PRIVACY POLICY

During the operation of the Online Store maintained by the Data Controller (www.vitalgrapeessence.com, hereinafter: the “Online Store,” “Webshop”), the Data Controller processes the personal data of data subjects who register in the Online Store, make purchases through it with or without registration, or simply visit the website (hereinafter collectively: “Data Subject,” “Customer,” “User”). Such processing is carried out in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: the “Info Act”), as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the “Regulation,” “GDPR”).

The Data Controller hereby informs Data Subjects about the personal data it processes in connection with registration and purchases carried out via the Online Store, the sending of newsletters, and the data processing necessarily associated with the use of the website www.vitalgrapeessence.com; about the purposes of processing, the retention periods, the methods of storage and transmission, the principles and practices it follows when processing personal data, as well as the ways and possibilities to exercise data subjects’ rights.

The Data Controller reserves the right to unilaterally amend this document at any time.

The controller of the published data is Vital Grape Essence Limited Liability Company, acting as data controller.

Company name: Vital Grape Essence Kft.
Registered office: Hungary, 6239 Császártöltés, Petőfi Sándor utca 4.
Mailing address: Hungary, 6239 Császártöltés, Petőfi Sándor utca 4.
Tax number: 32596245-1-03
Company registration number: 03-09-138536
Bank account: K&H Bank Zrt., 10404601-50527056-83851003
Data protection registry number: –
Issuing court/authority: Bács-Kiskun County Court
Contract language: Hungarian
Email: info@vitalgrapeessence.com

3.1 Registration

The Data Controller draws Data Subjects’ attention to the fact that making purchases in the Online Store is not subject to prior registration; registering does not oblige anyone to purchase.

Please note that only one registration may be associated with a given email address. The Data Subject bears all responsibility for damages arising from the provision of incorrect or false data. The Data Controller reserves the right to delete registrations that are clearly incorrect or false and, in case of doubt, to verify the authenticity of the data provided. Please also note that, to finalize registration (to prevent registrations made with erroneous or incorrect data), the system will send an automatic email to the address provided; by clicking the link in that email, the Data Subject can validate their registration.

The Data Controller expressly emphasizes that Data Subjects bear full responsibility for the accuracy and up-to-dateness of their data. Accordingly, please update your account details if any of your personal data changes. After modifying data, the system sends an automatic confirmation email to the registered address, in which the Data Subject can finalize the changes.

Purpose of processing: To perform registration that facilitates purchasing in the Online Store, and to collect the data necessary to fulfill orders placed by Data Subjects as buyers and, in case of purchase, to issue an invoice.

Legal basis for processing: The Data Subject’s voluntary, informed, and explicit consent, provided by ticking the checkbox displayed during registration, based on the information contained in this document. (Info Act Section 5(1)(a) and GDPR Article 6(1)(a).)

Scope of processed data: Billing name, billing address (postal code, city/town, street address), phone number, email address, contact person’s name, password.

Retention period: Until the Data Subject withdraws consent or the user account is permanently deleted, which the user may request by submitting an application to the contact details specified in Section 2 for the Data Controller; or until the Data Controller deletes registrations that are clearly incorrect or false, as well as after 2 years of inactivity.

Please note that if, after registration, you make a purchase in the Online Store, your account may still be deleted in the above cases; however, in such a case, data linked to the purchase—namely, the issued invoices (and the personal data appearing on them)—will continue to be retained as set out in Section 3.2.

Location of processing: IT equipment located at the Data Controller’s premises.

Method of storage: Electronic.

Data transfers: No data transfers occur.

Processor: CSB IT Hosting & Consulting BT., registered office: 9985 Felsőszölnök, Hármashatár út 33., Company reg. no.: 18 06 106940, contact: info@awh.hu. Processing activity: hosting services.

Possible consequences of failing to provide data: In the case of purchases in the Online Store, the data requested during the ordering process must be entered again each time.

3.2 Purchases in the Online Store

Users may purchase in the Online Store without prior registration. Registering in the Online Store does not obligate the user to purchase. Accordingly, the Data Controller provides separate information regarding the processing of personal data for these two processes.

Purpose of processing: To receive orders placed by the User from the Online Store, to confirm and fulfill orders, to deliver goods, to issue invoices/receipts for purchases, and to comply with documentation and record-keeping obligations applicable to the Data Controller.

Legal basis for processing: Processing is necessary for the performance of a contract to which the Data Subject is a party (GDPR Article 6(1)(b)). If the sales contract concluded between the parties has been performed (i.e., the buyer has paid the purchase price and the Data Controller as Seller has handed over the ordered product, and the buyer has accepted it), the legal basis for processing is Section 169(2) of the Accounting Act.

Scope of processed data: Billing name, email address, phone number, billing address (postal code, city/town, street address), shipping address (postal code, city/town, street address).

Retention period: Until the last day of the 8th year following the last day of the year in which the invoice was issued, pursuant to Section 169(2) of the Accounting Act.

Location of processing: IT equipment located at the Data Controller’s premises; for paper documents/invoices, the Data Controller’s archives.

Data transfers: In connection with the processing specified in this section, the following data are transferred to the following controllers:

Controller:
FedEx Express Hungary Kft., Hungary, 1185 Budapest, BUD International Airport II. Logistics Center-Office. 283. Bldg.
Purpose of transfer: Home delivery of ordered products
Scope of transferred data: Customer data indicated on the invoice (name, shipping and billing address)
Legal basis for transfer: Processing necessary for the performance of a contract to which the Data Subject is a party.

Processors:
CSB IT Hosting & Consulting BT., registered office: 9985 Felsőszölnök, Hármashatár út 33., Company reg. no.: 18 06 106940, contact: info@awh.hu. Processing activity: hosting services.

3.3 Sending Newsletters, Direct Marketing

Under Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: the “Advertising Act”), the User may give prior and explicit consent to be contacted by the Data Controller as service provider with advertising offers and other communications at the contact details provided by the Data Subject. In addition, subject to the provisions of this notice, the Data Subject may consent to the processing of personal data necessary for sending advertising offers.

The Data Controller does not send unsolicited advertising messages, and the User may unsubscribe from newsletters at any time, free of charge and without restriction or justification. In this case, the Data Controller will delete all personal data necessary for sending advertising messages from its records and will no longer contact the User with advertising offers. The User can unsubscribe by clicking the link included in the message.

Please note that the Data Controller and the auxiliary service provider engaged for contract performance (MPL) may send system messages related to contract performance and operation of the Online Store—such as confirmations of registration or orders and other delivery-related information—by electronic mail or SMS to users at the email address they have provided. These messages are not considered advertising and therefore do not fall under the Advertising Act; no consent from the Data Subject is required for them. Accordingly, the following points of this notice do not apply to such messages.

Purpose of processing: To send electronic email messages containing advertising to the Data Subject and to provide information about current news, products, and promotions.

Legal basis for processing: The Data Subject’s voluntary, informed, and explicit consent, provided by clicking the hyperlink in the confirmation email sent after subscribing to the newsletter, based on the information contained in this document. (Info Act Section 5(1)(a) and GDPR Article 6(1)(a).)

Scope of processed data: Last name, first name, email address.

Retention period: Until the Data Subject withdraws consent, which can be done by clicking the unsubscribe link at the bottom of the newsletter.

Location of processing: IT equipment located at the Data Controller’s premises and those of the processors engaged by the Data Controller.

Method of storage: Electronic.

Data transfers: No data transfers occur in relation to the processing covered by this section.

Processors:

1. CSB IT Hosting & Consulting BT., registered office: 9985 Felsőszölnök, Hármashatár út 33., Company reg. no.: 18 06 106940, contact: info@awh.hu. Processing activity: hosting services.

Possible consequences of failing to provide data: Notices regarding discounts and promotions can only be sent after the Data Subject provides the necessary data and consent.

3.4 Cookies

The Data Controller hereby informs the User that when downloading certain parts of the website, the web server automatically places small data files called cookies (“Cookies”) on the User’s device and reads them back on subsequent visits. In certain cases, these data files qualify as personal data under the Info Act and the GDPR because when the browser returns a previously stored cookie, the service provider handling the cookie can link the User’s current visit to previous ones—though only with respect to its own content.

The Online Store places two types of cookies on the user’s device. One is the essential PHPSESSID, which the webshop uses to identify the logged-in user’s session until logout and thus protect the registered user’s data. If your browser does not allow any cookies, including the PHPSESSID, you will not be able to use the webshop application. This cookie therefore does not require the user’s consent.

In addition, the Data Controller uses Google Analytics for statistical data collection, which places cookies in your browser and thus sends data to the Data Controller regarding what you visited on the site. These cookies do not store personal data; they serve to track what the Data Subject did on the website.

The Data Controller also uses the Google AdWords online advertising program and, within its framework, the Google conversion-tracking service. When the User reaches a website via a Google advertisement, a cookie necessary for conversion tracking is placed on the computer. These cookies do not contain any personal data, and the User cannot be identified by them.

Placement of the latter two cookies is based on the user’s consent; they are placed only with such consent, which the Data Subject gives by clicking the “I Agree” button in the pop-up window. If you do not wish to participate in data collection by Google Analytics or conversion tracking by Google AdWords, you may refuse by not granting consent to the installation of these cookies in your browser.

Purpose, retention, and consent requirements for certain cookies used by the Data Controller:

• Google Analytics (_ga, _gat, _gid cookies):
  The Online Store’s website uses Google Analytics to collect information and perform analyses on how Users access and use the Online Store. This information is used to prepare reports and to help improve the Online Store. Data collection—including the number of users of the Online Store, the User’s source, and which pages were visited through the Online Store—is carried out in anonymous form. The collected data cannot be traced back to the User. Google’s privacy policy can be found here. Google Analytics first-party cookies are created when the User visits the webshop because the Google Analytics tracking code is installed on our site. Cookies are stored on the User’s device for up to 2 years from the time indicated above. More information is available here. Consent required: Yes—by clicking the “I Agree” button, the Data Subject consents to placement of the cookie.
• Google AdWords (Google Remarketing):
  Numerous third-party providers, including Google, store data about the User’s prior visits to the Online Store and use that information to display the Data Controller’s ads when the User visits a website of one of Google’s partners. During a visit to the website, one or more cookies provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) are sent to the User’s computer, enabling the browser to be uniquely identified. Google remarketing cookies are used through the Google AdWords advertising system. Using the cookies provided by Google, the fact and time of the visit to the Online Store and which sub-pages were viewed are recorded. The stored data are retained in anonymous form. The User can disable Google remarketing cookies on Google’s Ads Settings page and can also disable third-party providers’ cookies on the Network Advertising Initiative’s opt-out page. Retention: up to 90 days after the User’s visit to the Online Store. Consent required: Yes—by clicking the “I Agree” button, the Data Subject consents to placement of the cookie.
• Session identifier (cookie named PHPSESSID):
  Session cookies enable the Webshop to recognize the User so the User does not have to re-enter data already provided. Retention: until the end of the current session (i.e., the duration of the User’s visit to the Webshop). After the session ends, the collected data are no longer accessible. Consent required: No, placement of this cookie does not require the Data Subject’s consent.
• Persistent cookies:
  To improve user experience (e.g., optimized site navigation, saving language preferences), the Data Controller uses persistent cookies. These cookies are stored longer in the browser’s cookie file. The duration depends on the settings used in the Data Subject’s internet browser. Consent required: Yes—by clicking the “I Agree” button, the Data Subject consents to placement of the cookie.

The User may accept or reject the use of cookies on a case-by-case basis, or reject the use of all cookies by appropriately configuring the browser. More information about how to do this and about cookies in general is available at: https://www.youronlinechoices.eu/. If the User decides to disable cookies, access to certain pages of the Website will be limited, and some functions or services of the Site may not operate properly.

Purpose of processing: Identifying users and distinguishing them from one another; identifying user sessions; storing data entered during sessions; preventing data loss; user identification; conducting web analytics measurements; proper operation of the Website; enhancing user experience; displaying advertisements to Users.

Legal basis for processing: The Data Subject’s consent, given by clicking the “I Agree” button in the cookie pop-up warning, based on the appropriate information provided in this notice. (Info Act Section 5(1)(a) and GDPR Article 6(1)(a).)

Scope of processed data: Identifier number, date, time, and the previously visited page.

Method of storage: Electronic.

Data transfers: No data transfers occur.

3.5 Information on Use of the Online Store as a Website

Although, in our view, the data the Data Controller becomes aware of during the processing described in this section do not qualify as personal data, for the sake of complete transparency we record that the Data Controller collects and stores, in aggregated form and in its own system through logging, statistical information regarding Users’ activities that is not suitable to identify the user personally. The log includes, among other things but not limited to, the IP address of the Data Subject’s computer, the time of use, and the user activity. The Data Controller does not disclose this data to third parties and uses the content of the log exclusively for its own analytical purposes, to improve user experience and for technical development of its IT system.

Please note that the Online Store contains links to other websites. The use of such external websites is governed by the privacy policies/notices of those sites, and after clicking an external link or the appropriate button, the Data Controller has no influence over the collection, storage, or processing of personal data.

The Data Controller respects the rules on the security of personal data, and both the Data Controller and any authorized processor take all technical and organizational measures and establish the procedural rules necessary to enforce the Info Act and GDPR requirements on confidentiality and data security.

The Data Controller protects the data it processes with appropriate measures against unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction or damage.

In the course of processing, the Data Controller preserves:
a) Confidentiality: ensuring that information is accessible only to those authorized to have access;
b) Integrity: safeguarding the accuracy and completeness of information and processing methods;
c) Availability: ensuring that the authorized user has access to information and associated assets when required.

The Data Controller adequately protects its IT systems and networks against computer fraud, espionage, fire and flood, viruses, and hacking. The operator ensures security through server-level and application-level protection procedures. The Data Controller monitors its systems to record all security incidents and provide evidence in the event of any security event. System monitoring also enables verification of the effectiveness of the protective measures applied. Compliance with the information security measures applied by the Data Controller is required and verified under the terms of contracts concluded with engaged processors.

All personal information provided by the Data Subject to the Data Controller must be true, complete, and accurate in all respects.

The Data Subject may request information about the processing of their personal data and may request the rectification of their personal data and—except in the case of mandatory processing—their deletion or withdrawal; the Data Subject may exercise the right to data portability and the right to object in the manner indicated at data collection or via the contact details of the Data Controller specified above.

Right to be informed: The Data Controller shall take appropriate measures to provide Data Subjects with all information referred to in Articles 13 and 14 of the GDPR and all notifications under Articles 15–22 and 34 regarding the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

The right to information may be exercised in writing via the contact details indicated in Section 2 of this notice. Upon request—and after verifying identity—information may also be provided orally.

Right of access: The Data Subject has the right to obtain from the Data Controller confirmation as to whether personal data concerning them are being processed and, where that is the case, access to the personal data and the following information: purposes of processing; categories of personal data; the recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations; the envisaged period for which the personal data will be stored; the right to rectification, erasure, restriction of processing, and objection; the right to lodge a complaint with a supervisory authority; information on the sources of the data; the existence of automated decision-making, including profiling, and meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for the Data Subject. In the case of transfers to a third country or an international organization, the Data Subject has the right to be informed of the appropriate safeguards relating to the transfer.

The Data Controller shall provide a copy of the personal data undergoing processing to the Data Subject. For any further copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. At the Data Subject’s request, the information shall be provided by the Data Controller in electronic form. The Data Controller shall provide the information within no more than one month from receipt of the request.

Right to rectification: The Data Subject may request rectification of inaccurate personal data concerning them processed by the Data Controller and completion of incomplete data.

Right to erasure (“right to be forgotten”): The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay where one of the following grounds applies:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– the Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
– the Data Subject objects to the processing, and there are no overriding legitimate grounds for the processing;
– the personal data have been unlawfully processed;
– the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;
– the personal data have been collected in relation to the offer of information society services.

Erasure may not be requested where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; for reasons of public interest in the area of public health; or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or for the establishment, exercise, or defense of legal claims.

Right to restriction of processing: The Data Subject may obtain restriction of processing where one of the following applies:
– the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
– the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
– the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims; or
– the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.

Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the Data Subject’s consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. The Data Controller shall inform the Data Subject before the restriction of processing is lifted.

Right to data portability: The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, machine-readable format, and has the right to transmit those data to another controller.

Right to object: The Data Subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, including profiling based on those provisions. In such a case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Automated individual decision-making, including profiling: The Data Subject has the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning them or similarly significantly affects them.

This right does not apply if the processing:
– is necessary for entering into, or performance of, a contract between the Data Subject and the Data Controller;
– is authorized by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests; or
– is based on the Data Subject’s explicit consent.

Right to withdraw consent: The Data Subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Procedural rules: The Data Controller shall inform the Data Subject without undue delay and in any event within one month of receipt of the request of the actions taken on a request under Articles 15–22 of the GDPR. That period may be extended by two further months where necessary, taking into account the complexity and number of requests.

The Data Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.

If the Data Controller does not act on the Data Subject’s request, the Data Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The Data Controller shall provide information and take action free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or may refuse to act on the request.

The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. At the Data Subject’s request, the Data Controller shall inform the Data Subject about those recipients.

The Data Controller shall provide a copy of the personal data undergoing processing to the Data Subject. For any further copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Subject submitted the request electronically, the information shall be provided in electronic form unless otherwise requested by the Data Subject.

Compensation and non-material damages: Any person who has suffered material or non-material damage as a result of an infringement of the Regulation shall have the right to receive compensation from the Data Controller or Processor for the damage suffered. The Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the Regulation specifically directed to processors or acted outside or contrary to lawful instructions of the Data Controller.

Where more than one Data Controller or Processor, or both a Data Controller and a Processor, are involved in the same processing and are responsible for any damage caused by processing, each Data Controller or Processor shall be held liable for the entire damage.

The Data Controller or Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Supervisory authority procedure: The Data Subject may lodge a complaint regarding the processing of their personal data with the National Authority for Data Protection and Freedom of Information (NAIH).

Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf.: 5.
Phone: 06.1.391.1400
Fax: 06.1.391.1410
Email: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

Right to seek judicial remedy: Regardless of lodging a complaint, the Data Subject may bring proceedings before a court against the Data Controller in case of an infringement of their rights. The court shall proceed in the case as a matter of priority.

If the User wishes to contact the Data Controller, they may do so via the contact details listed in Section 2 of this notice.