Privacy Policy

Privacy Notice

ARIOSO Budapest Kft.

(Last modified on: 24 May 2018)

ARIOSO Budapest Kft. (registered seat: 1075 Budapest Király u. 9; company registration number: 01-09-708823; tax number: 12897032-2-42) as data controller (hereinafter referred to as “Service Provider” or “Data Controller”) hereby notifies all persons visiting, registering on or purchasing through its website, as well as subscribing to its newsletter (hereinafter referred to as “Data Subject”, “User”, “You” or “Visitor”) on the personal data which are being processed by it, its practice followed when processing personal data, furthermore on the means and opportunities through which Data Subjects can exercise their rights.

The ARIOSO web shop (hereinafter referred to as “Web Shop”) forms part of the websites (hereinafter referred to as “Website”) which is available under the domain names of www.arioso.hu, www.budapestiviragkuldes.hu and www.flowerdeliverybudapest.hu which are the Data Controller’s own websites.

The Data Controller acknowledges to be legally bound by the content of the present legal notice relating to the processing of personal data carried out within the framework of its business activities. The Data Controller reserves the right to modify the present Privacy Notice (hereinafter referred to as “Notice”). The Data Controller publishes the Notice in force on its website. The Data Controller shall keep confidential and secure all personal data and shall carry out all the necessary developments and modifications, depending on changes in the legal and technical framework.

By using the Website, the User acknowledges the content of the Notice, therefore we ask you to read the notice carefully before using the Website. The consent to each processing of personal data shall be given by the User, either by using or registering on the Website, or by providing freely the personal data in question.

DEFINITIONS

„Personal data”: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

„Processing’: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure

by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

„Data transfer”: means ensuring access to the data for a third party;

„User”: any visitor of the Website; any person enjoying the status of consumer who registers, places an order and has a user’s account;

“Consent”: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

„Data process”: means performing technical tasks in connection with data processing

operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;

„Processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

„Personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“Profiling”: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability behaviour, location or movements;

„Service”: all the services provided by the Web Shop available on the Website, such as the delivery of flowers, delicacies, soaps, silk flowers, home fragrance diffusers, home decoration articles and other products against purchase order, as well as other services available on the Website, such as the execution of workshops.

“Third party”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

„Website”: www.arioso.hu

DATA CONTROLLER’S MAIN DATA AND CONTACT DATA

Company name: ARIOSO Budapest Kft.

Registered Seat: H-1075 Budapest, Király u. 9.

Company registration number: 01 09 708823

Tax number: 12897032-2-42

E-mail: info@arioso.hu

PRINCIPLES AND SCOPE OF DATA PROCESSING

Data Controller shall record and process personal data lawfully, fairly and in a transparent manner in relation to the User.

The Data Controller shall process personal data only for specified, explicit and legitimate purposes.

Personal data processed by the Data Controller shall be adequate, relevant and limited to what is necessary regarding the extent and duration of the processing.

Only persons of legal capacity aged 18 or more allowed to make record on the Website. The User shall be liable for the compliance of its activities with the present Notice. The Service Provider shall take all necessary steps in order to filter out any processing of personal data of persons below the age of 18 years.

Should the data provider not provide its own personal data, the data provider shall be obliged to obtain the User’s consent.

PERSONAL DATA OF VISITORS OF THE WEBSITE

Scope of processing: ID number, date and time of the visit, IP address of the User’s computer at the time of visit.

Purposes of processing: use of the Website, monitoring of the functioning of services in relation to visits to the Website, customized services, prevention of any misuse.

Legal basis of processing: consent freely given by the User, Art. 6 (1) (a) of GDPR, as well as section 13/A, subsection 3 of the Act on Electronic Commerce.

Users concerned: visitors of the Website.

Period for which personal data are processed, time limit for erasure: within 60 days of viewing the Website.

REGISTRATION

Scope of processing: name, e-mail address (which needs not to include any personal data), password, phone number, date and time of registration, IP address of the User’s computer at the time of registration, last login date.

Purposes of processing: identification of the User, secure account login, communication, carrying out technical operations.

Legal basis of processing: consent freely given by the User, Art. 6 (1) (a), as well as Art. 8 (1) of GDPR.

Users concerned: all Users registered on the Website.

Period for which personal data are processed, time limit for erasure: until the User’s request for erasure. By deleting the registration, all personal data shall be deleted. The Data Controller shall communicate electronically to the User the erasure of any personal data provided by the User, in accordance with Art. 19 of GDPR. If the User’s request for erasure includes his or her e-mail address, the Data Controller shall erase, after sending the communication, the e-mail address as well.

Identity of potential data controllers entitled to access to personal data, recipients of personal data: personal data may be processed by the data controller’s employees authorised thereto, in accordance with the content of the present Privacy Notice.

We hereby inform you that

processing of personal data is based on your freely given consent;

you are obliged to disclose personal data so that we can register you;

in case of failure to disclose such data, we will be unable to create a user’s account.

order to make the purchase process faster and more comfortable, it is possible to buy in the Web Shop even without registration.

PROCESSING OF PERSONAL DATA RELATED TO ONLINE PURCHASES

Scope of processing: name, e-mail address (which needs not to include any personal data), phone number, invoicing data (name, country, ZIP code, city, street, house number), name, address, telephone number and e-mail address of the addressee, bank account number in case of wire transfer, bank card data, purchase date, IP address at the time of purchase.

Purposes of processing: identification of the User, first communication to the data subject, communication with the data subject, performance of purchase, issuing invoices in accordance with the applicable rules, confirmation, more effective consultation on questions relating to purchases and invoicing, enforcement of claims, carrying out technical operations.

Legal basis of processing: the processing of personal data is necessary for the performance of the contract under Art. 6 (1) (b) of GDPR and section 13/A, subsection 3 of the Act on Electronic Commerce.

Users concerned: all Users who purchase.

Period for which personal data are processed, time limit for erasure: we shall use any data related to the performance of the contract concluded by electronic means for purposes related to the contract, and we shall erase and destruct them when the contract is terminated or upon expiration of the time limit set by law. Accounting documents, as well as documents underlying them shall be stored for 8 years pursuant to section 169, subsection 1 of the Act on Accounting.

Identity of potential data controllers entitled to access to personal data, recipients of personal data: personal data may be processed by the data controller’s employees.

We inform you that

in order to conclude a contract by electronic means, it is essential to disclose personal data so that we will be able to perform your orders;

in case of failure to disclose such data, we will be unable to process your orders.

WORKSHOP REGISTRATION AND ORDER

Scope of processing: name, e-mail address (which needs not to include any personal data), phone number, invoicing data (name, country, ZIP code, city, street, house number), bank account number in case of wire transfer, bank card data, date of registration, IP address at the time of registration.

Purposes of processing: identification of the User, first communication to the data subject, communication with the data subject, performance of reservations, issuing invoices in accordance with the applicable rules, confirmation, more effective consultation on questions relating to registration and invoicing, enforcement of claims, carrying out technical operations.

Legal basis of processing: the processing of personal data is necessary for the performance of the contract under Art. 6 (1) (b) of GDPR and section 13/A, subsection 3 of the Act on Electronic Commerce.

Users concerned: all Users who register

Period for which personal data are processed, time limit for erasure: we shall use any data related to the performance of the contract concluded by electronic means for purposes related to the contract and shall erase and destruct them when the contract is terminated or upon expiration of the time limit set by law. Accounting documents, as well as documents underlying them shall be stored for 8 years pursuant to section 169, subsection 1 of the Act on Accounting.

Identity of potential data controllers entitled to access to personal data, recipients of personal data: personal data may be processed by the data controller’s employees.

We inform you that

in order to conclude a contract by electronic means, it is essential to disclose personal data so that we will be able to perform your registration and provide a place for you on the workshop;

in case of failure to disclose such data, we will be unable to provide a place for you on the workshop.

COMMUNICATION WITH CUSTOMERS

Should you have any question when using our services, you can contact the Data Controller by using the contact data indicated in the present Notice and on the Website, by filling the contact us form under the “Contact” menu item.

The Data Controller shall delete all messages received, together with the sender’s name, e-mail address, date and time and other personal data disclosed in the message, at the latest after 2 years counted from the providing of such data.

NEWSLETTER

The Data Controller enables the Users to subscribe to a newsletter on the Website. Observing the provisions of the present Notice, the User can thereby give consent to receive offers, workshop events, promotional material and other messages (newsletter) from the Data Controller at the contact data disclosed when registering, as well as to the processing of his or her personal data necessary for sending advertising materials. The Data Controller shall not send unsolicited advertising messages.

In case of newsletters, the Data Controller shall process the personal data disclosed by the User when subscribing to the newsletter until the User unsubscribes from the newsletter by clicking on the “Unsubscribe” button available at the bottom of the newsletter message, or requests by mail or by e-mail – without any restriction or obligation to give reasons – to be deleted from the subscribers’ list. In case of unsubscribing, the Data Controller shall not send any more newsletter or offer to the User. The User may unsubscribe from the newsletter and withdraw his or her consent for free, at any time.

Scope of processing: name, e-mail address, date and time of subscribing, IP address at the time of subscribing.

Purpose of processing: identification of the User, enabling users to subscribe to the newsletter, sending newsletters, carrying out technical operations.

Users concerned: all users who subscribe to the newsletter.

Purpose of processing: sending messages electronically to the User, including advertisements, offers, communicating current information on products and campaigns.

Period for which personal data are processed, time limit for erasure: the processing of data shall be terminated upon withdrawal of consent, i.e. upon unsubscribing. The Data Controller shall notify the User electronically on the unsubscribing and the user’s deletion from the newsletter mailing list.

Identity of potential data controllers entitled to access to personal data, recipients of personal data: personal data may be processed by employees at the Data Controller’s marketing department.

The User may unsubscribe from the newsletter at any time and for free.

Legal basis of processing: consent freely given by the User, Art. 6 (1) (a) of GDPR, section 13/A of the Act on Electronic Commerce, as well as section 6, subsection 5 of the Advertising Act.

We inform you that

processing of personal data is based on your freely given consent;

if you wish to receive newsletters from us, it is essential to disclose personal data;

in case of failure to provide such data, we will be unable to send you newsletters.

DATA PROCESSORS ASSIGNED

The Data Controller shall be entitled to assign data processors in relation to its activities.

Data Processors shall record and process personal data which are given to them by the Data Controller and are being processed by them in accordance with the provisions of the GDPR, and they shall declare same to the Data Controllers.

When operating IT systems, performing purchases/orders, settling accounts or pursuing marketing activities, the Data Controller shall assign the following Data Processors:

Hosting Service Provider

1. Activity pursued by the Data Processor: hosting services

2. Name and contact data of the Data Processor:

Name: Rackforest Kft.

Seat: H-1116 Budapest, Sáfrány u. 6.

Website: www.rackforest.com

3. Scope of processing: all personal data disclosed by the User.

4. Users concerned: all Users using the services of the Website or registering / placing orders on the Website.

5. Purpose of processing: providing availability and appropriate performance of the Website. /Hosting services/

6. Period for which personal data are processed, time limit for erasure: until the agreement concluded by and between the Data Controller and the Hosting Service Provider terminates, or until the User sends a request for erasure to the Hosting Service Provider.

7. Legal basis of data processing: consent freely given by the User, Art. 6 (1) (a) of GDPR, as well as section 13/A, subsection 3 of the Act on Electronic Commerce.

Delivery

1. Name and contact data of the Data Processor:

Name: City Taxi Fuvarszervező Szövetkezet

Seat: H-1119 Budapest, Vahot u. 6.

Website: www.citytaxi.hu

Name: Magyar Posta Zrt.

Seat: H-1138 Budapest, Dunavirág u. 2-6.

Website: www.posta.hu

2. Activity pursued by the Data Processor: delivery of the products.

3. Scope of processing: name, address, telephone number, e-mail address of delivery.

4. Users concerned: all Users requesting door-to-door delivery and addressees.

Purpose of processing: delivery of the ordered products.

6. Period for which personal data are processed, time limit for erasure: until the delivery is completed.

7. Legal basis of data processing: performance of the contract, Art. 6 (1) (b) of GDPR.

Online payment

1. Name and contact data of the Data Processor:

Wirecard CEE

Web: www.wirecard.hu

PayPal

Web: www.paypal.com

2. Activity pursued by the Data Processor: online payment

3. Scope of processing: name and address indicated on the invoice, e-mail address.

4. Users concerned: all Users requesting online payment.

5. Purpose of processing: carrying out online payments, confirmation of transactions, monitoring misuses in order to protect Users.

6. Period for which personal data are processed, time limit for erasure: until the online payment is completed.

7. Legal basis of data processing: performance of the contract, Art. 6 (1) (b) of GDPR.

System administration services

1. Name and contact data of the Data Processor:

Name: Rackforest Kft.

Seat: H-1116 Budapest, Sáfrány u. 6.

Website: www.rackforest.com

2. Activity pursued by the Data Processor: system administration services (monitoring, technical updating, security system development, other developments, repair services).

3. Scope of processing: all personal data disclosed by the User.

4. Users concerned: all Users using the services of the Website or registering / placing orders on the Website.

5. Purpose of processing: system administration services (developments, monitoring and repairs).

6. Period for which personal data are processed, time limit for erasure: until the agreement concluded by and between the Data Controller and the Data Processor mentioned under this point terminates, or until the Service Provider sends a request for erasure to the Data Processor mentioned hereunder.

7. Legal basis of data processing: consent freely given by the User, Art. 6 (1) (a) of GDPR, as well as section 13/A, subsection 3 of the Act on Electronic Commerce.

Online marketing services

1. Name and contact data of the Data Processor:

Név: MailChimp

Web: https://mailchimp.com

2. Activity pursued by the Data Processor: online marketing services.

3. Scope of processing: name, e-mail address.

4. Users concerned: all Users using the Website and subscribing to the newsletter.

Purpose of processing: promotion and advertising of products available on the Website, increasing the frequency of visits to the Website.

Period for which personal data are processed, time limit for erasure: until the agreement concluded by and between the Data Controller and the Data Processor mentioned under this point terminates, or until the User sends a request for erasure to the Data Processor mentioned hereunder.

7. Legal basis of data processing: consent freely given by the User, Art. 6 (1) (a) of GDPR, as well as section 13/A, subsection 3 of the Act on Electronic Commerce.

Invoicing

1. Name and contact data of the Data Processor:

Name: KBOSS.hu Kft.

Seat: H-1031 Budapest, Záhony u. 7.

Website: www.szamlazz.hu

2. Activity pursued by the Data Processor: invoicing.

3. Scope of processing: name, name and address indicated on the invoice.

4. Users concerned: all Users placing any order on the Website.

5. Purpose of processing: issuing invoices.

6. Period for which personal data are processed, time limit for erasure: 8 years, in accordance with section 169, subsection 2 of Act C of 2000 on Accounting.

7. Legal basis of data processing: consent freely given by the User, Art. 6 (1) (a) of GDPR, as well as section 13/A, subsection 3 of the Act on Electronic Commerce.

PROCESSING OF TECHNICAL DATA AND COOKIES

Technical data are data related to the computer used by the User when logging in which are generated in the course of using the services and are recorded by the Service Provider’s system as an automatic result of technical processes, including but not limited to the date and time of visits, the IP address of the User’s computer and the type of its web browser.

Automatically recorded data are automatically logged at the time of signing in and signing out, without the User’s specific declaration or act. Unless otherwise provided by law, these data shall not be combined with other personal data of the Users. The Data Controller shall have exclusive access to such data.

In order to provide customized services, the Data Controller and the abovementioned third service providers place small files, each consisting of a sequence of characters, so-called cookies on the User’s computer and read them back. If the web browser sends back a cookie that has been saved earlier, the service provider handling the cookie will be able to combine data relating to the User’s current visit with earlier data, however, only in relation to its own content. The following cookies are in use:

Secure cookies;

Temporary (session) cookies: these files are deleted automatically after the User’s visit. These cookies serve the secure and effective operation of the Service Provider’s Website, i.e. they are essential for the proper operation of certain applications, as well as certain functions of the Website;

Persistent cookies: these files are stored for a longer period by the web browser. The exact period depends on the settings applied by the User in his or her web browser.

A part of these cookies serve the secure and effective operation of the Service Provider’s Website, thus they are essential for the proper operation of certain functions of the Website and certain applications, while other cookies are placed in order to provide better customer experience (e. g. optimized web navigation).

The functions “Help” or “Settings”, which can be found on the menu bar of most web browsers, provide information to the User, in respect of his or her own web browser, on

how to ban cookies,

how to accept new cookies,

how to send a command to the web browser to set a new cookie, or

how to disable other cookies.

Remote servers may help the independent measurement and auditing of data relating to the frequency of visits to the Website and of web analytics data (Google Analytics, Facebook Analytics). Information on the processing of measurement data is provided by the policies applying to such services. They are available at: www.google.com/analytics/; https://analytics.facebook.com/.

If the User does not want the above data to be measured by the external service providers for the purposes and by the means detailed above, he or she shall install a browser extension blocking such measurements.

MEANS OF DATA PROCESSING

The Data Controller shall store the personal data provided by the User for specified purposes.

Processing of automatically recorded data serve the following purposes: compilation of statistics, technical development of the Website, protection of the User’s rights. Statistical accounts shall not include, in any form, other data which can be used to identify the User, thus it shall be considered neither as processing nor as transmission of data.

The Service Provider does not verify personal data disclosed to it. Any person disclosing such data shall exclusively be liable for the correctness of the data disclosed. The User, when disclosing his or her e-mail addresses, shall assume liability at the same time that he or she is the only person using services from that e-mail address. Accordingly, the person who has registered the e-mail address shall exclusively be liable for all logins carried out by using that e-mail address.

The Data Controller shall not use the personal data disclosed for purposes other than specified in the present Notice, and neither shall it be entitled to do so. The Data Controller shall not disclose personal data, which are being processed by it, to third persons other than the Data Processors specified in the present Notice.

Unless provided otherwise mandatorily by an Act, personal data may be disclosed to third persons or authorities with the User’s previous and express consent. In cases where the Data Controller intends to use any personal data for purposes other than that of the original recording of data, it shall inform the User about that intent and obtain his or her previous and express consent, as well as it shall provide opportunity for the User to prohibit the use.

Should the User have any questions or problems when using the Data Controller’s services, he or she may contact the Data Controller by using the contact data available on the Website.

The User may send any question or observation to the Service Provider’s employee by using the available contact data. The Data Controller shall delete the received e-mails, together with the senders’ name, e-mail address and other personal data disclosed in the message, within 2 years counted from the disclosure of such data.

Information relating to any data processing which has not been mentioned in the present Notice shall be provided by the Data Controller when recording the respective data.

The Data Controller shall be obliged, upon any authority’s exceptional request or the request of other entities authorised by law, to provide information, to disclose or transmit data, as well as to hand over documents. In such cases – if the requesting authority or entity has indicated the specific purpose and the scope of data – the Data Controller shall disclose personal data only if and to the extent that it is necessary to fulfil the purpose of the request.

USER’S RIGHTS

1. Right to access

User shall be entitled to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information set out in the Regulation.

2. Right to rectification

User shall be entitled to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the User shall have the right to have incomplete personal data completed.

3. Right to erasure

User shall be entitled to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the rounds applies set out in the Regulation.

4. Right to be forgotten

In the case that the Data Controller has made the personal data public and is obliged to erase the personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the User has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

5. Right to restrict the processing

User shall be entitled to obtain from the Data Controller restriction of processing where one of the conditions applies of Art. 18 (1) of GDPR.

6. Right to data portability

User shall be entitled to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

7. Right to object

User shall be entitled to object at any time to the processing of personal data concerning him or her, including profiling as well.

Information request

User shall be entitled to request information at any time from the Data Controller relating to the processing of his or her personal data. The User may request access to, erasure or alteration of personal data, as well as restriction of the processing of personal data, portability of data, further he or she may object to any processing of data by the following means:

– by mail, under the address: 1075 Budapest, Király u. 9.,

– by e-mail, to be sent to the e-mail address: info@arioso.hu

Time limit for measures

The Data Controller shall inform the User in writing about the measures taken upon the above requests, without undue delay but at the latest within 30 days counted from the receipt of the request.

This time limit, where appropriate, may be extended by 30 days. The Data Controller shall inform the User on the extension of the time limit within 30 days counted from the receipt of the request, together with the reasons for the delay.

If the Data Controller does not take measures upon the User’s request, it shall inform the User in writing, without delay but at the latest within one month counted from the receipt of the request, on the legal and factual grounds for rejecting the request, as well as on the possibility that the User may lodge a complaint with the supervisory authority mentioned under point X or may seek judicial remedy.

COMMUNICATION OF A PERSONAL DATA BREACH TO THE USER

The Data Controller shall communicate, in clear and plain language, the personal data breach to the User without undue delay, if the personal data breach is likely to result in high risk to the rights and freedoms of the User(s).

In the communication addressed to the User, the Data Controller shall describe the nature of the personal data breach, the contact point where more information can be obtained, the likely consequences of the personal data breach, as well as the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the User shall not be required if any conditions of Art 34 (3) GDPR are met.

POSSIBILITIES OF ENFORCING RIGHTS

1. The User may send any observation relating to the processing of personal data concerning him or her to the Data Controller on the following addresses:

– by mail: 1075 Budapest, Király u. 9.,

– by e-mail: info@arioso.hu

2. In case of the Data Controller’s infringement, a complaint may be lodged with the National Authority for Data Protection and Freedom of Information.

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, Post office box: 5.

Telephone number: +36 -1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Website: www.naih.hu

3. If the User’s rights have been infringed, the User may file a lawsuit against the Data Controller. The court shall hear the case as a matter of urgency.

4. If the User has disclosed the personal data of a third person when registering in order to use the services, or has caused damage in any way when using the Website, the Data Controller shall be entitled to claim for damages against the User. In such cases, the Data controller shall take all necessary measures to provide assistance to the proceeding authorities in order to identify the infringer.

MISCELLANEOUS PROVISIONS

1. The Data Controller’s system may collect information relating to the activity of the Users which shall be combined neither with any other data provided by the User at the registration, nor with any data generated in the course of visiting other websites or using other services.

2. The Data Controllers commits to secure personal data, to take all technical measures ensuring the protection of any personal data recorded, stored or processed, as well as to take all necessary steps to prevent the destruction, unlawful use or unlawful alteration of such data. It commits further to call on any third person, to whom it potentially discloses or transmits the data, to fulfil their obligations hereunder.

3. The Data Controller declares that circumstances set out in Art. 37 (1) of GDPR do not exist; therefore no data protection officer has been designated.

When processing personal data, the Data Controller shall pay attention to proceeding in accordance with legal provisions in force relating to data protection, as well as in line with the well-established practice of the data protection authority. The Data Controller’s principles of data processing are in accordance with legal provisions in force relating to data protection, including but not limited to:

Regulation (EU) 2016/679 of the European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

Act CVIII of 2001 on certain issues of electronic commerce activities and information society services;

Act V of 2013 on the Civil Code;

Act C of 2003 on electronic communications;

Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity.

The present Privacy Notice shall enter into force on 24 May 2018.