Data processing information

A. GENERAL PART

I. INTRODUCTION

The Érseki Sámvevőség (registered office: 8200 Veszprém, Vár utca 16.; hereinafter: Érseki Sámvevőség Érseki Pincészet), as data controller, provides information within the framework of this Data Protection Notice regarding the processing of personal data provided in connection with purchases in the webshop. In relation to the processing of personal data and sensitive data provided in the webshop, the Érseki Sámvevőség Érseki Pincészet is the data controller, and Shopify International Limited Ireland (registered office: 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland) is the data processor.
The data controller and the data processor shall adapt their practices during data processing operations to comply with the relevant data processing and other laws in all respects. Thus, the processing of personal data shall comply with, among others, but not exclusively, the following legal provisions:
(i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
(ii) Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.),
(iii) Act V of 2013 on the Civil Code (Civil Code);
(iv) Act C of 2000 on Accounting;
(v) Act CXIX of 1995 on the processing of name and address data for the purpose of research and direct marketing.
When developing the data protection principles, the data controller has taken into particular account the provisions of Act VI of 1998 on the promulgation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed in Strasbourg on 28 January 1981, and the provisions of the Charter of Fundamental Rights of the European Union. The data controller attaches particular importance to the lawful processing of personal data and to respect for the right to informational self-determination. The data controller shall take all necessary measures to ensure that the processing of personal data complies with the relevant legal provisions at all times.
The data controller shall comply with the following basic principles set out in the General Data Protection Regulation when processing data:
(i) lawfulness, fairness and transparency;
(ii) purpose limitation;
(iii) data minimisation;
(iv) accuracy;
(v) storage limitation;
(vi) integrity and confidentiality;
(vii) accountability.

II. RIGHTS OF DATA SUBJECTS

1. RIGHT TO INFORMATION

The data subject must be provided with information about the processing of personal data in writing or by other means, including, where appropriate, electronic means. In data protection, the data subject is the person whose personal data is processed by an organization.

The information must be concise, transparent, understandable, and presented in a clear and intelligible manner, and in an easily accessible form. The scope of the information is defined in Articles 12-14, 15-22 and 34 of the General Data Protection Regulation.

This Data Protection Notice includes the provisions of the articles specified in this paragraph.

2. RIGHT OF WITHDRAWAL

The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.

3. THE DATA SUBJECT'S RIGHT TO ACCESS

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where such processing is taking place, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (iv) the planned period for which the personal data will be stored; (v) the right of the data subject to request from the controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data; (vi) the right to lodge a complaint with a supervisory authority.

4. RIGHT TO CORRECTION

The data subject shall have the right to obtain from the controller, at his or her request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

5. RIGHT TO DELETION (“RIGHT TO BE FORGOTTEN”)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data concerning him or her without undue delay where one of the following grounds applies: (i) the data subject has withdrawn his or her consent; (ii) the data subject has requested the erasure of his or her personal data; (iii) the data subject objects to the processing of the personal data; (iv) the personal data have been processed unlawfully; (v) the personal data must be erased for compliance with a legal obligation. Personal data may not be erased if the processing is necessary: (i) for the exercise of the freedom of expression and the right to information; (ii) for the establishment, exercise or defence of legal claims.

6. RIGHT TO RESTRICTION OF DATA PROCESSING

The data subject has the right to request that the data controller restrict data processing if one of the following applies:

(i) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data;

(ii) the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;

(iii) the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims;

(iv) the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is determined whether the legitimate grounds of the data controller override those of the data subject.

If processing is restricted on the basis of the above, such personal data may be processed, with the exception of storage, only with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or of a Member State. The controller shall inform the data subject at whose request the processing has been restricted on the basis of the above in advance of the lifting of the restriction on processing.

7. RIGHT TO DATA PORTABILITY

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format and shall have the right to transmit such data to another data controller without hindrance from the data controller to which the personal data have been provided. The right to data portability shall not adversely affect the rights and freedoms of others.

8. RIGHT TO OBJECT

The right to object does not apply to data processing for the purposes specified in this Data Protection Notice, as the right to object applies to data processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or where data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

9. AUTOMATED DECISION-MAKING IN INDIVIDUAL CASES, INCLUDING PROFILING

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Automated decision-making in relation to the processing of data specified in this Privacy Policy does not take place in individual cases, nor does profiling take place.

10. RIGHT TO BE NOTIFIED OF A DATA PROTECTION INCIDENT

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. The information provided to the data subject shall describe the nature of the personal data breach in a clear and intelligible manner. The data subject need not be informed if any of the following conditions are met:
(i) the controller has implemented appropriate technical and organisational security measures and these measures have been applied to the data affected by the data breach, in particular measures – such as the use of encryption – which render the data unintelligible to persons not authorised to access the personal data;
(ii) the controller has taken further measures following the data protection incident to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
(iii) the provision of information would involve a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the data subjects are informed in a similarly effective manner.

11. RIGHT TO COMPLAINT

In case of dispute regarding the lawfulness of data processing, the data subject may initiate the following procedures:
(i) You may file a complaint with the Data Protection Officer.
(ii) You may apply to a court and request a determination of unlawful data processing and claim damages and compensation. Only a court is authorized to determine damages and compensation in connection with unlawful data processing.
(iii) You may file a complaint with the National Data Protection and Freedom of Information Authority (seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C., hereinafter referred to as the Authority). The Authority is not entitled to decide on damages or compensation.

12. COMMON PROVISIONS ON THE EXERCISE OF THE RIGHTS SET OUT IN POINTS 3 – 9

The controller shall inform the data subject of the above within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receipt of the request. If the data subject submits the request electronically, the information shall be provided electronically, where possible, unless the data subject requests otherwise. If the controller does not take action on the data subject's request, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for not taking action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his or her right to a judicial remedy. The controller shall provide the information free of charge. If the data subject's request is manifestly unfounded or excessive, in particular due to its repetitive nature, the controller, taking into account the administrative costs involved in providing the requested information or communication or taking the requested action:
(i) may charge a reasonable fee, or
(ii) may refuse to act on the request.
The burden of proving that the request is manifestly unfounded or excessive shall be on the controller. If the controller has reasonable doubts as to the identity of the natural person making the request, it may request that further information be provided to confirm the identity of the data subject.

III. SPECIAL PROVISIONS FOR CHILDREN

The services provided on the website www.ersekipinceszet.hu are not services provided to children. We would like to draw your attention to the fact that we can only fulfill orders containing alcoholic products if the ordering person is over 18 years old and we can only hand them over to a person over 18 who can prove their age. Based on paragraphs (1) and (4) of Section 16/A. of Act CLV of 1997 on

IV. DATA PROTECTION OFFICER

Name: Dr. Balázs Demeter – Archdiocese of Veszprém - titkarsag@veszpremiersekseg.hu

V. SECURITY OF DATA PROCESSING

When selecting and operating the IT tools used to process personal data, the data controller takes into account, among other things, the following:
(i) availability: the data is available to those authorized to access it;
(ii) integrity of data processing: the integrity of the data is ensured;
(iii) data integrity: the integrity of the data can be verified;
(iv) data confidentiality, secrecy: protection against unauthorized access is ensured; only those who are authorized to do so have access to the data.
The data controller applies measures that ensure the protection of data, taking into account the current state of technology, and thus provides a level of protection appropriate to the risks associated with data processing. The data controller protects the data with appropriate measures against, among other things, unauthorized access, disclosure, unauthorized data transfer, unauthorized deletion, destruction, damage and inaccessibility. The IT systems and IT networks of the data controller and the data processor are protected against computer viruses and computer intrusions.

VI. COOKIE MANAGEMENT
Cookies are small data packets that are stored by the user's computer or browser when visiting a website and are read back by the system when the website is visited again. If the browser sends back a previously saved cookie, the cookie manager can link the user's current visit with previous visits, but only with regard to its own content. Cookies are used to make the website work more efficiently. Cookies help the website to recognize returning users, thereby collecting data on the habits of website visitors, such as which pages they view on the website and which functions they use. The data is used for the analysis, optimization, development and advertising strategy of the website in order to provide the service more efficiently. The purpose of data processing is therefore to identify users, distinguish them from each other, identify the user's work session, store the data provided during it, and perform web analytics measurements. The legal basis for data processing is the consent of the data subject. The scope of the data processed includes: identification number, date, time, previously visited page. The user can delete the cookie from his/her own computer and disable the use of cookies in his/her browser. Cookies can usually be managed in the Tools / Settings menu of browsers, under the Privacy / History / Custom settings menu, under the name cookie or tracking. If the user does not allow the use of cookies, the website services can only be used to a limited or incomplete extent, and the analytical measurements may be inaccurate.

VII. MODIFICATION OF DATA PROCESSING NOTICE

The data controller is entitled to modify this Data Protection Notice unilaterally at any time, with effect for the future, without the consent of the data subjects, provided that if the purpose of data processing changes, the personal data provided may be processed for the new, modified purpose only with the separate consent of the data subjects. The Data Protection Notice in force at any given time is available on the website www.ersekipinceszet.hu.

B. SPECIAL PART - CERTAIN DATA PROCESSING

I. PURCHASE IN THE WEBSHOP

1. PURPOSE OF DATA PROCESSING, SCOPE OF PROCESSED DATA

If you want to buy in the webshop, you can make a purchase with or without registration. The advantage of purchasing with registration is that you can log in to your account by entering your username and password, so you do not need to re-enter the data necessary for shipping and your contact information in the event of multiple orders, and you can view your previous orders by logging in to your account. To register for an account, you need to enter your last name, first name and e-mail address. During account registration, you can also enter all the data necessary for the purchase, so you do not need to enter this data repeatedly for each purchase. In the case of online purchases, you must enter your last name, first name, billing name, tax number and seat in the case of a business enterprise, and your home address in the case of purchases as a private individual, as well as your e-mail address and telephone number. An invoice will be issued for the purchased products in all cases. In connection with invoicing and the provision of financial activities related to invoicing, the data necessary for invoicing will be forwarded to Érseki Audit Érseki Pincészet (data processor). The delivery of the purchased products - depending on the selected delivery method - is carried out by Magyar Posta Zrt. (registered office: 1138 Budapest, Dunavirág utca 2-6., Cg. 01-10-042463), and DPD Hungary Kft. (registered office: 1134 Budapest, Váci út 33. 2nd floor) (data processors), therefore the data necessary for the delivery will be forwarded to the delivery company. In the case of home delivery or collection at the Post Office, the delivery will be carried out by Magyar Posta Zrt. or DPD Hungary Kft. In the case of payment by bank card, the buyer will be redirected from the webshop to the website operated by Shopify Payments. Neither the data controller nor the data processors store any data that the buyer provides on the redirected website operated by Shopify Payments. 
If the data provider does not provide his or her own (personal) data, the data provider is obliged to obtain the consent of the data subject. Érseki Sámvevőség Érseki Pincészet (as data controller) and Shopify International Limited Ireland (as data processor) cannot verify the accuracy and truthfulness of the (personal) data provided, and consequently the data subject is responsible for the accuracy and truthfulness of the (personal) data provided. Érseki Sámvevőség Érseki Pincészet (as data controller) and Shopify International Limited Ireland (as data processor) accept the provided (personal) data as correct and true until proven otherwise, and consider that the data subject is entitled to provide the (personal) data.

2. LEGAL BASIS FOR DATA PROCESSING

The legal basis for data processing is the voluntary consent of the data subject. The data subject may withdraw their consent at any time during data processing. If the data subject withdraws their consent, the withdrawal may only apply to the future, so until the withdrawal, the lawfulness of the data processing is not affected, and until the withdrawal, the legal basis for data processing is the data subject's consent.

If the data subject does not provide the requested personal data, he or she will not be able to create an account or place an order in the webshop.

3. DURATION OF DATA PROCESSING

The data controller and the data processor will process the personal data provided until the data subject requests the deletion of their personal data. If the data subject requests the deletion of personal data, the data controller will delete the data subject's personal data from its database. The data subject will receive a separate notification of the deletion. After deletion, the data processor will not have access to the data subject's personal data. The data subject may request the deletion of their personal data in the following ways:
(i) in an electronic message sent to the e-mail address boraszat@ersekipinceszet.hu;
(ii) by letter sent by post to the address of the Archbishop's Auditing Office, Érseki Pincészet, 8200 Veszprém, Vár utca 16.
Since an invoice is issued for the purchase in each case, the personal data will be stored in connection with the invoice for the period specified in the current provisions of the Accounting Act and the relevant tax legislation, even if the data subject requests the deletion of his/her personal data before the expiry of this period. The legal basis for data processing in this case is the fulfillment of an obligation specified in law.
Since the data related to the delivery (name and address) appear on the invoice issued by the delivery company or on the related performance certificate, the personal data will be stored in connection with the invoice for the period specified in the current provisions of the Accounting Act and the relevant tax legislation, even if the data subject requests the deletion of his/her personal data before the expiry of this period. The legal basis for data processing in this case is the fulfillment of an obligation specified in law.

4. DATA CONTROLLER DETAILS AND CONTACT INFORMATION

Company name: Archbishop's Audit Office
Headquarters: 8200 Veszprém, Vár utca 16.
E-mail: boraszat@veszpremiersekseg.hu
Legal representative: Director Imre László Minda
Legal representative contact details: same as above

5. DATA PROCESSORS’ DETAILS AND CONTACT INFORMATION

A) Regarding financial data:
Company name: Archbishop's Accounting Office
Headquarters: 8200 Veszprém, Vár utca 16.
E-mail: boraszat@veszpremiersekseg.hu
Legal representative: Director Imre László Minda
Legal representative contact details: same as above

B) Regarding account registration and online purchases: The data provided in the webshop will be stored by the following hosting provider: Shopify International Limited Ireland, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland

C) Regarding the delivery of products: The delivery of products is currently carried out by Magyar Posta Zrt. (registered office: 1138 Budapest, Dunavirág utca 2-6., Cg. 01-10-042463) and DPD Hungary Kft. (registered office: 1134 Budapest, Váci út 33. 2nd floor), therefore the data necessary for delivery will be forwarded to these companies. The data necessary for delivery are as follows:
(i) surname and first name;
(ii) delivery address – depending on the delivery method, in case of collection by post, the address of the post office provided;
(iii) e-mail address;
(iv) telephone number.

II. NEWSLETTER

1. PURPOSE OF DATA PROCESSING, SCOPE OF PROCESSED DATA

If you would like to receive a newsletter about news and promotions, you must provide your name and e-mail address to receive the newsletter electronically. If the data provider does not provide his or her own personal data, the data provider is obliged to obtain the consent of the data subject. Érseki Sámvevőség Érseki Pincészet (as data controller) cannot verify the correctness and veracity of the data provided, and consequently the data subject is responsible for the correctness and veracity of the data provided. Érseki Sámvevőség Érseki Pincészet (as data controller) accepts the personal data provided as correct and true until the contrary is proven, and considers that the data subject is entitled to provide the personal data.

2. LEGAL BASIS FOR DATA PROCESSING

The legal basis for data processing is the voluntary consent of the data subject. The data subject may withdraw their consent at any time during data processing. If the data subject withdraws their consent, the withdrawal may only apply to the future, so the lawfulness of data processing until withdrawal is not affected, and the legal basis for data processing until withdrawal is the data subject's consent. If the data subject does not provide the requested personal data, they will not receive the newsletter. If the data subject wishes to receive the newsletter, it is necessary to provide their name and e-mail address.

3. DURATION OF DATA PROCESSING

The data controller and the data processor process the personal data provided until the data subject requests the deletion of the personal data provided. If the data subject requests the deletion of the personal data, the data controller will delete the data subject's personal data from its database. The data subject will receive a separate notification of the deletion. After deletion, the data processor will not have access to the data subject's personal data. The data subject may request the deletion of his/her personal data in the following ways:
(i) in an electronic message sent to the e-mail address boraszat@vezpremiersekseg.hu;
(ii) by clicking on the "unsubscribe" link in the newsletter.
The software managing the newsletter database is capable of indicating if the newsletter has not been opened for 6 (six) months, in which case the data subject will be placed in inactive status. A data subject who has been placed in inactive status will receive an e-mail message in which he/she can click to activate his/her status. If you do not activate your status within 30 (thirty) days of the sending of the e-mail message, your personal data, i.e. your name and e-mail address, will be automatically deleted from the newsletter database. This does not prevent you from subscribing to the newsletter again at any time.