Privacy & Security
Do you agree to the use of cookies?
HAMA TRADE LIMITED LIABILITY COMPANY
Information on the processing of personal data
Introduction
The data controller find it extremely important to disclose data of public interest as broadly as possible and is committed to protecting the personal information of the parties involved. Data controller find it extremely important to respect the right to informational self-determination of the parties involved. Data controller process personal data confidentially and take all the appropriate security, technical and management measures to ensure the safety of that information.
Data controller process personal data and data of public interest in accordance with the Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter: “Info Act”), and with the guidelines provided by the president of the National Authority for Data Protection and Freedom of Information, and with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”).
This regulatory document provides rules designed to protect the personal information of natural persons in regard to data processing, and to the free low of that information. The rules of this regulation shall be applied to individual data processing as well as to publishing of instructions and information on the processing of personal data. Providing any personal information indicates that the owner of that information accepts the terms of this regulatory document.
-
Contact
HAMA Kereskedelmi Korlátolt Felelősségű Társaság (registered seat: 1181 Budapest, Zádor u. 18.; company registration number: 01-09-264063; tax number: 10841547-2-43; represented by Ottó Prohászka; website: https://business.hu.hama.com email: info@hama.hu; telephone: +36-1/297-1040; hereinafter "Controller”, “Company””)hereby declare that this document is legally binding. Data Controller strive to comply the terms of this regulation and of existing legislation in regard to any data processing activity in relation to their operation.
The Data Processor
Data Controller may assign a third-party data controller company (hereinafter: “Data Processor”) to carry out data processing activities. Currently Data Controller have a contractual relation with the following Data Processor:
ADVANCED NETWORK TECHNOLOGIES Műszaki, Szolgáltató, Termelési, Kereskedelmi és Fejlesztési Korlátolt Felelősségű Társaság (registered seat: 1064 Budapest, Izabella u 88.; company registration number: 01-09-071747, tax number: 10452714-2-42, executive director: Krisztina Horváth)
Disclosure
This regulatory document (Information on the processing of personal data) is obtainable from https://hama.hu (hereinafter: “Company website”) at any time.
Modification and Effectiveness
The Data Controller shall be entitled for the unilateral amendment of this regulatory document at any time. The Data Controller shall notify the parties involved in good time and in the proper manner. Modification of this regulation may be required primarily to ensure compliance with the laws and regulations. All the content of the website of the Data Controller is protected by copyright. Any information provided on the website (text or image) may be used only if written consent is provided in advance by the owner of the website. The Data Controller accept no responsibility or liability whatsoever in regard to the content of the website. This regulatory document is effective and valid until recalled. This regulatory document is applicable to officials and employees of the Data Controller and to all parties whose personal information is processed.
Definitions
In regard to any data processing activity and also in the scope of this regulatory document Data Controller use the terms of Info Act and GDPR.
Definitions
In regard to any data processing activity and also in the scope of this regulatory document Data Controller use the terms of Info Act and GDPR.
Notification
In case of divergence between the Hungarian and the English version of this document, the Hungarian version shall prevail.
Processing of personal data
Processing of personal data carried out by the Data Controller in regard to visiting https://business.hu.hama.com/
-
Cookies
Data Controller use cookies on their website. Some of those cookies process personal data.
SPAM defense cookies:
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing IP-address Consent made upon the Article 6 (1) a) of the GDPR Analyzing usage of the website for filtering unwanted and automated traffic SPAM defense cookies process information for a maximum of 8 hours Analytics cookies:
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing IP-address Consent made upon the Article 6 (1) a) of the GDPR Used by Google Analytics to categorize visitors of the website Analytics cookies process information for a maximum of 8 hours -
Accepting resumes on the Company website (https://business.hu.hama.com )
Data Controller advertise current job openings on the Company website under the “Karrier” menu option in the purpose of fulfilling those positions.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, e-mail address Consent made upon the Article 6 (1) a) of the GDPR Establishment of employment relationship In case of the application is accepted: over the entire duration of the employment relationship. In case of the application is not accepted: for a maximum of 5 days following the fulfillment of the job opening Other personal data shown by resume Consent made upon the Article 6 (1) a) of the GDPR Establishment of employment relationship In case of the application is accepted: over the entire duration of the employment relationship. In case of the application is not accepted: for a maximum of 5 days following the fulfillment of the job opening Additional processing of personal data carried out by the Data Controller/h4>
-
Accepting resumes (with the exception of resumes accepted on the Company website)
In extreme circumstances Data Controller advertise current job openings on third party sites like profession.hu, cvonline.hu and jobline.hu. Sometimes the Company also have so called “flier” resumes
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, e-mail address Consent made upon the Article 6 (1) a) of the GDPR Establishment of employment relationship In case of the application is accepted: over the entire duration of the employment relationship. In case of the application is not accepted: for a maximum of 5 days following the fulfillment of the job opening Other personal data shown by resume Consent made upon the Article 6 (1) a) of the GDPR Establishment of employment relationship In case of the application is accepted: over the entire duration of the employment relationship. In case of the application is not accepted: for a maximum of 5 days following the fulfillment of the job opening Further processing of resumes
If the application of a candidate is not accepted, special consent may be made by the candidate to allow further data processing carried out by the Company in regard to applying for job openings in the future.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, e-mail address Consent made upon the Article 6 (1) a) of the GDPR Establishment of employment relationship Until the consent is recalled and for a maximum of 1 year Other personal data shown by resume Consent made upon the Article 6 (1) a) of the GDPR Establishment of employment relationship Until the consent is recalled and for a maximum of 1 year Data processing in regard to deliveries
In the case of outgoing deliveries Company preserve delivery notiications which shows the name and the address of the party involved.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name and address of the party involved (natural person, private entrepreneur, contact person) Upon the legitimate interest of the Data Controller; Article 6 (1) f) of GDPR Keeping contact between Data Controller and the party involved For 6 months Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Personal data of contact persons in regard to contracts
Where the Company conclude a contract with a legal entity, the personal data of the contact person on behalf of the party entering into the contract shall be disclosed. During the process of concluding the contract, personal data of the party involved shall be transmitted to the law firm contracted by the Data Controller.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, telephone number, e-mail address Upon the legitimate interest of the Data Controller; Article 6 (1) f) of GDPR Fulfilling the contract, keeping contact between the Data Controller and the party involved For the claim validity period (5 years following the termination of the contract) Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Processing of personal data in regard to contracts with private entrepreneurs and natural persons
In extreme circumstances Data Controller may conclude contracts with private entrepreneurs or natural persons. During the process of concluding the contract, personal data of the party involved shall be transmitted to the law firm contracted by the Data Controller.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, tax number, address, registered seat, registration number, signature Processing of personal data necessary for the performance of a Contract; Article 6 (1) b) of GDPR Fulfilling the contract For the claim validity period (5 years following the termination of the contract) Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Processing of master data in regard to non-legal entities
If a purchase is made by non-legal entities, the personal data shall be stored in the SAP system used by the Company. A unique ID shall be assigned to the customer. The SAP system stores the billing address of the customer. Invoice shall be issued after all the necessary personal data is provided.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, address/registered seat, tax number Upon the legitimate interest of the Data Controller; Article 6 (1) f) of GDPR Storage of partner information, issuing invoice For the entire duration of the business relation. Inactive partners are deleted automatically. Personal data in regard to invoicing: for 5 years Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Recruitment agencies
Data Controller have contractual relationship with student employment agencies and pensioner employment agencies.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, e-mail, address, telephone number, date of birth, place of birth Processing of personal data necessary for the performance of a Contract; Article 6 (1) b) of GDPR Fulfilling of job openings 5 years following the termination of the contract Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Photos taken on Company events
Photos may not be taken at internal events; however photos may be taken at public events. Photos may be published in media related to the Company.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Photo Upon the legitimate interest of the Data Controller; Article 6 (1) f) of GDPR Promoting events, advertising the Company For 2 years Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Data processing in relation to prize competition
In some circumstances, the Company provide prizes to the winners of a prize competition.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, e-mail address, telephone number, address Upon the legitimate interest of the Data Controller; Article 6 (1) f) of GDPR Getting in contact with the winner, delivering prize For 1 year Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Newsletter sent to active partners
Upon the registration process, the partner/customer declares if they consent to receiving newsletters form the Company or not. The Company maintain a database of e-mail addresses.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, e-mail address Consent made upon the Article 6 (1) a) of the GDPR Publishing of current news, advertising the Company For the entire duration of the contractual relationship Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Newsletter sent to inactive partners
Upon the registration process, the partner/customer declares if they consent to receiving newsletters form the Company or not. The Company maintain a database of e-mail addresses.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, e-mail address Consent made upon the Article 6 (1) a) of the GDPR Publishing of current news, advertising the Company Until consent is recalled Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Customer service by telephone, bug reporting
Contact may be made by telephone or email. In some circumstances bug reporting may be made in person on the Company site where the customer presents the problem in relation to the product themselves.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, e-mail address, telephone number Upon the legitimate interest of the Data Controller; Article 6 (1) f) of GDPR Repairing the product For 2 years Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Invoicing
Company may issue an invoice using different methods depending on whether the personal data of the customer is stored in the system used by the Company or not. The invoice may be sent to the customer using different channels.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, address/registered seat, tax number/td> Upon the lawfulness of operating; Article 6 (1) c) of GDPR Managing, issuing and receiving invoices For 5 or 8 years Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Registration form
There is a registration form on the Company website, which is used to collect personal data of customers should they plan frequent purchases in the future. The Company process that information in their system (SAP).
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, tax number, registered seat, postal address, bank account number Upon the legitimate interest of the Data Controller; Article 6 (1) f) of GDPR Adding new partners For the entire duration of the contractual relationship. Inactive partners are deleted automatically Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Processing orders – for partners
The Company generally take orders via the SAP system, however orders are also accepted via e-mail, telephone or the EDI system.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, telephone number, e-mail address, shipping address Processing of personal data necessary for the performance of a Contract; Article 6 (1) b) of GDPR Processing and managing orders For the entire duration of the contractual relationship. Inactive partners are deleted automatically Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Bill of delivery
Most of the time delivery is processed in correspondence of the bill of delivery which is signed by both parties involved.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Signature Processing of personal data necessary for the performance of a Contract; Article 6 (1) b) of GDPR Proof of delivery, monitoring of delivery For 5 years Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Selling a company car, concluding sales contract – for legal entities
Selling a company car to a legal entity not related to the Company shall be accompanied by a sales contract. During the process of concluding the contract, personal data of the party involved shall be transmitted to the law firm contracted by the Data Controller.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, telephone number, e-mail Processing of personal data necessary for the performance of a Contract; Article 6 (1) b) of GDPR Selling Company assets For 5 years Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
Selling a company car, concluding sales contract – for non-legal entities
Selling a company car to a natural person not related to the Company shall be accompanied by a sales contract. During the process of concluding the contract, personal data of the party involved shall be transmitted to the law firm contracted by the Data Controller.
Personal data processed Legal basis of the personal data processing Purpose of the personal data processing Duration of the personal data processing Name, telephone number, e-mail Processing of personal data necessary for the performance of a Contract; Article 6 (1) b) of GDPR Selling Company assets For 5 years Providing personal data for the purposes of data processing described in this section is mandatory. If that personal data is not provided, the aforementioned service shall not be used. Data processing described in this section is carried out by the Data Controller.
On behalf of an incapacitated Data Subject (under the age of 14) personal data shall be provided only by the legal representative of the party involved. Providing personal data of an incapacitated party shall be accompanied by the declaration of the legal representative of the party involved. The declaration aforementioned declaration shall be signed by the representative of the party involved. The declaration may be provided to the Data Controller in person or sent via postal mail, e-mail or fax. The aforementioned declaration may be given in alternative ways to writing, such as voice recording or video recording.
Personal data of a partially capacitated Data Subject (under the age of 16) shall be processed only based upon the written consent of the legal representative of the party involved.
Consent of a Data Subject over the age of 16 may be considered valid without the consent or approval of the legal representative of the party involved in regard to registration process or to any other form of providing personal data. Those parties may give consent to data processing depending on the method used for data processing.
Consent of the Data Subject, terms of consent
Data Controller shall process of personal data only if the consent of the Data Subject is given voluntarily and explicitly and is based on prior information provided by the Data Controller. Consent may be given in writing – including electronically – or verbally. Consent may be given by checking a checkbox in relation to data processing when Data Subject visits the Company website. Not saying anything or not doing anything shall not be considered as consent. A prechecked checkbox on the Company website shall not be considered as consent. Whenever a customer visits the Company website and changes technical settings in relation to data processing, those activities shall be considered as voluntary and explicit consent. When a customer gives a declaration or carries out an activity in relation to data processing, those activities shall be considered as voluntary and explicit consent.
If the data processing is based on the consent of the Data Subject, the Data Controller shall be able to give valid form of proof that the Data Subject gave consent to the data processing. If the party involved gives consent in writing and the document has subsections in relation to other matters as well, the request of consent shall be presented in a clearly distinguishable way. The Data Subject may withdraw their consent to the data processing at any time. Withdrawal of the consent shall not void the lawfulness of any data processing activity that happened prior to the withdrawal. The Data Controller shall provide a clear and simple way for the Data Subject to withdraw their consent to data processing.
-
-
Security of the personal data
Data Controller apply such reasonable technical and organizational security measures that ensure the appropriate security of the personal data of the parties involved, including protection against unauthorized or unlawful data processing, and against accidental loss, destruction or damage (including ensuring the private and secure operation, integrity, availability and protection of the systems that carry out the data processing activities). Data Controller apply tools such as firewall software, encryption technology and physical protection to ensure the safety of those systems at each entry point. Data Controller consider the technology level available at the time of selecting and applying the appropriate measures of protection. Given that more than one method is available, Data Collector shall choose that option which provides higher security level in relation to protecting the personal data, unless applying that method results in disproportionate difficulties for the Data Controller.
Data breach
Data breaches are such incidents which result in full or partial loss of security which enables the transmitted, stored or processed data to be accidentally or unlawfully destroyed or to get lost, altered, unlawfully published or to be accessible to unauthorized third parties. Data breaches, if not treated in an appropriate manner, may result in physical, material and non-material damage to the natural persons, including loss of control of their personal data, restriction of their rights, discrimination, identity theft and identity abuse. Unlawful processing of personal data shall be reported to the authorities. Data Controller shall report such activities to the 12 supervisory authority without any undue delay – within 72 hours if possible – after becoming aware of the data breach incident, except in the case of the data breach is not likely to pose any risk in relation to the personal rights of the Data Subject.
Transmission of data
In the description of each data processing activity, Data Controller list the addressee of data transmission activities as well as the categories of those activities if applicable. Data Controller shall and obliged to transmit any lawfully processed personal data to the authorities if transmission is required by law or final court decision. Data Controller shall not be held responsible for such personal data transmission or any consequences in relation to that data transmission. Data Controller may not transmit personal data to third-country data processor companies (companies based in non-EEA member countries).
-
Rights related to the processing of personal data as Data Subject
In regard to the processing of their personal data (including the terms of this regulatory document and terms defined by the law), Data Subject may contact the Company at any contact information of the Company detailed in this document.
Rights as Data Subject
Right to access (right to requesting information)
Data Subject may request information regarding their personal data processing, including the confirmation of those activities, as well as what type of personal data are processed on what basis and from which source and for what purpose and for how long. Data Subject may request information regarding who and when got access to that information and regarding the transmission of personal data, including the addressee of that information as well as the time and the legal basis for such access or transmission, in particular including third-country addressees and organizations.
Data Controller shall reply without any delay (but not later than 30 days) to those requests using the channel specified by the Data Subject.Right to rectificationg
Data Subject may request the rectification or modification of any personal data related to them. Data Controller shall process those requests without any delay (but not later than 30 days) and shall notify the Data Subject using the channel specified by the Data Subject.
Right to erasure
Data Subject may request the erasure of their personal data if any of the following conditions apply: a) the processing purpose for which the Data Controller collected or processed the data no longer exists; b) the processing of personal data is based on voluntary consent and Data Subject withdraws that consent, except when Data Controller has other legal basis for processing that information c) Data Subject objects to the processing of personal data and Data Controller has no other legal basis for processing that personal information d) the processing of the personal data is unlawful e) the personal data shall be deleted to fulfill a lawful requirement applicable to the Data Controller f) personal information is collected in relation to any information service advertised to minors.
Data Controller shall process those requests without any delay (but not later than 30 days) and shall notify the Data Subject using the channel specified by the Data Subject.Right to the Restriction of Data Processing
Data Subject may request the restriction of data processing if any of the following conditions apply: a) Data Subject contests the accuracy of the processed information; data restriction applies for a limited time which enables the Data Controller to check the accuracy of the personal information b) the processing of the personal data is unlawful c) Data Controller does not need the personal data for the purpose of processing but Data Subject needs the same information for the submission or assertion or the protection of legal claims d) Data Subject objects to data processing; data restriction apples for a limited time which enables to check if the legitimate interests of the Data Controller or the legitimate interests of the Data Subject should prevail.
The duration of the restriction shall be appropriate according to the reason for the restriction. Data Controller shall process those requests without any delay (but not later than 30 days) and shall notify the Data Subject using the channel specified by the Data Subject.Right to object
Data Subject may object to data processing based on legitimate interests of the Company at any given contact provided by this document. Data Controller may no longer process that personal information unless it is justified by compelling legitimate basis that the interests of the Data Controller should prevail over the interest, the rights and the right to freedom of the Data Subject or that the information may be needed for the submission or assertion or the protection of legal claims by the Data Controller.
Data Controller shall process those requests within the shortest possible time (but not later than 15 days). A decision shall be made in relation to the grounds of the legitimate concern and notification shall be sent to the Data Subject using the channel specified by the Data Subject.Right to data portability
Data Subject may request the personal data provided by them in a structured, commonly used, machine readable format. Data Subject may request the Company to transfer such data to another data controller if the data processing is based on the voluntary consent of them or on contract and the data processing is carried out by automated means. Data Subject may request that the information should be transmitted directly between data processors – if technically possible.
Data Controller shall process those requests not later than 30 days and shall notify the Data Subject using the channel specified by the Data Subject.Regarding the lawfulness of the processing of personal data by the Data Controller
Data Subject may initiate the procedure of the
National Authority for Data Protection and Freedom of Information:
Postacím:Postal address: 1363 Budapest, Pf. 9.
Address: 1055 Budapest, Falk Miksa utca 9-11.
Telephone number: +36-1/391-1400
Fax: +36-1/391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: https://naih.hu
koordináták: É 47°30'56''; K 18°59'57''Data Subject may apply to the competent court with a complaint regarding the processing of personal data by the Data Processor. The court may proceed with the case out of order. Data Subject may bring an action in the competent court of their place of habitation or place of residence at their discretion.
Data Controller shall reply to the Data Subject without any delay (but not later than 30 days from the date of receiving the request) in regard to the legal request. If necessary, based on the complexity of the request, the 30 days deadline may be extended by 60 days. The requirement of providing information may be fulfilled by operating a secure online system, which enables easy and fast access to the necessary information.This document is protected by copyright.
This document is dated May 20, 2020