Data protection, data transfer and data management information
Introduction
The GALLMED Ltd. (hereinafter referred to as: Service Provider, Data Controller) publishes a privacy and data management notice for its website available under the domain name www.gallmet.hu. The privacy policy of the Service Provider's website is continuously available at www.gallmet.hu.
In connection with the processing of data, the Service Provider, as the data controller, hereby informs the users of the website about the personal data processed on the website, the principles and practices followed in the processing of personal data, the organizational and technical measures taken to protect personal data, as well as the ways and means of exercising the rights of the user concerned.
The Service Provider does not verify the authenticity of the personal data provided to it. The person, user or contractor providing the data is solely responsible for the correctness of the data provided. By providing an e-mail address, any user also assumes responsibility for the fact that he/she is the only one to use the service from the e-mail address provided. With regard to this assumption of responsibility, any liability in connection with access from an e-mail address provided shall be borne solely by the user who provided the e-mail address.
As the data controller, the Service Provider will treat the personal data collected confidentially and in accordance with data protection legislation and the provisions of this notice. The Service Provider is committed to protecting the personal data of its users and attaches great importance to respecting the right of information self-determination of the users of the Website. The Service Provider treats personal data confidentially and takes all security, technical and organisational measures to guarantee the security of the data.
In the development and application of this information, the Service Provider shall act in the spirit and application of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, Act CVIII of 2001 on certain issues of electronic commerce services and information society services, and Regulation (EU) 2016/679 of the European Parliament and of the Council.
Personal data processed on the Website may be accessed primarily by the Service Provider's employees.
The Service Provider may unilaterally amend this Privacy Policy at any time.
By using the Website, the User accepts this "Data Protection, Data Transfer and Data Management Information".
2. Information about the Data Controller
Name: GALLMED Kft.
Head office: Hungary 6500 Baja, Szarvas G. u. 3.
Company registration number: 03-09-121132
Tax number: 22999489-2-03
EU VAT number: HU2299948
3. Contact details of the Data Controller
Name: GALLMED Kft.
Head office: Hungary 6500 Baja, Szarvas G. u. 3.
E-mail address: gallmed@gallmed.hu
Phone number: +36-79-326581
4. Data processing activities of the Data Controller on its Websites
Please note that you have the right to withdraw your consent at any time in the case of processing based on consent. Such withdrawal does not affect the lawfulness of processing based on consent prior to the withdrawal.
5. Webshop registration
Addressees: the relevant staff of the Service Provider.
- Personal data processed: name, e-mail address, postal and billing address, telephone number.
- The purpose of the data processing: to register the persons registered for the webshop, to distinguish them from each other, to provide the functions associated with the webshop registration: to shorten the ordering process, to re-order previously ordered goods, to view previous orders.
- Legal basis for data processing: condition of using the functions of the webshop registration.
- Duration of processing: after 1 year of inactivity, the Data Controller deletes the personal data from its database.
6. Conclusion of contract (placing and processing of order)
Addressees: the relevant staff of the Service Provider.
- The personal data processed are: name, e-mail address, country, postal code, city, street name, house number, telephone number.
- Purpose of the processing: to know the terms of the offer (order) for the conclusion of the contract.
- Legal basis for processing: the provision of personal data is a precondition for the conclusion of a contract. Without the provision of personal data, no purchase can be initiated in the online shop.
- Duration of data processing: deletion will take place after the general limitation period under the Civil Code has expired.
7. Performance of the contract
7.1. Transport
The personal data processed are: name, e-mail address, country, postal code, city, street name, house number, telephone number.
Purpose of data processing: delivery of the products ordered.
Legal basis for processing: performance of a contract.
Duration of data processing: deletion will take place after the general limitation period under the Civil Code has expired.
Recipients: the relevant employees of the Service Provider, as data processors
- Magyar Posta Zrt (1138 Budapest, Dunavirág u. 2-6.) data management information: https://www.posta.hu/static/internet/download/PRIVACY_NOTICE_MAGYAR_POSTA_ZRT.pdf
- Packeta Hungary Kft (1044 Budapest, Ezred u. 1-3 B2/11) Privacy Policy: https://files.packeta.com/web/files/Zasilkovna_Privacy-Policy.pdf
- WEBSHIPPY Magyarország Kft. (1044 Budapest, Ezred utca 2. B2. ép. 13.) privacy policy: https://webshippy.com/privacy-policy/?lang=en
7.2. Payment
Personal data processed: name, billing address, telephone number, e-mail address.
The purpose of the processing: payment of the value of the products ordered.
Legal basis for processing: performance of a contract.
Duration of data processing: deletion will take place after the general limitation period under the Civil Code has expired.
Recipients: the relevant employees of the Service Provider, as well as data processors:
- OTP Mobil Kft. (1143 Budapest, Hungária körút 17.), data management information: https://simplepay.hu/vasarlo-aff/
Magyar Posta Zrt (1138 Budapest, Dunavirág u. 2-6.), data management information: https://www.posta.hu/static/internet/download/PRIVACY_NOTICE_MAGYAR_POSTA_ZRT.pdf - PayPal (12312 Port Grace Blvd, La Vista, NE 68128, USA), Privacy Policy: https://www.paypal.com/cz/webapps/mpp/ua/legalhub-full?locale.x=en_CZ
- WEBSHIPPY Magyarország Kft. (1044 Budapest, Ezred utca 2. B2. ép. 13.) privacy policy: https://webshippy.com/privacy-policy/?lang=en
7.3. Billing
Personal data processed: name, billing address, e-mail address.
Purpose of data processing: supporting documents (invoicing), storage of invoices.
Legal basis for data processing: the Service Provider's legal obligation in Hungary [§ 166 (3) and § 169 (2) of Act C of 2000 on Accounting]
Duration of data processing: 8 years.
Recipients: the relevant employees of the Service Provider, as well as data processors:
- KBOSS.hu Kft. (1031 Budapest, Záhony utca 7.), data management information: https://www.szamlazz.hu/adatvedelem/
7.4. Use of the Utánvét Ellenőr (Cash On Delivery verifier) service by Data Controllers
Explanation of Data Processing: the Webshop sends the success of the delivery of the product purchased by the Concerned Party (order collected/not collected) and the pseudonymised e-mail address of the Concerned Party (using the SHA256 algorithm) to the Utánvét Ellenőr (Cash On Delivery verifier) service, where the Service Provider stores this data and sends it to other webshops using the service for manual or automated retrieval.
The personal data processed: the email address of the Concerned Party, the number of purchases made by the Concerned Party on the Webshop and the number of successfully delivered packages and unsuccessful attempts to deliver packages related to those purchases.
Purpose of data processing: to avoid or minimise potential damages caused by the Concerned Party in case of breach of contract by using the coded data available in the Utánvét Ellenőr (Cash On Delivery verifier), the Website system automatically offers the Concerned Party payment options that depend on the collection of his previous orders (not collected, refused collection, not ordered by the Concerned Party, etc.).
Legal basis for data processing: Pursuant to Article 6(1)(f) of the GDPR, the Data Controller's legitimate interest in mitigating the damage caused by the customer's breach of contract is considered a legitimate interest.
You can download an extract of the interest test here: PDF
Data Processing Duration: Data Controllers will process this data for 8 years from the date of collection.
Recipients: Recipients: the relevant employees of the Service Provider and as data processors:
- Utánvét Ellenőr Kft. (8640 Fonyód, Szigligeti utca 10.), data management information: https://utanvet-ellenor.hu/adatkezelesi-tajekoztato
Storage of the Concerned Party's data, data security measures
Data controllers shall implement appropriate technical and organisational measures to ensure and demonstrate that personal data are processed in accordance with the GDPR, taking into account the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, in accordance with Article 24 of the GDPR. The data security measures of the Webshop as Data Controller are described in point 21 of this notice. The data security measures of the Utánvét Ellenőr (Cash On Delivery verifier) are described in the Data Security section of the Utánvét Ellenőr's (Cash On Delivery verifier) Data Security Notice.
8. Return of the product in case of exercise of the right of withdrawal
The personal data processed are: name, country, postcode, city, street name, house number, order number.
The purpose of the processing: to satisfy the customer's request (refund).
Legal basis for data processing: legal obligation of the Service Provider [Article 23 (1) of Government Decree 45/2014 (26.II.) on the detailed rules of contracts between consumers and businesses (Article 23 (1)).
Duration of data processing: deletion will take place after the general limitation period under the Civil Code has expired.
Recipients: the relevant employees of the Service Provider, as well as data processors:
- Magyar Posta Zrt (1138 Budapest, Dunavirág u. 2-6.), data management information: https://www.posta.hu/static/internet/download/PRIVACY_NOTICE_MAGYAR_POSTA_ZRT.pdf
9. Contact us
Personal data processed: name, e-mail address, other personal data provided in the text of the letter.
Purpose of processing: to reply to messages and questions received.
Legal basis for processing: the data subject's voluntary consent.
Duration of processing: until consent is withdrawn. In order to ensure that the storage of personal data is limited to the necessary period, the Data Controller will delete personal data without withdrawal of consent after 1 year from the date of their provision.
Addressees: the relevant staff of the Service Provider.
10. Data processing activities of the Data Controller on its Websites
Cookie
Anonymous visitor identifiers (cookies) are files or pieces of information that are stored on your computer (or other internet-enabled devices such as a smartphone or tablet) when you visit one of our websites. A cookie usually contains the name of the website it came from, its 'lifetime' (how long it stays on your device) and its value, which is usually a randomly generated unique number.
We use cookies to help us better tailor our websites to your interests and needs, and to offer you products that are more relevant to your interests and needs, making it easier for you to use our sites. Cookies help speed up your future activities and improve your experience when using our sites. Cookies can also be used to provide anonymous, aggregated statistics so we can better understand how people use our sites and improve their structure and content.
In terms of their duration, we distinguish between so-called session cookies and persistent cookies. Session cookies are temporary, i.e. they remain on your device until you leave our website. Permanent cookies stay on your device for much longer, sometimes until you manually delete them.
Other sites also collect information using pixel tags that can be shared with third parties. This directly supports our promotional activities and website development. For example, our visitors' website usage information may be shared with advertising agencies to enable us to more effectively use online advertising on our websites.
Most internet browsers are initially set to accept cookies. You can change the settings to block cookies or request a warning when cookies are set on your device. There are several ways to manage cookies. Please see the browser information or browser help page for more information about browser settings and how to change them!
If you turn off the cookies we use, it may affect your experience while you are on our website. For example, you may not be able to use the Web Store.
The cookies used on our website fall into the following categories:
Session cookies
"Session cookies" are necessary for browsing the website and using its features, including allowing you to note the actions taken by a visitor on a particular page, feature or service. Without the use of "session cookies", a smooth use of the website cannot be guaranteed. They are valid for the duration of the visit and are automatically deleted at the end of the session or when the browser is closed.
The proper functioning of the website is ensured in accordance with the provisions of Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
Cookies that support usage
These "cookies" enable our website to remember which mode of operation you have chosen (e.g. whether you use the English or the Hungarian version of the website, whether you choose the accessible version, how many results you see at once in the search results list, etc.). This is done so that you do not have to re-enter them on your next visit. Without the information contained in the "cookies" that store your preferences, our website may not function as smoothly as it should.
Cookies related to advertising
The purpose of using "advertising cookies" is to select the advertisements that are of most interest or interest to our visitors and display them on our website. They also allow us to measure the performance of our campaigns.
Performance cookies
We use "performance cookies" to collect information about how our visitors use our website (e.g. which pages they viewed, how many pages they visited, which part of the page they clicked on, how long each session took, what error messages they received, etc.) in order to improve our website (services, features, etc.) according to our visitors' needs and to provide them with a high quality, user-friendly experience.
For performance measurement purposes, our website uses third-party "cookies" on each visit. We use "cookies" to track how many people visit the website and what content they are interested in. All information is stored anonymously and used to anonymously analyse visitor behaviour in order to provide a high quality experience for users.
Cookies can be enabled by clicking the Accept button. Click on the "Cookie settings" button to enable or disable the cookies stored by each group (category).
Cookies can be turned on or off in groups (by category), and you can confirm the appropriate cookies by setting "Allow".
Of course, you can always view and change previously accepted cookies by clicking on the gear symbol at the bottom of the page.
11. Profiling
Profiling refers to the evaluation of personal characteristics relating to natural persons in the context of any automated processing of personal data, in particular to analyse and predict the personal preferences or interests, location or movements of the data subject.
Profiling allows the Service Provider to send you targeted, personalised offers and messages based on your previous orders and online behaviour.
The data necessary for profiling may be obtained by the Service Provider through the following activities:
- online shopping: purchase details (what, when, how much, where from, payment method).
- website browsing, behaviour: site usage (product page, category page, shopping cart, search).
The personal data processed: a) collected from the data subject: name, e-mail address, city, postal code, date of birth, telephone number, gender, purchase data, IP address (from which the registration was received); b) derived data not collected from the data subject (based on prediction, machine learning algorithm): favourite products, favourite categories, time of last web visit, duration; c) in addition, there are other data that the Service Provider can filter and create segments based on: email interaction (open/click/affinity to email categories, from which device, from which city clicked/opened), user's purchase lifecycle, purchase status (based on spending), average spending.
Purpose of data processing: sending targeted, personalised offers and messages.
Legal basis for processing: the data subject's voluntary consent. The data processor uses marketing cookies for profiling; thus, consent or non-consent to profiling can be expressed by giving or not giving consent to the use of marketing cookies when accepting the Cookie Policy.
Duration of processing: until the withdrawal of the data subject's consent. In order to ensure that the storage of personal data is limited to the necessary period, the controller will delete personal data without withdrawal of consent after 1 year from the date of their provision.
Recipients: the relevant employees of the Service Provider, as data processors:
- Facebook Ireland Ltd. (Address: 4 Grand Canal square, Grand Canal Harbour, D2 Dublin, Ireland; Facebook Ads),
- Google Inc. (Address: 1600 Amphitheatre Pkwy, Mountain View, California 94043, USA) (Google AdWords),
- InnoCraft Ltd. (Address: New Zealand, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand)
who, as data processors, display the ad to visitors who have visited the site and have opted-in to personalised ads on Facebook or Google. The European Union has a compliance decision with the US.
12. Remarketing
Remarketing allows the Server to display advertisements to people who have previously visited its website or provided their email address.
Personal data processed: e-mail address, purchase data.
The purpose of the processing: to show ads to previous users on Facebook and Google.
Legal basis for processing: the legitimate interest of the Service Provider (direct marketing). The user's e-mail address is transferred to the Service Provider when subscribing to the newsletter, based on the subscriber's consent. This means that the Data Controller also processes the e-mail address provided for purposes other than the purpose of data collection (sending the newsletter) (remarketing).
Duration of processing: the data subject has the right to object at any time to the processing of personal data concerning him or her for remarketing purposes. If the user withdraws his/her consent to receive the newsletter (which he/she is entitled to do at any time), the processing of his/her data for remarketing purposes will also cease. In order to ensure that the storage of personal data is limited to the necessary period, the controller will delete personal data without the need to object or withdraw consent after 1 year from the date of the last newsletter.
Recipients: the relevant employees of the Service Provider, as data processors:
- Facebook Ireland Ltd. (Address: 4 Grand Canal square, Grand Canal Harbour, D2 Dublin, Ireland; Facebook Ads),
- Google Inc. (Address: 1600 Amphitheatre Pkwy, Mountain View, California 94043, USA) (Google AdWords),
who, as data processors, display the advertisement to their registered users who have opted in to receive personalised ads on Facebook or Google. The European Union has a compliance decision with the US.
13. Direct marketing
13. Newsletter subscription
Personal data processed: name, email address.
The purpose of the data processing: to provide the subscriber with information about products and promotions on the www.gallmet.hu website.
Legal basis for processing: the data subject's voluntary consent.
Duration of processing: until consent is withdrawn.
Recipients: the relevant employees of the Service Provider, as well as data processors:
The Rocket Science Group, LLC (675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA), Privacy Policy: https://mailchimp.com/legal/privacy/
MailerLite Limited (Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland), Privacy Policy: https://www.mailerlite.com/legal/privacy-policy
13.2. Telemarketing subscription
The personal data processed: name, telephone number.
The purpose of the data processing: to provide the subscriber with information about products and promotions on the www.gallmet.hu website.
Legal basis for processing: the data subject's voluntary consent.
Duration of processing: until consent is withdrawn.
Recipients: the relevant employees of the Service Provider, as well as data processors:
MailerLite Limited (Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland), Privacy Policy: https://www.mailerlite.com/legal/privacy-policy
14. Other
We inform the visitors of the Website that the court, the prosecutor's office, the investigating authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies may request the Data Controller to provide information, to disclose or transfer data, or to provide documents.
The Data Controller shall disclose to public authorities, where the public authority has indicated the precise purpose and scope of the data, only such personal data as are strictly necessary for the purpose of the request and to the extent strictly necessary for the purpose of the request.
15. Rights of visitors and users of the Website in relation to data management
You may request free of charge information on the details of the processing of your personal data, as well as request the rectification, erasure, restriction of processing and object to the processing of such personal data. The Data Controller shall inform any recipient (data processor) to whom or with whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. We will inform you of these recipients upon request.
The Data Controller shall inform you of the action taken on the request under points (a) to (f) below without undue delay and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform you of the extension, stating the reasons for the delay, within one month of receipt of the request.
If you have submitted the request electronically, the Controller will provide the information electronically, unless you request otherwise.
If the Data Controller does not take action on your request, it will inform you without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.
16. Right of access: you have the right to obtain feedback from the Data Controller on whether your personal data are being processed and, if such processing is ongoing, you have the right to access your personal data and the following information: the purposes of the processing, the categories of personal data concerned, the data processors, the duration of the processing, if the data have not been collected by the Data Controller from you, any available information on their source.
17. Right to rectification: you have the right to have inaccurate personal data relating to you corrected by the Data Controller without undue delay at your request. Taking into account the purpose of the processing, you have the right to request the completion of incomplete personal data.
18. Right to erasure: you have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay, and the Data Controller is obliged to erase personal data concerning you without undue delay when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; withdraw your consent if there is no other legal basis for the processing; object to the processing if the personal data have been unlawfully processed; erase the personal data in order to comply with a legal obligation under Union or Member State law to which the Controller is subject.
19. Right to object: you have the right to object at any time to the processing of your personal data based on the legitimate interests of the Controller. In such a case, the Controller may no longer process the personal data unless you can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, where it is related to direct marketing.
20. Right to restriction of processing: you have the right to have the Controller restrict processing at your request if:
- you contest the accuracy of the personal data
- the processing is unlawful
- the Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims
- you have objected to the processing.
If the processing is restricted, such personal data, except for storage, may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
21. Method of storage of personal data, security of processing
The Data Controller's servers are operated and maintained by a contracted company in case of problems:
- Center Webhost Kft. (1173 Budapest, Borsó utca 12-32. C. lház. 1. floor 2.), data management information: https://cweb.hu/adatkezelesi-tajekoztato/
- QUIC Cloud Inc., 150 Allen Rd. Suite 204, Basking Ridge, NJ 07920, USA (hereinafter "QUIC Cloud"):
QUIC Cloud provides an extensive worldwide Content Delivery Network (CDN) with DNS service. This technically involves the transmission of information (data) between your browser and our website via the QUIC Cloud network. This allows QUIC Cloud to transfer information between your browser and our website.
to analyse traffic between our servers and potentially malicious traffic on the internet. In doing so, we may use cookies or other technological means to repeatedly recognise Internet users, but only for the purposes described here.
The use of the QUIC Cloud service is based on the fault-free and secure availability of our website.
For more information about security and privacy at QUIC Cloud, please click here: https://quic.cloud/privacy-policy/.
The Data Controller shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the level of risk, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
The Data Controller shall take appropriate measures to protect the data against, in particular, unauthorised access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction, damage or loss, and inaccessibility resulting from changes in the technology used.
The Data Controller's IT systems and network are protected against computer fraud, espionage, sabotage, vandalism, fire and flood, computer viruses, computer intrusions and attacks that could lead to denial of service. The Data Controller ensures security through server-level and application-level protection procedures.
Electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.) are vulnerable to network threats that could lead to fraudulent activity, contract disputes or the disclosure or modification of information. The Data Controller will take all reasonable precautions to protect against such threats. It monitors systems in order to record and provide evidence of any security incidents. System monitoring also allows the effectiveness of the precautions taken to be checked.
The Data Controller shall keep a record of any data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it.
22. Complaints
If you believe that the processing of personal data concerning you infringes the legal provisions on data protection, you have the right to take the Controller to court and to lodge a complaint with the supervisory authority.
Supervisory authority: the National Authority for Data Protection and Freedom of Information
head office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
postal address: 1530 Budapest, P.O. Box: 5.
phone: +36 1 391-1400
fax: +36 1 391-1410
E-mail address: ugyfelszolgalat@naih.hu
Website: https://naih.hu/about-the-authority