Privacy notice

Privacy policy

1. Name of data controller

Name of data controller:	Maxima Plus Ltd.
Company registration number of the data controller:	Registered at the Commercial Court of the General Court of Egri: 10-09-035821
Data Controller's registered office:	3000 Hatvan Papp Mill HRSZ 0369/3
Representative of the Data Controller:	Ádám Németh Managing Director

2. Data management rules

This privacy notice is valid from 01.05.2018 until its withdrawal.

The terminology of this Policy is identical to the interpretative definitions set out in Article 4 of the General Data Protection Regulation (hereinafter referred to as GDPR) and, supplemented at certain points, to the interpretative provisions of Article 3 of the Infotv. Based on these:

personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Contribution: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;

data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the controller's designation may also be determined by Union or Member State law;

data management: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

privacy incidents: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

The processing of personal data must be lawful, fair and transparent for the data subject.

The Data Controller shall make the information available on its website on an ongoing basis. Acceptance of the Privacy Notice (by ticking the corresponding checkbox) constitutes acknowledgement of receipt and consent to processing. Thus, processing may only take place if the data subject gives his or her freely given, specific, informed and unambiguous consent, in a clear affirmative action, such as a written declaration, including by electronic means, to the processing of personal data concerning the natural person

The personal data collected by the Controller must be processed only for specified, explicit and legitimate purposes and not in a way incompatible with those purposes, and stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Employees who carry out processing at the Data Controller and employees of organisations involved in processing on behalf of the Data Controller and carrying out an operation of the Data Controller shall keep the personal data they have obtained as business secrets. The employees of the Data Controller shall ensure in the course of their work that no unauthorised person has access to personal data and that personal data are stored and stored in such a way that they cannot be accessed, accessed, altered or destroyed by any unauthorised person.

If a person subject to the Policy becomes aware that personal data processed by the Controller is inaccurate, incomplete or untimely, he or she must correct it or request its correction from the person responsible for the data.

3. Enforcement of data subjects' rights

The data subject may request information about the processing of his or her personal data; request the rectification of his or her personal data; request the erasure of his or her data by e-mail to ugyfelszolgalat@pagony.hu; request the restriction of processing; and have the right to data portability.

3.1. Right to information

The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information:

• The right to know the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
• where applicable, the envisaged period of storage of the personal data or, where this is not possible, the criteria for determining that period.
• The data subject should be informed of his or her right to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data, and to lodge a complaint with a supervisory authority.
• He or she is also entitled to receive all available information about whether the data have been collected from someone other than the data subject.
• He or she is also entitled to be informed of the logic used in automated decision-making and of the significance of such processing and its likely consequences for the data subject.

The Data Controller shall inform the data subject of the action taken on the request under the right of information without undue delay and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension, stating the reasons for the delay, within one month of receipt of the request.

As a rule, the information is provided free of charge, and the Data Controller will only charge a fee in the cases provided for in Articles 12(5) and 15(3) of the GDPR.

If the controller fails to act on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

The data subject shall have the right to obtain from the Data Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration. (right to rectification).

3.2. Right to rectification

The Company shall correct inaccurate data without undue delay at the request of the data subject.

For as long as the Company is verifying the accuracy of the personal data, the personal data in question may be restricted in accordance with section 3.4 of this notice.

3.3. Right to object

The data subject may object to the processing of his or her personal data by means of a statement to the Data Controller where the legal basis for the processing is.

• the public interest within the meaning of Article 6(1)(e) of the GDPR; or
• legitimate interest within the meaning of Article 6(1)(f) of the GDPR [the conditions for the application of legitimate interest as a legal basis are set out in Section 5 of these Rules].

In the event of the exercise of the right to object, the Company may no longer process the personal data, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The decision as to whether processing is justified on compelling legitimate grounds shall be taken by the Company's CEO. He shall inform the data subject of his position in an opinion.

3.4. Right to restriction of processing

Restrictions on processing may be imposed if:

• the data subject contests the accuracy of the data, the Company shall restrict the processing of personal data for a period of time until the accuracy of the data is established;
• the processing is unlawful and the data subject requests restriction of use instead of erasure;
• the data controller no longer needs the data, but the data subject requires them for the purposes of legal claims;
• the data subject objects to the processing of personal data in accordance with Article 21 of the GDPR, pending the outcome of the assessment of the objection.

The head of the department responsible for processing the personal data shall suspend the processing of the data subject's objection to the processing of his or her personal data for the duration of the assessment of the objection, but for a maximum of 5 days, examine the grounds for the objection and take a decision, which shall be communicated to the applicant.

If the objection is justified, the head of the department will restrict the data, i.e. only storage as data processing may take place as long as

• the data subject consents to the processing;
• the processing of personal data is necessary for the exercise of legal claims;
• the processing of personal data becomes necessary in order to protect the rights of another natural or legal person; or
• the processing is required by law in the public interest.

If the restriction of processing has been requested by the data subject, the head of the relevant department shall inform the data subject in advance of the lifting of the restriction.

3.5 Right to erasure ("right to be forgotten")

The data subject shall have the right to obtain from the Data Controller the erasure of personal data relating to him or her without undue delay and the Data Controller shall be obliged to erase personal data relating to him or her without undue delay if one of the following grounds applies:

1. (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2. (b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
3. (c) the data subject objects to the processing on the basis of Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing on the basis of Article 21(2);
4. d) the personal data have been unlawfully processed;
5. (e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

OR

1. f) the personal data were collected in connection with the provision of information society services

3.6. The right to data portability

The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the Company in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to which he or she has provided the personal data, provided that:

• the legal basis for the processing is the consent of the data subject or the processing was necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into that contract [Article 6(1)(a) or (b) or Article 9(2)(a) GDPR]; and
• the processing is carried out by automated means.

The controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of those recipients.

The Data Controller shall also compensate the damage caused to others by the unlawful processing of the data subject's data or by the breach of data security requirements, as well as the damages in the event of a personal injury caused by the Data Controller or by a data processor engaged by the Data Controller. The controller shall be exempt from liability for the damage caused and from the obligation to pay the damage fee if it proves that it is not in any way responsible for the event giving rise to the damage

The data subject may lodge a complaint with the NAIH regarding the data processing procedure of the Data Controller:

name: National Authority for Data Protection and Freedom of Information

headquarters: 1024 Budapest, Szilágyi Erzsébet fasor 22/C.

Website: www.naih.hu

The data subject may also, at his or her choice, pursue his or her claim in court. The tribunal has jurisdiction to hear the case. The action may also be brought, at the option of the person concerned, before the court of the place where he or she resides or is domiciled.

4. Processing of data in the course of using the Controller's website

4.1. Cookies

The Company's website runs software that analyses the website traffic data and records information about visits. The Company receives automatically generated information about visitors to its website: the Internet Protocol (IP) address of the visitor, the time of the visit, the pages viewed, the name of the browser program used.

the purpose of the processing: to study website visiting habits, to facilitate contact with the Company

the scope of the data processed: the Internet Protocol (IP) address of the visitor, the time of the visit, the pages viewed, the name of the browser program used

the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR.

the deadline for data storage: one year from the date of the data entry

how the data is stored: electronic

4.2. Registration

Visitors have the possibility to register on the Company's website. By filling in the form, the visitor provides the relevant data required to contact the Company. However, the data can only be sent if the data subject accepts the Company's privacy policy, which he/she can do by ticking a box, otherwise he/she will not be able to finalise the registration.

By registering, the data subject becomes a regular customer of the Company and thus entitled to certain discounts.

The loyalty cardholder will be entitled - by name and, if more than one person is registered under the same name, by address - to use the Company's shops.

During registration, the data subject can provide shipping and billing information and the telephone number of the data subject, in which case the data subject can order products on the interface without providing any further information after registration. The delivery address will be provided to the courier as the data processor in case of an order. The exact details of the data processor are set out in this policy.

The telephone number is required for the take-over notification. The e-mail address is required for online contact. Delivery details are required so that the courier can deliver the product to the address requested by the data subject. The billing details are required for the issuing of the invoice.

During the registration, the data subject may indicate his/her gender, which is used by the Company to carry out market research on the data subject's data: gender, books ordered by him/her. The market research is anonymous and does not contain any personal data.

The period of data processing lasts until the registration is deleted, with the proviso that if the data subject makes a purchase in the system after registration, the Company is obliged to keep the accounting records for at least 8 years pursuant to Article 169 (2) of Act C of 2000 on Accounting. After 8 years, the Company will automatically delete the personal data of a data subject who has not reordered services from the Company within 8 years of the last order.

the purpose of the processing: facilitate contact with the Company, registration

the scope of the data processed: the name, e-mail address or, where not required, the delivery and billing address and telephone number of the data subject

the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR

the deadline for data storage: until the registration is cancelled, with the proviso that if the registrant makes a purchase on the platform, the Company is obliged to keep the accounting records for at least 8 years pursuant to Article 169 (2) of Act C of 2000 on Accounting. After 8 years, the Company will automatically delete the personal data of a data subject who has not reordered services from the Company within one year of the last order.

how the data is stored: electronic

In case of payment by card, the bank card and card payment transaction data are handled by CIB Bank.

the scope of the data transmitted: in case of payment by credit card, the payer's ID, the amount, date and time of the transaction to Barion (barion.com).

Legal basis for the transfer: the data subject's consent pursuant to Article 6(1)(a) of the GDPR.

4.3. Processing of customer data

Visitors to the website have the possibility to order and purchase the Company's products with or without registration. Before ordering the selected product, i.e. before the conclusion of the contract between the Customer and the Company, the Customer provides the relevant data required for the delivery of the ordered product and for invoicing.

The delivery address is given to the courier as the data processor. The exact details of the data processor are set out in this policy.

The telephone number is required for the take-over notification. The e-mail address is required for online contact. Delivery details are required so that the courier can deliver the product to the address requested by the data subject. The billing details are required for the issuing of the invoice.

the purpose of the processing: making purchases, placing orders, issuing invoices via the Company's website, fulfilling accounting obligations, registering customers, fulfilling orders, analysing customer habits

scope of data processed: aname, e-mail address, telephone number, delivery and billing details of the data subject

the legal basis for processing: the data subject's consent pursuant to Article 6 (1) (a) of the GDPR and Article 169 (2) of Act C of 2000 on Accounting (Accounting Act)

the deadline for data storage: eight years until the data are deleted at the request of the data subject, in accordance with Section 169 (2) of the Act on Accounting (Rechnungv. tv.)

how the data is stored: electronic

In the case of card payments, the credit card and card payment transaction data are handled by Barion (barion.com)

the scope of the data transmitted: in the case of payment by credit card, the payer's ID, the amount, date and time of the transaction are managed by Barion (barion.com).

Legal basis for the transfer: the data subject's consent pursuant to Article 6(1)(a) of the GDPR

4.4. Processing of complaints

The customer has the right to lodge a complaint with the Company orally, by electronic means or in writing under Act CLV of 1997 on Consumer Protection (Act on Consumer Protection). Electronic complaints can be sent by the customer to the e-mail address grinkokft@gmail.com.

the purpose of the processing: investigating and handling customer complaints

the scope of the data processed: the name, address, e-mail address of the data subject, other data relating to the complaint as specified in Section 17/a (5) of the Act on the Protection of the Rights of the Child

the legal basis for processing: the data subject's consent pursuant to Article 6 (1) (a) of the GDPR, and Paragraph 17/a (5) of the Fgy.tv.

the deadline for data storage: until the purpose is achieved: if the data subject has not objected further after the reply has been sent, the data controller deletes the data 5 years after the reply was sent, and in the case of further claims, the data are deleted after the expiry of the limitation period

how the data is stored: electronic

4.5. Data processing in relation to newsletter and direct marketing

In order to serve the needs of its customers as fully as possible, the Company sends emails and newsletters to the data subject for direct marketing and informal purposes, based on the prior clear and explicit consent of the data subject. If the data subject can subscribe to the newsletter on the website, he or she must accept the privacy policy at the point of subscription. You can do this by ticking a box. The Company ensures that the data subject can unsubscribe from marketing e-mails at any time free of charge. The Company will also communicate such information to customers in person or by telephone.

The Company provides Facebook with the e-mail addresses of persons who have consented to direct marketing activities, and Facebook is considered a data processor of the Company in this respect. The purpose of the transfer of e-mail addresses is to send targeted advertisements by Facebook.

You can change your settings to allow ads on Facebook here:https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

In the event that the data subject subscribes to the newsletter, the Company may, in the course of its direct marketing activities, send targeted advertisements to the data subject, analysing his or her gender (if provided), products ordered, location, interests, age and age of children. In the event that you do not wish to consent to profiling, you may object to the processing of your data at the e-mail address provided by the Company.

We inform the data subjects that the Company has concluded a contract with Mailerlite, a data processor based in Lithuania, for the sending of the newsletter. Mailerlite is a Privacy Shield company, which means that it has undertaken to comply with the GDPR.

If the data subject requests the deletion of his or her data, the Company shall keep a ban list as defined in Act CXIX of 1995 on the processing of name and address data for research and direct marketing purposes (hereinafter: the Act). The Company undertakes to check whether the data subject is on the ban list before making an advertising enquiry.

purpose of processing: informing stakeholders about the Company's most important news, direct marketing

the scope of the data processed: name, e-mail address of the data subject

legal basis for processing: the data subject's consent within the meaning of Article 6(1)(a) of the GDPR

deadline for data storage: until the end of the operation of the newsletter service, but if the data subject requests the deletion of his/her data (unsubscribes from the newsletter), immediately after the deletion request

how the data is stored: electronic

5. Data processors

The Company uses the following data processor for the processing of personal data for technical tasks only:

data processor name: iSuccess Könyvelő Kft.

address: 5, Martin u. Budapest, 1172

purpose of data processing: accounting, payroll

Processor name: Mailchimp The Rocket Science Group LLC d/b/a

Address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia, 30308

purpose of processing: sending newsletters

Data Processor Name: Facebook Inc.

Address: 1601 WILLOW ROAD, MENLO PARK, CA 94025

purpose of data processing: marketing

Name of data processor:

Imex Global Ltd.

Adosam: 23583317243

Péter Török

Address: 1188 Budapest, Nagykőrösi út 23.

purpose of processing: server management

Data relating to entries for speedway races will be processed by S-Riders Ltd. The purpose of the data processing is to record the entries of the riders and to speed up the pick-up process at the event venue based on the information provided by the entrants. This data will be permanently deleted within 30 days after the event. We do not use the data of the competitors from the entry form for marketing purposes!

Entries are processed by S-Riders Kft.

Tax number: 12719262216

Address: 5321 Kunmadaras, Airport No. 042.

Processors shall process the data in accordance with the instructions of the Company, shall not take any decision on the substance of the processing, shall process the personal data of which they become aware only in accordance with the provisions of the Company, shall not process the data for their own purposes, and shall store and retain the personal data in accordance with the provisions of the Company.

6. Change the declaration

The Data Controller reserves the right to modify this statement. If the modification affects the use of the personal data provided by the data subject, the changes will be communicated to the user by means of an e-mail information letter. If the details of the processing are also changed as a result of the modification of the statement, the Data Controller will separately request the data subject's consent.

7. Issues not covered by these rules

In matters not covered by these Rules, the GDPR and, in cases permitted by the GDPR, the rules of the Infotv shall apply by way of assistance.