Privacy Policy
Data processing information of Green Mentha Limited Liability Company.
Data processing related to services provided through the online store and contract management.
1. Data Controller and its contact details.
Name of the Data Controller company: Green Mentha Limited Liability Company (hereinafter: "Data Controller”)
Registered office: 2011 Budakalász, Szent László Street 57.
Email address: hello@kbeautyforyou.com
Phone number:
Website: kbeautyforyou.com
2. Scope of processed data, purpose and legal basis of data processing, and retention period of data.
|
Scope of processed data. |
Purpose of data processing. |
Legal basis for data processing. |
Retention period. |
|
Data related to contract preparation. (Data of private individual contractual partners, or in the case of non-private individual contractual partners, the names, positions, contact details of contacts, representatives, and other private individuals relevant to contract conclusion, possibly reference data). |
Contract preparation, contract management. |
In the case of a private individual contractual partner, the preparation and fulfillment of the contract to be concluded with them. In the case of a non-private individual contractual partner, the Data Controller's legitimate interest in preparing and fulfilling the contract. The Data Controller's legitimate interest in enforcing claims following the failure or termination of the contract. |
The Data Controller processes the data until the failure to conclude the contract or, if the contract is concluded, until its termination. After the failure or termination of the contract, the Data Controller does not delete the personal data but retains it based on legitimate interest until the expiration of claims arising from the contract (civil law, tax law). |
|
Data related to the fulfillment of the contract (including data related to communication between the parties, settlements, and contract modifications). |
Contract fulfillment, contract management, compliance with accounting obligations. |
In the case of a private individual contractual partner, the preparation and fulfillment of the contract to be concluded with them. In the case of a non-private individual contractual partner, the Data Controller's legitimate interest in preparing and fulfilling the contract. The Data Controller's legitimate interest in enforcing claims following the termination of the contract. In the case of accounting documents arising from the contract, the legal basis for data processing is the legal obligations arising from tax and accounting laws. |
The Data Controller processes the data until the termination of the contract. After the contract ends, the Data Controller does not delete the personal data but retains it based on legitimate interest until the expiration of claims arising from the contract (civil law, tax law, or accounting). |
|
Data necessary for claim enforcement in case of defective performance. |
Enforcement of claims arising from the contract, contract management. |
The Data Controller's legitimate interest in enforcing claims arising from the contract. |
The Data Controller processes the data until the termination of the contract. After the termination of the contract, the Data Controller does not delete the personal data but retains them based on legitimate interest until the expiration of claims arising from the contract (civil law, tax law). |
|
Data related to the termination of the contract. |
Closing settlements related to the contract, enforcing claims related to the termination of the contract, contract management. |
In the case of a private individual contractual partner, the preparation and fulfillment of the contract to be concluded with them. In the case of a non-private individual contractual partner, the Data Controller's legitimate interest in preparing and fulfilling the contract. The Data Controller's legitimate interest in enforcing claims following the failure or termination of the contract. |
The Data Controller processes the data until the termination of the contract. After the termination of the contract, the Data Controller does not delete the personal data but retains them based on legitimate interest until the expiration of claims arising from the contract (civil law, tax law). |
|
All the above-mentioned personal data categories related to claims arising from the contract |
Enforcement of legal claims |
It is the legitimate interest of the Data Controller to have evidence appropriate to its interest in proving claims in case of enforcement (including claims based on contracts enforceable by or against the Data Controller). |
Until the expiration of the statute of limitations for legal claims |
Regarding the above data processing, the Data Controller draws attention to the fact that if the data subject does not provide the above data in full then the possible consequence of not providing the data may be the impossibility of concluding or performing the contract.
Legitimate interest In the case of data processing based on Right to object (see point 5.E)!
3. Recipients of personal data, categories of recipients
|
Category of recipients |
Category of personal data transferred to the recipients |
Category of the recipient |
Activity performed by the recipient |
|
Courier service used by the Data Controller (GLS Hungary Ltd.) |
Contact data of the data subject |
Data Processor |
Corresponds to the activity performed by the Data Controller. |
|
Economic company entrusted with the operation of the online store (Shopify Inc.) |
Data necessary for the preparation and performance of the contract |
Data Controller |
Provision of IT services related to the operation of the online store. Data backup location is in EEA member states. |
By forwarding personal data to the above recipient(s), the Data Controller does not transfer the data of the data subject to a third country. The Data Controller does not transfer personal data unless the data transfer is mandatory by law, authority, or court order.
4. Processing of Special Data
The Data Controller does not process special data.
5. Data Subject Rights
The data subject may request access to their personal data from the Data Controller, correction, deletion, and in certain cases, may also request the restriction of data processing. The data subject also has the right to file a complaint with the supervisory authority and the right to legal remedy. The data subject may request the personal data processed about them to be provided in a machine-readable format (right to data portability), if the legal basis for data processing is the performance of a contract concluded with the data subject. The data subject also has the right to file a complaint with the supervisory authority and the right to legal remedy.
5)The right of access
The data subject is entitled at any time to request information on whether the Data Controller processes their personal data and how, including the purposes of data processing, the recipients to whom the data has been disclosed, or the retention period, as well as any rights related to data processing. When exercising the right of access, the data subject is also entitled to request a copy of the data; if the request is submitted electronically – unless otherwise requested by the data subject – the Data Controller shall provide the requested information electronically (in pdf format). If the data subject's right of access adversely affects the rights and freedoms of others, especially others' trade secrets or intellectual property, the Data Controller is entitled to refuse to fulfill the data subject's request to the necessary and proportionate extent. If the data subject requests the above information in multiple copies, the Data Controller shall charge a reasonable fee proportional to the administrative costs of preparing the additional copies, 200 HUF per copy/page.
5B)The right to correction
The Data Controller corrects or completes the personal data concerning the data subject upon their request. If there is doubt about the corrected data, the Data Controller may ask the data subject to prove the corrected data appropriately – primarily with a document – to the Data Controller. If the Data Controller has disclosed the personal data affected by this right to another person (i.e., a recipient such as a data processor), the Data Controller shall promptly inform these persons after the data correction, provided that this is not impossible or does not require disproportionate effort from the Data Controller. Upon request, the Data Controller shall inform the data subject about these recipients.
5C)The right to deletion ("the right to be forgotten")
If the data subject requests the deletion of some or all of their personal data, the Data Controller shall delete it without undue delay if:
- the Data Controller no longer needs the personal data for the purpose for which it was collected or otherwise processed;
- this concerns data processing based on the consent of the data subject, but the consent has been withdrawn by the data subject and there is no other legal basis for the data processing;
- the personal data was processed unlawfully by the Data Controller, or
- the deletion of personal data is necessary to fulfill a legal obligation.
If the Data Controller has disclosed the personal data subject to this right to another person (i.e., recipient such as a data processor), the Data Controller will promptly inform these persons after deletion, provided that this is not impossible or does not require disproportionate effort from the Data Controller. Upon request, the Data Controller will inform the data subject about these recipients. The Data Controller is not always obliged to delete personal data, especially if the data processing is necessary for the assertion, enforcement, or defense of legal claims.
5.D)Right to restriction of data processing
The data subject may request the restriction of the processing of their personal data in the following cases:
- the data subject disputes the accuracy of the personal data – in this case, the restriction applies for the period that allows the data controller to verify the accuracy of the personal data;
- the data processing is unlawful, but the data subject opposes the deletion of the data and instead requests the restriction of their use; or
- the Data Controller no longer needs the personal data for the purpose of data processing, but the data subject requires them for the assertion, enforcement, or defense of legal claims, or
- the data subject objected to the data processing – in this case, the restriction applies for the period until it is determined whether the Data Controller's legitimate grounds override those of the data subject.
Restriction of data processing means that the Data Controller does not process the personal data subject to restriction except for storage, or processes it only to the extent to which the data subject has consented, or the Data Controller may process such data without such consent if necessary for the assertion, enforcement, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest of the Union or a member state of the European Union. The Data Controller will inform the data subject in advance about lifting the restriction of data processing. If the Data Controller has disclosed the personal data subject to this right to another person (i.e., recipient such as a data processor), the Data Controller will promptly inform these persons about the restriction of data processing, provided that this is not impossible or does not require disproportionate effort from the Data Controller. Upon request, the Data Controller will inform the data subject about these recipients.
5.E)Right to object
If the legal basis for the data processing concerning the data subject is the legitimate interest of the Data Controller or a third party, the data subject has the right to object to the processing. The Data Controller is not obliged to comply with the objection if it proves that
- the data processing is justified by compelling legitimate grounds that override the interests, rights, and freedoms of the data subject; or
- the data processing is related to the Data Controller’s legal claims submission, enforcement, or defense.
The data subject is entitled to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, machine-readable format (e.g., via email), and also to have those data transmitted directly by the Data Controller to another data controller.
In exercising the right to data portability, the Data Controller complies with the data subject's request by sending the data as a pdf attachment via email.
5G)Right to complain, right to legal remedy
If the data subject considers that the processing of their personal data by the Data Controller violates the applicable data protection laws, in particular the provisions of the General Data Protection Regulation, they have the right to lodge a complaint with the competent data protection supervisory authority of the member state of their usual residence, workplace, or the place of the alleged infringement. In Hungary, complaints can be submitted to the National Authority for Data Protection and Freedom of Information ("NAIH"). Contact details of NAIH:
Website: http://naih.hu/ Phone: +36-1-391-1400
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c. Fax: +36-1-391-1410
Postal address: 1530 Budapest, P.O. Box 5. E-mail: ugyfelszolgalat@naih.hu
The data subject has the right to file a complaint with another supervisory authority established in a European Union member state, particularly in the member state of their usual residence, workplace, or the place of the alleged infringement.
The data subject – regardless of their right to lodge a complaint – may also turn to the court in the event of the above violation of rights. For the Data Controller, the competent court is the Budapest Metropolitan Court, but the data subject may also initiate proceedings before the court of their place of residence. The contact details of courts in Hungary can be found at the following link: http://birosag.hu/torvenyszekek. Furthermore, if the data subject's usual place of residence is in another European Union member state, they may initiate proceedings before the court with jurisdiction and competence in that member state. The data subject is also entitled to turn to the court against a legally binding decision of the supervisory authority concerning them. The data subject is also entitled to judicial remedy if the supervisory authority does not deal with the complaint or does not inform the data subject about the procedural developments or the outcome of the submitted complaint within three months. The data subject has the right to mandate a nonprofit organization or association established under the law of a European Union member state, whose statutes include the public interest and the protection of data subjects' rights and freedoms regarding personal data, to submit the complaint on their behalf, to review the supervisory authority's decision in court, to initiate legal proceedings, and to enforce their right to compensation on their behalf.
Automated decision-making, profiling
The Data Controller does not carry out automated decision-making or profiling in the course of data processing related to data subjects.
Deadline for responding to the data subject's request
The Data Controller ensures that if data subjects exercise any of their rights related to this data processing and contact the Data Controller in this regard, the Data Controller will respond to such requests without undue delay, but no later than within one month, except in the case of withdrawal of consent, when it will immediately arrange for the deletion of data processed based on the consent.
If necessary, taking into account the complexity of the request and the number of requests, the deadline specified in the previous paragraph may be extended by an additional two months. In such cases, the Data Controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request. If the data subject submitted the request electronically, the information should be provided electronically if possible.
