1. GENERAL INFORMATION
In the course of its activities, John Calvin Publishing House of the Reformed Church in Hungary (hereinafter: “the Controller”) takes utmost care for the protection of personal data, compliance with mandatory legal requirements and the safe and fair processing of personal data.
Details of the Controller:
Name in English: John Calvin Publishing House of the Reformed Church in Hungary
Short name (only in Hungarian): Református Kálvin Kiadó
Registered office: H-1113 Budapest, Bocskai út 35.
TIN No.: 19719452-2-43
The Controller shall at all times process personal data disclosed to it in accordance with the applicable Hungarian and European laws and ethical requirements and always take all technical and organisational measures required for safe and secure data processing.
This Policy was prepared in accordance with the following applicable laws.
- Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing;
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services;
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities;
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“the Info Act”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “the GDPR”).
The Controller agrees to observe the terms and conditions specified herein and also encourages its customers to accept the provisions hereof.
The Controller publishes this Privacy Policy on its website.
The Controller reserves the right to modify this Privacy Policy. In such case, the amended Privacy Policy will be published on the website of the Controller.
2. DEFINITIONS
Objection shall mean a declaration made by the data subject objecting to the processing of his/her personal data and requesting the termination of data processing, as well as the erasure of the data processed.
Controller shall mean natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or have it executed by a Processor.
Processing shall mean any operation or the aggregate of operations performed on data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification.
Data Transfer shall mean the grant of access to the data for a third party.
Disclosure shall mean granting access to the data for anyone.
Erasure shall mean making data unrecognisable in a way that such data can never be restored.
Data Tagging shall mean marking data with an identification tag in order for such data to become distinct.
Blocking of Data shall mean marking data with an identification tag in order to restrict further processing thereof for a definite term or permanently.
Data Destruction shall mean complete physical destruction of a data carrier.
Processing shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for carrying out such operations, as well as the place of execution, provided that the technical task is performed on such data.
Processor shall mean any natural or legal person or organisation without legal personality processing data on the grounds of a contract, including contracts concluded pursuant to legislative provisions.
Data Set shall mean all data processed in a single file.
Operation(s) shall mean access, modification, transfer, public disclosure, erasure or destruction, as well as incidental destruction or damages.
Third party shall mean any natural or legal person or organisation without legal personality other than the data subject, the Controller or the Processor.
Consent shall mean any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she clearly signifies agreement to the processing of personal data relating to him or her fully or to the extent of specific operations.
Sensitive Data shall mean personal data revealing nationality or racial origin, political opinions or any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning health, pathological addictions, sex life or criminal record.
3. PRINCIPLES OF DATA PROCESSING
Personal data may be processed when the data subject has given his/her consent or when processing is necessary under an Act or a Decree issued by the local government based on authorization conferred by an Act.
Personal data may be processed only for specified purposes, where this is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied in all stages of data processing activities.
The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.
Transfer of personal data and connecting of various processing activities shall be subject to the consent of the data subject or a permission granted by an Act and only in the event that the requirements applicable to such processing are met for each and every personal data.
Transfer of personal data from Hungary to third-country Controllers or Processors — irrespective of the data medium or the method of data transmission — shall be subject to the express consent of the data subject or a permission granted by an Act, and an appropriate level of protection shall be granted for such personal data in the course of processing in the third country.
Where data processing is mandatory, the purpose and the conditions of processing, the scope of data to be processed and the access thereto, the duration of the processing and the Controller shall be specified by an Act or a Decree issued by the local government.
On grounds of public interest, an Act may prescribe publishing of personal data, provided that the scope of such data shall be explicitly identified. In any other case, publishing of personal data shall be conditional upon the consent — in the event of sensitive data, the written consent — of the data subject. In the event of ambiguity the consent of the data subject shall be deemed as not granted.
The consent of the data subject shall be considered as granted for data disclosed by him/her in the course of a public appearance or for the purposes of public disclosure.
In a procedure initiated by the data subject, the grant of his/her consent to the processing of his/her data required in such procedure shall be deemed granted.
Personal data shall be erased if
a) such data are unlawfully processed;
b) so requested by the data subject in accordance with the provisions of the Info Act;
c) such data are incomplete or incorrect and this cannot be lawfully rectified, provided that erasure is not prohibited by an Act;
d) the purpose of processing no longer exists or the legal time limit for storage specified by an Act has expired;
e) so ordered by court or by the National Authority for Data Protection and Freedom of Information.
4. LEGAL GROUNDS OF PROCESSING
In the course of its activities, the Controller shall at all times process personal data on grounds of a permission granted by an Act or a voluntary consent. In certain cases, where consent is not granted, processing is based on other legal grounds or Article 6 of the GDPR.
Data received in the course of the Controller’s activities shall be processed solely by the personnel of the Controller or used by providers specified below in order to carry out particular tasks. Data disclosed by a natural person and erased upon the request of the latter shall be deleted from any further data of the Controller which may be used in the future, to the extent permitted by the applicable laws. The personnel of the Controller shall at all times make sure that the data processed by them are up-to-date and relevant for further use in the course of their activities.
5. PROCESSING ACTIVITIES CARRIED OUT BY PROCESSORS
The Controller will engage the following Processors and use their services in the course of its activities:
Magyar Posta Zrt.
Registered office: H-1138 Budapest, Dunavirág utca 2-6.
Company Registry No.: 01-10-042463
TIN No.: 10901232-2-44
Scope of data transferred: Name, telephone, e-mail, postal code, delivery address, doorbell number of the customer, message to courier
Purpose of data transfer: sending of mails, delivery of product
GLS General Logistics Systems Hungary Co.Ltd.
Registered office: H-2351 Alsónémedi, GLS Európa utca 2.
Company Registry No.: 13-09-111755
TIN No.: 12369410-2-13
Scope of data transferred: Name, telephone, e-mail, postal code, delivery address, doorbell number of the customer, message to courier, description, quantity and unit price of the purchased product
Purpose of data transfer: delivery of product, collection of cash on delivery
SPRINTER Futárszolgálat Korlátolt Felelősségű Társaság
Registered office: H-1097 Budapest, Táblás utca 39.
Company Registry No.: 01-09-660447
TIN No.: 12263840-2-43
Scope of data transferred: Name, telephone, e-mail, postal code, delivery address, doorbell number of the customer, message to courier, description, quantity and unit price of the purchased product
Purpose of data transfer: delivery of product, collection of cash on delivery
OTP Mobil Kft.
Registered office: 1143 Budapest, Hungária krt. 17-19.
Company Registry No.: 01-09-174466
TIN No.: 24386106-2-42
Scope of data transferred: Name, e-mail, phone number, billing and delivery address
Purpose of data transfer: see Data management policy of SimplePay: http://simplepay.hu/vasarlo-aff
DNS Szoftverház Kft.
Registered office: H-1221 Budapest, Baross utca 18.
Company Registry No.: 01-09-074682
TIN No.: 10517026-2-43
Scope of data transferred: Data associated with the processing of IT data required for bookkeeping, billing and the keeping of other accounting and turnover records
Purpose of data transfer: operation and maintenance of Oracle-based (accounting, financial and IT) management systems
6. WEBSITE
The Controller does not record the IP address or other personal data of the visitors of the websites operated by it. The Controller published the Privacy Policy applicable to the Webshop operated by it in a separate document.
The html code of the websites operated by the Controller may contain links from and to external servers independent from the purpose of web analytics measurements. Such measurements include conversion tracking as well. The data processed by the web analytics provider do not include any personal data and only cover browsing data which are not eligible to identify individuals.
Currently, the web analytics provider is PAROLA Ltd. (H-1117 Budapest, Prielle Kornélia utca 19/B, www.parola.hu)
7. NEWSLETTER
The Controller sends online newsletters on novelties, news and offers to the subscribers of the newsletters of the websites operated by it, customarily on a monthly basis. Subscription to newsletters shall be conditional upon the submission of name and e-mail, given that these are indispensable for the delivery of messages.
The term of processing will end upon the request of the data subject to erase such data. The truthfulness of submitted personal data shall be the liability of the user.
8. CLUB OF MEMBERS (“BARÁTI KÖR”)
The purpose of the Club of Members of Calvin Publishing House (“Kálvin Kiadó Baráti Köre”) established by the Controller is to offer discounted purchases and send information about publications, events and purchase opportunities. To that end, the Controller processes the name, address and e-mail of the members.
The term of processing will end upon the request of the data subject to erase such data. The truthfulness of submitted personal data shall be the liability of the user.
9. SAFETY AND SECURITY OF PROCESSING
Personal data are stored on the servers of PAROLA Ltd. (H-1117 Budapest, Prielle Kornélia utca 19/B, www.parola.hu) safeguarded by security guards 24/7 and connected to the Hungarian internet trunk network.
10. RIGHTS OF DATA SUBJECTS
The data subject may request from the Controller at any of the contact details of the latter: (i) information on his/her personal data being processed, (ii) the rectification of his/her personal data, and (iii) the erasure of his/her personal data, save where processing is rendered mandatory by the laws.
Upon the data subject’s request the Controller shall provide information concerning the data relating to him/her, the purpose, grounds and duration of processing, the name and address (registered office) of the Processor and on its activities relating to data processing, the purposes and recipients of data transferred.
The Controller shall comply with received requests for information without any delay and provide the information requested in an intelligible form in writing and free of charge, within 25 days the latest. The Controller shall rectify incorrect personal data. The Controller shall erase any personal data if the processing thereof is against the laws; or if it is incomplete or incorrect and this cannot be lawfully rectified, provided that erasure is not prohibited by an Act; if the purpose of processing no longer exists; if the deadline prescribed in an Act for the storage of such data expired; or if such erasure was ordered by Court or the Data Protection Officer. The Controller shall notify the data subjects and any person about the erasure to whom it previously transferred the data concerned for the purposes of processing. Such notification may be omitted where this is not in conflict with the data subject's legitimate interests, considering the purpose of processing.
The data subject shall have the right to object to the processing of his/her personal data if such processing (or the transfer) thereof is carried out solely for the purposes of enforcing the rights and legitimate interests of the Controller or the recipient, unless processing is mandatory based on an Act. It is also granted by the Act for the data subject to object to the processing if his/her personal data are used or transferred for the purposes of direct marketing, public opinion polling or scientific research.
In the event of objection, the Controller shall suspend the processing and investigate the cause of objection within the shortest possible time but within fifteen-days the latest from the submission of the request and notify the data subject in writing of its decision. If the data subject’s objection is justified, the Controller shall terminate the processing (including collection and transfer of data), block the data involved and notify all recipients to whom any of these data was transferred about the objection and the ensuing measures, upon which these recipients shall also take measures regarding compliance with the right of objection.
11. EFFECTIVE DATE
This Privacy Policy shall become effective on 25 May 2018.
Date of modification: 10 July 2018
Budapest, 24 May 2018
__________________________
John Calvin Publishing House
of the Reformed Church in Hungary
represented by: Sgd. Árpád Galsi, Director