Civil Code and Act 45/2014. (26.II.) of the Government Regulation No.
  1. Duration of processing: the Data Processing processes the data on the basis of its legitimate economic interest until the expiry of the limitation period for refund claims, which is normally 5 years from the date on which the claim becomes due. Any interruption of the limitation period shall extend the period of processing until the new date on which the limitation period starts to run.  

The Data Controller shall keep the accounting documents issued in connection with an order in connection with a refund for the time necessary to fulfil the obligation to keep the documents as required by the Accounting Act, in accordance with Chapter 11.

  1. Method of storage of data: in a separate file in the IT system of the Data Processing and on accounting vouchers for the purpose of the proper accounting in order to fulfil the obligation to keep records required by the Act on Accounting.
  1. Data management related to the retention of accounting records
  1. Data subjects concerned: users placing an order on the website.
  1. Legal basis for processing: to comply with a legal obligation to which the Data Controller is subject pursuant to Article 6(1)(c) of the GDPR. 
  1. Scope of data processed:

The User:

- surname,

- first name,

- billing address,

- delivery address,

- phone number,

- your e-mail address,

- the goods(s) ordered,

- the purchase price of the goods(s) ordered,

- method of receipt/delivery,

- payment method,

- any other information provided by the User at the time of ordering, which may be necessary to fulfil the order,

- order date,

- payment date.

  1. The purpose of data processing: to comply with the obligations to issue invoices and keep accounting documents as defined in Section 169 of the VAT Act and Section 169 (2) of the Accounting Act.
  1. Duration of data processing: the Data Controller processes the above data for the period necessary to fulfil the obligation to keep records required by the Accounting Act. This period shall be at least 8 years from the date of issue of the voucher in accordance with the Accounting Act, after which the Data Controller shall delete the data within one year. This includes, in particular, the data contained in invoices (name, address of the customer, data relating to the product ordered and the payment of the price), and other data contained in orders and confirmations as part of the contractual documentation, which also fall within the scope of the accounting document.
  1. Method of storage of data: in a separate file in the IT system of the Data Processing and on accounting vouchers for the purpose of the proper accounting in order to fulfil the obligation to keep records required by the Act on Accounting.
  1. Processing of consumer complaints
  1. Data subjects concerned by the processing: users who report consumer complaints.
  1. Legal basis for processing: the legal basis for processing is the processing necessary to comply with a legal obligation pursuant to Article 6 (1) (c) of the GDPR; the fulfilment of the legal obligations of the Data Controller in relation to the handling of complaints, as set out in Section 17/A of the Act on the Protection of Personal Data.
  1. Scope of data processed:

The complaining User:

- surname,

- first name,

- your address,

- where, when and how to lodge a complaint,

- a detailed description of your complaint,

- the information provided by the User in the complaint; any personal data that the User brings to the attention of the Data Controller in connection with the complaint,

- personal data contained in documents, records and other evidence that the User may provide,

- where and when the record of the complaint was made,

- the User's signature in the case of a written complaint,

- in case of a complaint sent by e-mail, the User's e-mail address,

- in the case of a verbal complaint made by telephone or other electronic communication service, the unique identification number of the complaint and the telephone number of the User,

- the identification of the order or other transaction, if any, that is the subject of the complaint and information about its performance.

Telephone calls are not recorded by the Data Controller.

  1. Source of data: the data is provided by the User to the Data Controller in the complaint. Investigation of the complaint may also require the processing of data relating to the User's previous orders placed with the Data Controller. The Data Controller does not obtain the User's data from any other (external) source.
  1. The purpose of data processing is: to investigate and respond to the complaint submitted by the User; to fulfil the legal obligations of the Data Controller under Article 17/A of the Act.

The purpose of processing the User's personal data is to identify the User, which is necessary to investigate and respond to the User's complaint.

The information containing personal data provided by the User in the complaint, as well as the data of the previous order that may be concerned by the complaint, will be used to investigate and respond to the complaint, if necessary.

The name and address of the User will be used for addressing the postal mailing in case the record of the complaint or the response to the complaint is sent by the Data Controller in writing by post.

Your name and e-mail address may be used to contact you by e-mail (if necessary to investigate the complaint) or to respond to your complaint by e-mail.

  1. Duration of data management: the Data Controller shall keep the record of the complaint, or in the case of a written complaint, the document submitted and the response to the complaint for three years pursuant to paragraph (7) of Article 17/A of the Act on the Protection of the Rights of Persons with Disabilities, and then destroy it.

If the submitted claim does not constitute a complaint, the Data Controller will delete the data after one month from the end of the communication related to the claim.

If the notification does not constitute a complaint, but relates to a specific transaction related to the performance of the Data Controller and has relevant content, the Data Controller shall process the data until the expiry of the limitation period for claims arising from the contractual relationship, which is normally 5 years from the date on which the claim becomes due, after which the data shall be deleted.

  1. Method of storage of the data: in a separate file in the Data Controller's IT system, possibly on paper, depending on the method of referral, in the record of the complaint and in the document containing the response to the complaint.
  1. Data processing in relation to the notification of a complaint
  1. The data subjects concerned by the processing: users who have notified a claim under warranty or guarantee. 
  1. Legal basis for processing: the legal basis for processing is Article 6(1)(c) of the GDPR, which states that processing is necessary for compliance with a legal obligation.
  1. Scope of data processed:

The User:

- surname,

- first name,

- postacíme,

- the place, time and manner of lodging the objection,

- a detailed description of the objection, 

- the data provided by the User in the objection; any personal data that the User brings to the attention of the Data Controller in connection with the objection,

- how to resolve the objection,

- the content of the response to the objection,

- in the event of a refusal to settle the objection, the reasons for the refusal,

- the conclusions that may be drawn from any documents, records and other evidence that the User may produce or provide, and the personal data contained therein,

- in case of an objection sent by e-mail, the User's e-mail address,

- in the case of an oral objection communicated by telephone or other electronic communication service, the unique identification number of the objection report and the telephone number of the User,

- the identification of the order or other transaction to which the objection relates.

Telephone calls are not recorded by the Data Controller.

  1. Source of data: the data is provided by the User to the Data Controller. The Data Controller does not obtain the User's data from any other source.
  1. The purpose of the processing is: to investigate and respond to the User's warranty or guarantee claims; to comply with the provisions of Act V of 2013 on the Civil Code, Act XXIV of 2013 on defective performance. (IV. 29.) NGM Decree No. 19/2014 on the procedural rules for the handling of warranty and guarantee claims for goods sold under a contract between a consumer and a business, and the fulfilment of the legal obligations set out in Chapter XXII of the Civil Code of V V of the Hungarian Civil Code of V of V of the Hungarian Civil Code of V of V of the Hungarian Civil Code of V of V of the Hungarian Civil Code of Consumer Protection, and in Government Decree No. 151/2003 (IX. 22.)
  1. Duration of processing: the data processed in the course of the handling of the objection will be processed by the Data Controller until the expiry of the general limitation period applicable to civil law claims, which is normally 5 years from the end of the handling of the objection.

The interruption of the limitation period extends the period of processing until the new date on which the limitation period starts to run.

  1. The data are stored electronically in a separate file in the Data Controller's IT system or in the paper record of the objection notification.
  1. Data transmission
  1. Data subjects concerned by the transfer: users who pay online on the website.
  1. The recipient of the transfer:

depending on the payment method chosen:

Stripe Payments Europe Ltd.

Company registration number: 513174

Tax number: IE 3206488LH

Registered office: C/O A&L Goodbody, IFSC, North Wall Quay, Dublin 1, Ireland

Postacím: C/O A&L Goodbody, IFSC, North Wall Quay, Dublin 1., Ireland

E-mail: dpo@stripe.com

Website: https://stripe.com/

a company as the provider of an online payment service available on the Controller's website,

and the

Barion Payment Zrt.

Company registration number: 01-10-048552

Tax number: 25353192-2-43

Headquarters: Hungary, 1117 Budapest, Irinyi József utca 4-20. 2. em.

Postal address: Hungary, 1117 Budapest, Irinyi József utca 4-20. 2. em.

Phone: +36 1 464 70 99

E-mail: adatvedelem@barion.com

Website: https://www.barion.com/hu/

a company as the provider of an online payment service available on the Controller's website.

  1. Legal basis for the transfer: legitimate interest of the Recipient pursuant to Article 6(1)(f) of the GDPR.

The Recipient is obliged under the legislation applicable to it to operate a fraud prevention and detection system in connection with the provision of payment services and is entitled to process the personal data necessary for this purpose. The Recipient has established a system in accordance with its legal obligations, the operation of which requires the transfer of data by the Data Processing. Accordingly, it is in the legitimate interest of the Recipient to be able to operate the fraud prevention and detection system in order to fulfil its legal obligation. Legislative provisions referred to which apply to the Recipient:

- Section 165 (5) of Act CCXXXVII of 2013 on Credit Institutions and Financial Undertakings,

- Section 92/A (3) (f) of paragraph (3) of Act CCXXXV of 2013 on certain payment service providers,

- Section 14 (1) v) of Act LXXXV of 2009 on the Provision of Payment Services.

The legitimate interest of the Data Controller and the Recipient is to prevent fraud and ensure the proper functioning of online payments. The main source of revenue for both organisations is linked to the proper functioning of the payment service. It is also in the interest of the User, in particular to avoid misuse of credit card data.

The transmission of data allows fraud to be detected, detected and any obstacles to the payment process to be removed.

The data processed by the User during the ordering process will be transmitted through an electronic channel ensuring encrypted data traffic, exclusively to the Recipient and only in the case of online payment by credit card, which will not be used by the Recipient for any other purpose. It follows from the above that the transmission of data does not entail any significant risk for the Recipient, nor does it have any further appreciable effect on him.

The transfer of data is necessary to achieve the purposes described here and is also suitable to make the payment service more secure.

Taking into account the above and the safeguards in place, the transfer of data does not constitute an unwarranted intrusion into the privacy of Users and is therefore a necessary and proportionate processing operation.

Separate documentation on the interest assessment has been prepared, the availability of which is available from the Data Controller.

  1. Scope of the data transmitted:

- the products placed in the shopping cart and the purchase data (prices, costs) displayed in the cart,

- surname,

- first name,

- phone number,

- e-mail address,

- title,

- unique identifier of the transaction.

The User provides the credit card data provided during the payment directly to the payment service provider, so they are not in the possession of the Data Controller.

  1. The purpose of the data transfer is: the proper operation of the payment service and the technical processing of the payment, the confirmation of transactions, the operation of fraud-monitoring - a fraud detection system supporting the control of banking transactions initiated electronically - in order to protect the interests of users, and the provision of customer service assistance to the User.
  1. Data security: data security is based on the separation of data. The data controller receives the information related to the order from the User, while the payment service provider receives only the credit card data necessary for the payment transaction on the payment page with 128-bit SSL encryption. For payment by credit card, the Internet browser program must support SSL encryption. SSL is an abbreviation for Secure Sockets Layer, an accepted encryption method. The browser program used by the User uses SSL to encrypt the credit card data before it is sent, so that it is encrypted before it reaches the payment service provider and cannot be read by unauthorised persons.
  1. The User can find out more about the data processing carried out by Stripe Payments Europe Ltd. and Barion Payment Zrt. and the further circumstances of data processing - including the legal basis, purpose, exact scope of data processed, duration of data processing - at https://stripe.com/en-hu/privacy/ and https://www.barion.com/hu/adatvedelmi-tajekoztato/.
  1. The Data Controller does not transfer data to third parties for commercial or marketing purposes.
  1. Apart from the above, the Data Controller only transfers data to public authorities in the event of a legal obligation.  

The Data Controller uses the following entities as data processors.

  1. Hosting
  1. Data subjects concerned by the processing: users as defined in this notice.
  1. The Data Controller uses as a data processor

CLOUDWAYS LTD.

Company registration number: C55975

Headquarters:Junction Business Centre, 1st Floor Sqaq Lourdes, St Julians STJ3334, Malta

Postacím: Junction Business Centre, 1st Floor Sqaq Lourdes, St Julians STJ3334, Malta

E-mail address: support@cloudways.com

Website: https://www.cloudways.com/

as a web hosting provider (hereinafter referred to as the "Data Processor").

  1. Scope of the data processed: the processing potentially concerns all the data indicated in this notice, the specific scope of the data being determined by the functions used by the User, as described in the above chapters on specific processing.
  1. The purpose of using a data processor is to ensure the operation of the website in the information technology sense by providing the necessary electronic storage space.
  1. Nature of the processing: it is carried out by electronic means and the processing of the data is limited to the provision of the electronic storage space necessary for the operation of the site in the IT sense.
  1. Website developer
  1. Data subjects concerned by the processing: users as defined in this notice.
  1. The Data Controller uses as a data processor

PixLand Media Korlátolt Felelősségű Társaság

Abbreviated name: PixLand Media Kft.

Company registration number: 13-09-160360

Tax number: 24178600-2-13

Headquarters:Hungary, 2049 Diósd, Diófasor utca 111/A

Postal address: Hungary, 2049 Diósd, Diófasor utca 111/A

as the developer of the website,

and the

Digital Summit Szolgáltató Korlátolt Felelősségű Társaság

Abbreviated name: Digital Summit Kft.

Company registration number: 01-09-381390

Tax number: 29157888-2-42

Headquarters:Hungary, 1157 Budapest, Zsókavár utca 2. 7. floor. door 26.

Postal address: Hungary, 1157 Budapest, Zsókavár utca 2. 7. floor. door 26.

as the developer of the website,

and the

HOV-9 Information Technology and Services Limited Liability Company

Abbreviated name: HOV-9 Ltd.

Company registration number: 13-09-181701

Tax number: 25586749-2-13

Headquarters:Hungary, 2310 Szigetszentmiklós, Kéktó köz 9/B

Postal address: Hungary, 2310 Szigetszentmiklós, Kéktó köz 9/B

as the developer of the website (hereinafter collectively referred to as the "Data Processors").

  1. Scope of data processing: the processing concerns all the data indicated in this notice.
  1. The purpose of using data processors: to ensure the information technology operation of the website.
  1. Nature of the processing: it is carried out electronically, and the processing of the data consists exclusively of the technical operations necessary for the operation of the software of the site in an IT sense.
  1. Processing of data related to the sending of newsletters
  1. Data subjects concerned by the processing: users who subscribe to newsletters on the website, irrespective of their use of other services provided by the website.
  1. The Data Controller uses as a data processor

Sendinblue SAS (Brevo)

Company registration number: 498 019 298

Location: 7 rue de Madrid, 75008 Paris, France

Postal address: 7 rue de Madrid, 75008 Paris, France

Contact: https://www.brevo.com/contact/

Website: https://www.brevo.com/

a company as the developer and maintainer of the newsletter sending software used by the Data Controller (hereinafter referred to as the "Data Processor").

  1. The data subject of the processing: the processing concerns the e-mail address of the User who subscribes to the newsletter.
  1. The purpose of using a data processor: to ensure the operation of the software used by the Data Controller for sending newsletters in the information technology sense, by means of data processing in the technical operations necessary for the secure operation of the software.
  1. Nature of the processing: the processing of the data consists exclusively of the technical operations necessary for the operation of the newsletter sending software in the IT sense.
  1. Data processing related to the provision of electronic mail software and hosting
  1. The data subjects concerned by the processing: the Users identified in this notice, with whom the Data Controller communicates by electronic mail.
  1. The Data Controller uses as a data processor

Microsoft Ireland Operations Limited

Abbreviated name: Microsoft Ireland Ltd.

Company registration number: 256796

Community tax number: IE8256796U

Address: 70 Sir Rogerson's Quay, Dublin 2, D02R296, Ireland

Postacím: One Microsoft Place, South County Business Park,

Leopardstown, Dublin 18, D18 P521, Ireland

Telephone: +353 1 295 3826

Contact: https://www.microsoft.com/hu-hu/concern/privacy

Website: https://www.microsoft.com/hu-hu/

as the hosting provider and software developer for the electronic mail service (hereinafter referred to as the "Data Processor").

  1. The data subject of the processing: firstly, the name and e-mail address of the data subject, and secondly, any additional data sent by the User by electronic mail.
  1. The purpose of using a data processor: to ensure the functioning of electronic mail.
  1. Nature of the processing: during the retention periods, the emails are stored in the software environment and storage provided by the Data Processors, so there is processing during this time.
  1. Data processing related to product delivery
  1. Data subjects concerned by the processing: users who place an order on the website.
  1. The Data Controller uses as a data processor

DPD Hungária Courier, Parcel Delivery Service Provider Limited Liability Company

Short name: DPD Hungária Kft.

Corporate registration number: 01-09-888141

Tax number: 13034283-2-41

Headquarters: Hungary, 1134 Budapest, Váci út 33. Building 2. floor.

Postal address: Hungary, 1134 Budapest, Váci út 33. A épület 2. em.

Telephone: +36 1 501 6200

E-mail: dpd@dpd.hu

Website: https://www.dpd.com/hu/

as the carrier delivering the goods ordered,

(hereinafter referred to as the "Data Processor").

  1. Scope of the data processing: the processing of the following data of the User for the performance of the contract resulting from the User's order (delivery):

- last name,
- first name,
- phone number,

- e-mail address,
- delivery address.

  1. The purpose of using the data processor: to carry out the delivery of the ordered product within the framework of the performance of the contract resulting from the User's order, by delivering it to the address indicated by the User, if necessary by telephone agreement on the place and time of delivery.
  1. Nature of the processing: the processing of the data consists solely of the processing operations necessary for the performance of the delivery and service.
  1. Data processing related to the production of invoices
  1. Data subjects concerned by the processing: users who place an order on the website, regardless of their use of other services provided by the website.
  1. The Data Controller uses as a data processor

Billingo Technologies Private Limited Company

Abbreviated name: Billingo Technologies Zrt.

Company registration number: 01-10-140802

Tax number: 27926309-2-41

Headquarters:Hungary, 1133 Budapest, Árbóc utca 6. I. floor

Postal address: Hungary, 1133 Budapest, Árbóc utca 6.

Phone: +36 1 500 9491

E-mail: hello@billingo.hu

Website: https://www.billingo.hu/   

a company as the developer and maintainer of the billing software used by the Data Controller (hereinafter referred to as the "Data Processor").

  1. The scope of the data processing: the data processing concerns the name and address of the User placing the order, the identification of the ordered item(s), the date of purchase and the receipts containing the purchase price, delivery charges and any other charges.
  1. The purpose of using a data processor is to ensure the use, availability and operation of the software used to issue invoices.
  1. Nature of the processing: the processing of the data consists solely of the technical operations necessary to ensure the availability and IT operation of the software used to issue the invoice.
  1.  Data processing related to accounting services
  1. Data subjects concerned by the processing: the Users who place an order.
  1. The Data Controller uses the following as data processors

Aurum Informatic Technology Korlátolt Felelősségű Társaság

Abbreviated name: Aurum Informatic Technology Kft.

Company registration number: 13-09-185393

Tax number: 25036282-2-13

Registered office: 2162 Őrbottyán, Hungary, Rákóczi Ferenc utca 272.

Postal address: Hungary, 2162 Őrbottyán, Rákóczi Ferenc utca 272.

a company as the accountant of the economic activity of the Data Controller (hereinafter referred to as the " Data Processor").

  1. The scope of the data processing: the data processing concerns the name and address of the User placing the order, the identification of the ordered item(s), the date of purchase and the data contained in the receipts containing the purchase price, delivery charges and any other charges.
  1. The purpose of using the Processor: to fulfil the statutory accounting obligations relating to the economic activity carried out by the Data Controller by using the services of the above Processor.
  1. The nature of the processing: the processing of data means only the operations necessary for the fulfilment and verification of accounting obligations, carried out by the processor by handling paper media and digital data managed in software.
  1. Data processing related to audit services
  1. Data subjects concerned by the processing: the Users who place an order.
  1. The Data Controller uses as a data processor

Focus Audit and Advisory Könyvvizsgáló és Tanácsadó Korlátolt Felelősségű Társaság

Abbreviated name: Focus Audit Kft.

Company registration number: 01-09-341567

Tax number: 12423161-2-41

Headquarters:Hungary, 1139 Budapest, Váci út 87. 2. floor. 20. door

Postal address: Hungary, 1139 Budapest, Váci út 87. 2. floor. door 20.

Phone: +36 20 500 0404

E-mail: kapcsolat@focusaudit.hu

Website: https://focusaudit.hu/

as the auditor of the economic activities of the Data Controller (hereinafter referred to as the "Data Processor").

  1. The scope of the data processing: the data processing concerns the name and address of the User placing the order, the identification of the ordered item(s), the date of purchase and the data contained in the receipts containing the purchase price, delivery charges and any other charges.
  1. The purpose of the processing is: to fulfil the statutory accounting obligations relating to the economic activity carried out by the Data Controller by using the services of the above mentioned Processor.
  1. Nature of the processing: the processing of data consists exclusively of operations necessary for the fulfilment and verification of accounting obligations.
  1. does not use any processor other than the processors identified above and in the "Cookie Information" document.
  1. Data protection, data security
  1. The Data Controller shall ensure the security of data in its data management and processing activities, and shall ensure the enforcement of the law and other data protection and confidentiality rules by technical and organisational measures and internal rules of procedure. In particular, it shall take appropriate measures to protect the processed data against unauthorised access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.
  1. The data on which the measurement of visits and the mapping of website usage patterns are based are initially recorded by the Data Controller's IT system in such a way that they cannot be directly linked to any individual.
  1. The data will only be processed for the legitimate purposes set out in this notice, to the extent necessary and proportionate for those purposes, in accordance with the applicable laws and recommendations, and subject to appropriate security measures.
  1. To this end, the Data Controller uses the http protocol "https" to access the website, which allows web communication to be encrypted and uniquely identified. In addition, as described above, the Data Controller stores the processed data in encrypted data files, which are stored in separate processing lists for each processing purpose, accessible to specific employees of the Data Controller, who are responsible for the protection and responsible processing of the data in accordance with this Policy and the applicable laws.
  1. The Data Controller shall enter into a binding data processing contract with the data processors it uses to ensure compliance with applicable law and to guarantee an adequate level of data security.
  1. Passwords are stored in the Data Controller's system using encryption, as a result of which the Data Controller does not know the User's password.
  1. User rights in relation to data management
  1. the right to
  1. By reading this Privacy Policy, the User can inform himself/herself about the data processing at any time. At the User's request, information may also be provided orally, provided that the User's identity has been verified by other means. The User may request information during and after the period of his/her involvement with the processing. The information shall also cover all relevant details of the processing and the way in which the User exercises his or her rights. Upon request, the Data Controller shall also inform the User of the measures taken in response to the User's requests or the reasons for not taking such measures, indicating the forums available for lodging a complaint.
  1. Providing information is free of charge. If the User's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller shall, taking into account the administrative costs of providing the requested information or taking the requested action:
  2. charge a reasonable fee, or
  3. may refuse to act on the request.
  1. The Data Controller shall provide the information as soon as possible after the request is made (without undue delay), but no later than one month.
  1. Right of access
  1. Users have the right to access the data processed about them. In the event of such a request, the Data Controller shall inform the User whether or not personal data concerning the User are being processed and of all relevant circumstances relating to the specific processing.
  1. Under the right of access, the User may request a copy of his/her personal data processed by the Data Controller, which the Data Controller will provide to him/her free of charge on the first occasion. For subsequent copies, the Controller may charge a reasonable fee based on administrative costs.
  1. The copy shall be provided by the Data Controller in a commonly used electronic format, unless the User requests otherwise.
  1. Within the shortest possible time from the request (without undue delay), but no later than one month, the Data Controller shall provide access as described above.
  1. The right to rectification
  1. The User has the right to have inaccurate personal data concerning him/her corrected by the Data Controller without undue delay upon his/her request.
  1. Taking into account the purpose of the processing, the User has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
  1. At the User's request, the Data Controller shall correct or, in justified cases, supplement inaccurate personal data concerning the User without undue delay.
  1. The right to erasure
  1. The User shall have the right to obtain from the Data Controller the erasure of personal data relating to him or her without undue delay, and the Data Controller shall be obliged to erase personal data relating to the User without undue delay, if one of the following grounds applies:
  2. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  3. the User withdraws the consent on which the processing is based and there is no other legal basis for the processing (of the processing covered by this notice, only the processing based on consent described in the following chapters:

3. Consent-based technical processing related to the provision of an IT service;

4. Data processing related to the receipt and response to a message;

5. Data processing related to the sending of newsletters;

6. Registration-related data processing;

11. Processing of data related to product evaluation);

  • the User objects to the processing and there are no overriding legitimate grounds for the processing (of the processing covered by this notice, only the processing based on legitimate interest as described in the following chapters:

3. Technical processing based on legitimate interest related to the provision of an information technology service;

8. Processing of the data of natural persons acting on behalf of a management entity;

14. Data transmission (to payment service provider));

  • the personal data have been unlawfully processed;
  • personal data must be erased in order to comply with a legal obligation under European Union or Member State law to which the controller is subject.
  1. The Data Controller is not obliged to delete data necessary for the establishment, exercise or defence of legal claims, even if the User so requests, nor is the Data Controller obliged to delete data whose processing is necessary for the protection of the vital interests of the User or of another natural person or for compliance with an obligation under Union or Member State law applicable to the Data Controller. However, the Data Controller will delete the data without request after the retention period has expired as a general rule.
  1. Right to restriction of processing
  1. At the User's request, the Controller shall restrict the processing of data if one of the following conditions is met:
  1. the User contests the accuracy of the personal data, in which case the restriction applies for the period of time that allows the Controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the User opposes the deletion of the data and instead requests the restriction of their use;
  3. the Data Controller no longer needs the personal data for the purposes of processing, but the User requires them for the establishment, exercise or defence of legal claims;
  4. the User has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate interests of the Controller prevail over the legitimate interests of the User (of the processing covered by this notice, this applies only to the processing based on legitimate interest, as described in the following chapters:

3. Technical processing based on legitimate interest related to the provision of an information technology service;

8. Processing of the data of natural persons acting on behalf of a management entity;

14. Data transmission (to payment service provider));

  1. If the processing is restricted, such personal data, except for storage, shall be processed by the Controller only with the consent of the User or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or of a Member State.
  1. The Data Controller shall inform the User who has contested the accuracy of the personal data and on this basis the processing has been restricted of the lifting of the restriction of processing in advance.
  1. Obligation to notify the rectification or erasure of personal data or the restriction of processing

The Data Controller shall notify the User of the rectification, restriction and erasure, as well as the recipients to whom the data was previously transmitted. Notification may be omitted if it proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the User of these recipients.

  1. Right to data portability
  1. The User shall have the right to receive personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to which he or she has provided the personal data, if:
  2. processing is based on the consent of the User or on a contract with the User; and
  3. the processing is carried out by automated means.
  1. Of the data processing operations covered by this notice, the data processing operations described in the following chapters comply with the above conditions, and therefore the right to data portability may be exercised in relation to them:
  2. carried out on the basis of consent:

3. Consent-based technical processing related to the provision of an IT service;

4. Data processing related to the receipt and response to a message;

5. Data processing related to the sending of newsletters;

6. Registration-related data processing;

11. Data processing related to product evaluation

  • the legal basis for the performance of the contract with the User:

7. Data processing related to orders placed by consumers.

  1. In exercising the right to data portability as set out above, the User has the right to request, where technically feasible, the direct transfer of personal data between data controllers.
  1. The right to protest
  1. Users may object to the processing of their personal data based on legitimate interests at any time on grounds relating to their particular situation.
  1. In this case, the Data Controller may continue to process the personal data only if the Data Controller proves that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the User or are related to the establishment, exercise or defence of legal claims.
  1. Among the data processing operations covered by this notice, the User may exercise his or her right to object in respect of the following data processing operations described in the chapters on data processing operations based on legitimate interests:

3. Technical processing based on legitimate interest related to the provision of an information technology service;

8. Processing of the data of natural persons acting on behalf of a management entity;

14. Data transmission (to payment service provider).

  1. Fulfilling user requests
  1. The information and action referred to in point 17 shall be provided by the Data Controller free of charge. If the request of the User concerned is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller shall, taking into account the administrative costs of providing the requested information or information or of taking the requested action:

a) charge a reasonable fee, or
b) refuse to act on the request.

  1. The Data Controller shall inform the User of the action taken on the request, including the provision of copies of the data, without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the User of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request. Where the User concerned has submitted his request by electronic means, the information shall be provided by the Data Controller by electronic means, unless the User concerned requests otherwise.
  1. If the Data Controller does not take action on the request of the User concerned, the Data Controller shall inform the User concerned without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action and of the right to lodge a complaint with the supervisory authority referred to in point 19 and to exercise the right to judicial remedy as provided for in the same point.
  1. The User may submit requests to the Data Controller by any means that allows the identification of the User. The identification of the User submitting the request is necessary because the Data Controller can only grant requests to those who are entitled to do so. If the Data Controller has reasonable doubts about the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the User concerned.
  1. User requests by post Data Controller Hungary, 3000 Hatvan, hrsz. 759/9., or by e-mail to the e-mail address support@polczfood.com. Requests sent by e-mail shall be considered valid by the Data Controller only if they are sent from the e-mail address provided by the User to the Data Controller and registered there, however, the use of another e-mail address shall not constitute a disregard of the request. In the case of e-mail, the date of receipt shall be deemed to be the first working day following the sending of the request. 
  1. Enforcement

Data subjects may exercise their rights before the courts and may also apply to the National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information
Address: Hungary, 1055 Budapest, Falk Miksa utca 9-11.
Postal address: Hungary, 1363 Budapest, Pf. 9.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu/

In the event of a court proceeding, the action may be brought before the court of the User's domicile or residence, at the choice of the User concerned, as the court has jurisdiction to hear the case.

The original document is in Hungarian, in all cases the original Hungarian version shall prevail.
Download/print the original document in Hungarian: HERE

4 March 2024.

POLCZ FOOD Kft.