Privacy Notice

– Kátolyi Pívíz Bt. –
www.rosemaryvital.com
Privacy Notice on the processing of personal data of natural persons

Controller: Kátolyi Pívíz Bt.
Version: v1.0
This policy remains in force until revoked. Its scope extends to the organization’s officers, employees, and the organization’s data protection officer.

Effective date: 14 July 2023

1. Chapter

General information — not tied to a specific processing purpose

1.1 Purpose of this Privacy Notice

Kátolyi Pívíz Bt., 7661 Kátoly, Szabadság u. 63. (hereinafter: the Service Provider, Controller) accepts as binding the contents of this legal notice. The Controller undertakes to ensure that all data processing related to its activities complies with this Privacy Notice, with applicable international legislation, and with the legal acts of the European Union.

Information on the data protection principles applied by Kátolyi Pívíz Bt. is continuously available at the address indicated above.

Kátolyi Pívíz Bt. reserves the right to amend this notice at any time. Any changes will be communicated in due time at the web address provided earlier.

Kátolyi Pívíz Bt. is committed to protecting the personal data of its customers and partners and considers respect for the right to informational self-determination to be of paramount importance. The Controller treats personal data confidentially and takes all security, technical, and organizational measures necessary to guarantee data security.

1.3 General information on data processing

The person designated as the Controller for the given processing purpose (who, alone or jointly with others in the case of joint controllership, determines the purposes of the processing and makes and enforces decisions regarding processing or has them carried out by a processor) shall process personal data only for a specified purpose, to exercise a right, or to fulfill an obligation. Processing must comply with the purpose at every stage.
The Controller processes personal data only to the extent and for the duration necessary to achieve the purpose.
Data processed for different purposes are recorded and reported separately in the data protection records and are described in the “Processing purposes” chapter of this Privacy Notice.

During processing the Controller ensures the accuracy, completeness, and—where necessary in view of the purpose of processing—the up-to-dateness of data, and ensures that the data subject can be identified only for the time necessary for the purpose of processing.

2. Chapter

Controller’s details

2.1 Controller’s details

Name: Kátolyi Pívíz Bt.
Registered office: 7661 Kátoly, Szabadság u. 63.
Postal address: 7661 Kátoly, Szabadság u. 63.
Registering court: Pécs Company Court
Tax number: 20763967-1-02

2.2 DPO — Data Protection Officer contact details

If you have any questions for our company, please contact us using the details below. Our Data Protection Officer will be happy to assist you.

Name: Vudi Gábor
Postal address: 7661 Kátoly, Szabadság u. 63.
Email: gabor@rosemaryvital.com
Phone: +36 20 807 8080

3. Chapter

Categories of personal data processed, defined separately by processing purpose

Purpose No. 1 — Customer service

1. Controller details
   Contact person: Vudi Gábor
   Phone: +36 20 807 8080
   Email: gabor@rosemaryvital.com
   Controller tax number: 20763967-1-02
   Controller name: Kátolyi Pívíz Bt.
   Country: Hungary
   Postal code: 7661
   City/Town: Kátoly
   Street, type, number: Szabadság u. 63.

2. Actual place or website of processing: www.rosemaryvital.com

3. Purpose of processing:
   a) Identification of the Client and distinction from other clients, maintaining contact with the Client, client record-keeping and service
   b) Preparing statistics and analyses to improve services
   d) More personalized service for Users, handling complaints, sending promotional offers, market research, and fulfilling accounting obligations
   e) Complying with data processing and data provision mandated by law

4. Legal basis for processing: Consent of the data subject

5. Personal data processed by the Controller
   Data relating to data subjects:

Personal dataReason for processing

Full name of purchaserIdentification, invoicing, fulfillment of order

Phone numberContact, fulfillment of order

EmailContact, fulfillment of order

City/TownDetermining regional relevance, subscriptions, etc.

Retention period: until the User withdraws consent.
Duration of processing: indefinite.
Source of data: voluntary provision.

Processing may cease due to deletion of data by or at the request of the Client, deletion requested by another data subject, the Client’s inactivity, breach of the Terms of Use by the User, discontinuation of the Service, or by a final and enforceable court or authority order mandating deletion or destruction of data.

1. Data subjects: natural persons who initiate contact on the website.

2. Persons authorized to access data: Kátolyi Pívíz Bt.
   Employees of Kátolyi Pívíz Bt. may access the data while observing strict confidentiality. When sending quotations and fulfilling orders, staff access personal data within the Controller’s own customer-management and invoicing systems. Computers and records are accessible only with appropriate username and password pairs. Computers are stored in lockable offices. Paper documents are kept in lockable cabinets.

Unless otherwise provided by law, personal data collected may be processed by Kátolyi Pívíz Bt. for the purpose of fulfilling its legal obligations or for the enforcement of its own or third-party legitimate interests, if such interests are proportionate to the restriction of the right to protection of personal data, without separate consent and even after withdrawal of the Client’s consent.

In certain services, the collection and processing of personal data by Kátolyi Pívíz Bt. is based on law, including tax and accounting legislation (Act CXVII of 1995, Act C of 2000, Act XCII of 2003). In the absence of other provisions, processing is based on the User’s voluntary consent.

1. Data transfers
   For this purpose, data are transferred to the following partners for data processing:
   Website development: Kiss Gyula István, 7370 Sásd, Kolozsvár u. 8. fsz.2., kiss.gyula.istvan@gmail.com
   Website hosting/operation: Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv-Yafo, 6350671, support@wix.com
   Email hosting: Intelliweb Kft., 7627 Pécs, Wass Albert út 23., customer service: ugyfelszolgalat@wwh.hu
   Analytics: Kiss Gyula István, 7370 Sásd, Kolozsvár u. 8. fsz.2., kiss.gyula.istvan@gmail.com

Purpose No. 2 — Marketing communications

1. Controller details
   Contact person: Vudi Gábor
   Phone: +36 20 807 8080
   Email: gabor@rosemaryvital.com
   Controller tax number: 20763967-1-02
   Controller name: Kátolyi Pívíz Bt.
   Country: Hungary
   Postal code: 7661
   City/Town: Kátoly
   Street, type, number: Szabadság u. 63.

2. Actual place or website of processing: www.rosemaryvital.com

3. Purpose of processing:
   a) Client identification and distinction, maintaining contact, preventing unauthorized access to personal data
   b) Preparing statistics and analyses to improve services
   c) Direct marketing and business acquisition communications of advertising content
   d) More personalized service for Users, complaint handling, sending promotional offers, conducting market research
   e) Organization and administration of prize draws or other contests, filtering multiple registrations, identifying and notifying winners, handling complaints, delivering prizes or enabling use of awarded services, related administration, and fulfilling accounting obligations
   f) Complying with data processing and data provision mandated by law

4. Legal basis for processing: Consent of the data subject

5. Personal data processed by the Controller

Personal dataReason for processing

Full name of subscriberIdentification, personalized salutation

Phone numberContact, communicating personalized offers

EmailContact, communicating personalized offers

City/TownRegion-specific information, subscriptions, etc.

Retention period: until the User withdraws consent.
Duration of processing: indefinite.
Source of data: voluntary provision.

Processing may cease due to deletion of data by or at the request of the Client, deletion requested by another data subject, the Client’s inactivity, breach of the Terms of Use by the User, discontinuation of the Service, or by a final and enforceable court or authority order mandating deletion or destruction of data.

1. Data subjects: natural persons who subscribe to our marketing communications.

2. Persons authorized to access data: Kátolyi Pívíz Bt.
   Employees of Kátolyi Pívíz Bt. may access the data while observing strict confidentiality. During quotation and order fulfillment, staff access data within the Controller’s customer-management and invoicing systems. Computers and systems require username and password. Computers are kept in lockable offices. Paper records are stored in lockable cabinets.

Unless otherwise provided by law, personal data collected may be processed by Kátolyi Pívíz Bt. for the purpose of fulfilling its legal obligations or for the enforcement of its own or third-party legitimate interests, if proportionate, without separate consent and even after withdrawal of consent. In certain services, processing is based on law, including tax and accounting legislation (Act CXVII of 1995, Act C of 2000, Act XCII of 2003). Otherwise, processing is based on the User’s voluntary consent.

1. Data transfers
   For this purpose, data are transferred to the following partners for data processing:
   Website development: Kiss Gyula István, 7370 Sásd, Kolozsvár u. 8. fsz.2., kiss.gyula.istvan@gmail.com
   Website hosting/operation: Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv-Yafo, 6350671, support@wix.com
   Email hosting: Intelliweb Kft., 7627 Pécs, Wass Albert út 23., customer service: ugyfelszolgalat@wwh.hu
   Analytics: Kiss Gyula István, 7370 Sásd, Kolozsvár u. 8. fsz.2., kiss.gyula.istvan@gmail.com

4. Chapter

Cookies

4.1 The role of cookies

Cookies collect information about visitors and their devices, remember individual settings that may be used during online transactions so they do not have to be re-entered, make the website easier to use, and ensure a quality user experience.

For personalized service, a small data package, a so-called cookie, is placed on the user’s device and read back during a later visit. If the browser returns a previously saved cookie, the service provider handling the cookie can link the current visit with previous ones, but exclusively with respect to its own content.

4.2 Strictly necessary, session cookies

These cookies ensure that visitors can browse the website of Kátolyi Pívíz Bt. completely and smoothly, use its functions, and access available services. These cookies are valid only for the duration of the session and are automatically deleted when the browser is closed.

4.3 Third-party cookies (analytics)

The website of Kátolyi Pívíz Bt. also uses third-party cookies, such as Google Analytics. Using this statistical service, the Controller collects information about how visitors use the website. The data are used for site development and improving user experience. These cookies remain in the visitor’s browser until they expire or are deleted by the visitor.

5. Chapter

Rights of the data subject

5.1 Right to information

Kátolyi Pívíz Bt. takes appropriate measures to provide all information referred to in Articles 13 and 14 of the GDPR and all notifications under Articles 15–22 and 34 to data subjects in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

The Privacy and Data Processing Notice of Kátolyi Pívíz Bt. is available at: https://www.rosemaryvital.com/adatkezeles

A printed copy can be viewed at: 7661 Kátoly, Szabadság u. 63.

5.2 Right of access

Upon request, the data subject is informed by the Controller about the data processed by it or by a processor acting on its behalf, their source, the purpose, legal basis, and duration of processing, the name and address of the processor and its activities related to processing, circumstances of any data breach, its effects and the measures taken to remedy it, and, in the case of data transfers, the legal basis and the recipients.

Beyond requests made to the Controller, the data subject can also obtain information from the public data protection register.

The Controller provides information within a maximum of one month from receipt of the request.

5.3 Right to rectification

At the request of the data subject, the Controller examines the disputed personal data. If the personal data are inaccurate and the correct data are available, the Controller rectifies them. The Controller marks personal data if their accuracy is contested but cannot be clearly established.

5.4 Right to erasure

At the request of the data subject, the Controller deletes or blocks the personal data concerned, making them unrecognizable and irrecoverable.

The data subject has the right to obtain the erasure of personal data without undue delay where one of the following grounds applies:
— the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
— the data subject withdraws consent and there is no other legal basis,
— the data subject objects to processing and there are no overriding legitimate grounds,
— the personal data have been unlawfully processed,
— the personal data must be erased for compliance with a legal obligation under Union or Member State law,
— the personal data have been collected in relation to the offer of information society services.

In addition to deletion upon request, the Controller deletes personal data if processing is unlawful, if the data are incomplete or incorrect and cannot be lawfully rectified, if the purpose of processing has ceased or the statutory retention period has expired, or if so ordered by a court or the Authority.

Erasure may not be requested where processing is necessary for freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise, or defense of legal claims.

The Controller fulfills deletion requests without undue delay, at the latest within 30 days, and notifies the data subject and any recipients unless notification would not prejudice the data subject’s legitimate interests. If the Controller does not comply, it informs the data subject within 30 days of the factual and legal reasons for refusal.

5.5 Right to restriction of processing

The Controller restricts processing instead of deletion if requested by the data subject or if deletion would harm the data subject’s legitimate interests. Restricted data are marked and processed only as long as the ground for restriction persists.

Restriction applies if:
— the accuracy of the personal data is contested, for the period enabling verification,
— processing is unlawful and the data subject opposes deletion and requests restriction,
— the Controller no longer needs the data but the data subject requires them for legal claims,
— the data subject has objected to processing, pending verification of overriding legitimate grounds.

If processing is restricted, personal data may, with the exception of storage, be processed only with the data subject’s consent, for legal claims, for the protection of the rights of another natural or legal person, or for important public interest. The Controller implements restriction without undue delay, at the latest within 30 days, and notifies the data subject and any recipients unless this would not prejudice the data subject’s legitimate interests. If the Controller refuses rectification, restriction, or deletion, it informs the data subject within 30 days of the factual and legal reasons.

5.6 Right to data portability

The data subject has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used, machine-readable format, and to transmit those data to another controller.

5.7 Automated decision-making, including profiling

In the case of a decision based on automated processing, the data subject may request information from the Controller and express their point of view. Upon request, the Controller informs the data subject of the method used and its essence and provides an opportunity to present their position.

Requests to the Controller and statements concerning automated processing can be submitted via:

Postal address: Kátolyi Pívíz Bt., 7661 Kátoly, Szabadság u. 63.
Email: gabor@rosemaryvital.com

Information is free of charge if the requester has not submitted an identical request in the same year for the same data set. Otherwise, a fee may be charged. Any fee already paid is refunded if the data were processed unlawfully or the request leads to rectification.

The Controller responds in writing within a maximum of 15 days from receipt of the request.

5.8 Right to object

The data subject may object to processing of their personal data:
a) if processing or transfer is necessary solely for compliance with a legal obligation of the Controller or for the enforcement of the legitimate interests of the Controller, the recipient, or a third party, except in the case of mandatory processing,
b) if the use or transfer of personal data takes place for direct marketing or opinion polling,
c) or for scientific research.

Upon objection, the Controller examines the request within at most 15 days, decides on its merits, and informs the requester in writing. If the objection is well-founded, processing is terminated, the data are blocked, and recipients are informed. Data cannot be deleted where processing is mandated by law. Data cannot be transferred if the Controller accepts the objection or the court finds it justified.

5.9 Right to withdraw consent

The data subject has the right to withdraw consent at any time.

6. Chapter

Remedies available to the data subject

6.1 First, contact the Controller with your complaint

If you believe your personality rights have been violated through unlawful processing or breach of data security, we recommend contacting the Controller first.

Contact for complaints:
Postal: Kátolyi Pívíz Bt., 7661 Kátoly, Szabadság u. 63.
Phone: +36 20 807 8080
Email: gabor@rosemaryvital.com

The Controller replies in writing within at most 15 days. If you do not receive a reply within this time or you disagree with the reply, you may contact the competent authority.

6.2 Then, contact the Authority

If you have already contacted the Controller but did not receive a reply within the statutory deadline or disagree with the reply, you may lodge a complaint with the Hungarian Authority:

Name: National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf. 5.
Phone: +36 1 391 1400
Fax: +36 1 391 1410

6.3 Finally, seek judicial remedy

The data subject or the data recipient may bring an action before a court in the event of a violation of rights, disagreement with the Controller’s decision on an objection, failure to meet deadlines, refusal to rectify, delete or block, refusal to provide information, etc.
The Controller bears the burden of proving compliance with the law. The action may, at the data subject’s choice, also be brought before the court of the data subject’s domicile or residence. The Authority may intervene in the proceedings in the interest of the data subject’s success.

7. Chapter

Data security

7.1 Data breach

A data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. Without appropriate and timely measures, a breach can cause physical, material, or non-material damage to natural persons.

The supervisory authority must be notified without undue delay and, where feasible, not later than 72 hours after becoming aware of a breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. Data subjects must be informed without delay if the breach is likely to result in a high risk to their rights and freedoms so they can take necessary precautions.

7.2 General data protection rules

The Controller designs and performs processing operations to protect the privacy of data subjects under the applicable laws. In particular, the Controller and any processor ensure data security, take technical and organizational measures, and establish procedures necessary to enforce data and secrecy provisions.

Measures include preventing unauthorized access, alteration, transfer, disclosure, deletion, or destruction, and protection against accidental destruction or damage and unavailability due to changes in technology. Appropriate technical solutions prevent direct linking of electronic records and their assignment to data subjects.

For automated processing, additional measures ensure prevention of unauthorized data entry, prevention of use by unauthorized persons, traceability of transfers, traceability of who entered which data and when, recoverability in case of system failure, and error reporting.

When defining and applying security measures, the Controller considers the current state of the art and selects solutions that provide the highest level of protection, unless this would impose a disproportionate burden.

8. Chapter

Other provisions
For any processing not listed in this notice, information will be provided at the time the data are collected.
Please note that courts, prosecutors, investigative authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information, the Hungarian National Bank, or other bodies empowered by law may contact the Controller to request information, data transfer, or provision of documents.

Kátolyi Pívíz Bt. will disclose personal data to authorities only to the extent and in the manner strictly necessary to achieve the stated objective of the request and provided the authority specifies the exact purpose and scope of the data.

9. Chapter

Data protection glossary (definitions)

a) GDPR: the General Data Protection Regulation of the European Union
b) Data subject: any identified or identifiable natural person
c) Personal data: any information relating to an identified or identifiable natural person and any inference drawn from such data
d) Consent: a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data
e) Objection: a statement by the data subject contesting processing and requesting its termination or deletion of data
f) Controller: the natural or legal person or organization that determines the purposes and means of processing and makes and enforces decisions regarding processing or has them carried out by a processor
g) Processing: any operation performed on personal data, such as collection, recording, organization, storage, adaptation, use, transfer, disclosure, alignment, restriction, deletion, destruction, preventing further use, as well as photo, audio, or video recording and the recording of biometric identifiers
h) Data transfer: making data available to a specified third party
i) Deletion: rendering data unrecognizable in a way that their restoration is no longer possible
j) Restriction (blocking): making processing operations impossible permanently or for a specified period
k) Data processing (technical): performing technical tasks related to processing operations, regardless of methods, means, or location
l) Processor: a natural or legal person or organization that processes personal data on behalf of the Controller
m) Third party: a natural or legal person or organization other than the data subject, the Controller, or the Processor
n) Data breach: unlawful processing or handling of personal data, including unauthorized access, alteration, transfer, disclosure, deletion, or destruction, as well as accidental destruction or damage
o) Data security: organizational, technical, and procedural measures to protect against unauthorized processing and to reduce risks to a minimum

Version: 1.0
Date: 14 July 2023