Close
0 Shopping cart €0.00
Close

Your cart is empty

PRIVACY NOTICE

A Creative City Group Kft. (hereinafter referred to as the Controller), under the framework of operating www.yme3e9.zamnia.com website (hereinafter referred to as the Website) handles the data of users (hereinafter referred to as the Data Subject) that use the services – such as contacting, online shopping, newsletter subscription – available on the Website.

In relation to data processing, the Controller hereby informs the Subjects on the personal data processed by them on the Website, on the principles and practices followed during personal data processing, as well as on the ways and options of subjects to practice their relevant rights.

When handling the personal data in their system, the Controller pays increased attention to handle, store and use such data in compliance with the provisions of Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the controlling of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“Regulation”).

1. DESIGNATION OF THE DATA CONTROLLER

  • Company: Creative City Group Kft.
  • Registered seat, mailing address: 2040 Budaörs, Edison utca 3.
  • Phone: +36 1 490 0100
  • E-mail: info@zamnia.com
  • Tax numberTTax number: 27048533-2-13
  • Company registration number: 13-09-204841
  • Court of registration: Fővárosi Törvényszék Cégbírósága
  • Hosting service provider:

2. LEGAL REGULATIONS PROVIDING GROUNDS TO DATA CONTROLLING

  • Act CXII of 2011 on the right of informational self-determination and on freedom of information (“Information Act”),
  • Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the controlling of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“Regulation”),
  • Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (Advertising Act),
  • Act C of 2000 on Accounting,
  • Act CXXVII of 2007 on Value Added Tax (VAT Act),
    Act CVIII of 2001 on certain issues concerning electronic commerce and on information society services
  • Act CLV of 1997 on consumer protection.

3. CASES OF DATA CONTROLLING

3.1. Correspondence, communication with customers

Personal data Purpose of data controlling Time of data controlling Legal grounds for data controlling
Name If they have any question, Data Subjects can contact the Data Controller via the contacts displayed on the Website Purpose: contacting, communication The Controller shall process all e-mails and postal mails including the name and e-mail address of the sender, as well as any other personal data specified in the message for a period of time starting on the date of receiving the information ending on the date when the specific issue or remark of the Data Subject is solved or answered. Voluntary consent of the Subject as per Paragraph a) of Section (1) of Article 6 of the Regulation.
E-mail address
Phone number

Data source: Provided directly by the Data Subject.

Potential consequences of the failure to disclose data: Failure of communication via customer correspondence.

3.2. Data controlling related to data provided upon registration

Personal data Purpose of data controlling Time of data controlling Legal grounds for data controlling
Username

Essential for database registration and identification of the specific Data Subject. In addition

  • creating user account
  • communication between the Controller and the Data Subject
  • allowing the Subject to easily keep track of their orders in their user account
  • convenience function – no need for repeated data provision as the data previously provided by the Subject and stored in the system are automatically entered,
  • sending system message(s) related to the service.
The contact details provided upon registration are controlled by the Controller until the withdrawal of the relevant consent by the Data Subject. Registration can be deleted by way of deletion request sent to the Data Controller. Upon receiving deletion request, the Controller shall immediately delete the user account of the Data Subject, along with all personal data. Deletion, however, shall not include the destruction of any invoice related to already placed orders, as the Controller is required to retain such. After removal, data cannot be restored any more. If the Data Subject does not request the deletion of their registration, the Controller shall delete all registration data from the system within no later than 30 days after the termination of the Website.

Voluntary consent of the Data Subject as per Paragraph a) of Section (1) of Article 6 of the Regulation.

*

If you are not acting as a private individual, but on behalf of a company, the legal grounds for controlling your data is a legitimate interest provided under Paragraph f) of Section (1) of Article 6 of the Regulation.

E-mail address
Full name
(contact person)
Phone number To allow communication in relation to orders. (E.g. consultation in relation to delivery)
Password To allow access to the user account.

User name and e-mail address do not need to contain personal data, and accordingly, the e-mail address, for instance, does not necessarily include the Data Subject’s name. The Data Subject is free to decide whether the existing e-mail address provided is one that contains information on their personal identity.

Source of data: Provided directly by the Data Subject.

Potential consequences of the failure to disclose data: The Data Subject cannot use the convenience function provided with registration and is not entitled to create user account.

3.3. Order placed at the Website (Data controlled for the purpose of contracting)

Personal data Purpose of data controlling Time of data controlling Legal grounds for data controlling
Company name (optional): Required for invoicing in case of corporate customers. Following the performance of the contract, the Controller shall control the Subject’s data for the period of limitation under civil law (i.e. 5 years). Performance of the contract concluded with the Data Subject as a customer, in line with Paragraph b) of Section (1) of Article 6 of the Regulation.
Full name
(contact person)

The purpose of controlling of the data provided is

  • the conclusion and performance of the contract between the distant parties, as well as communication.
  • database registration and identification of the Data Subject,
  • communication

Providing such data is a condition of contracting and essential for fulfilling the order (online contract).

E-mail address

The Controller is required to send a confirmation e-mail on the fulfillment of the order to the specified e-mail address, and therefore it is essential for the performance of the contract (online contract).

Furthermore, the purpose of data controlling:

  • sending system message(s) related to the service (e.g. date of delivery).
  • Purpose of controlling the e-mail address
  • communication.
Phone number communication related to the order. (e.g. consultation with the courier)
Delivery information: zip code, city, street, number, floor and door as required Delivery information is required for the Controller to provide for the home delivery of the order. Providing such data is a condition of contracting and essential for fulfilling the order (online contract).
Invoicing information: zip code, city, street, number, floor and door as required Required for issuing the invoice related to the order. Providing such data is a condition of contracting and essential for fulfilling the order (online contract). The Controller is obliged to retain all data specified on the invoice for 8 years. Compliance with legal requirement as per Paragraph a) of Section (1) of Article 6 of the Regulation.

Source of data: Provided directly by the Data Subject.

Potential consequences of the failure to disclose data: The Data Subject is not able to place an order, as orders are impossible to be fulfilled without providing personal data. Failure to fulfill orders due to the fact that the Controller will not have such data that enable the order (e.g. delivery) to be fulfilled.

3.4. Invoicing

Personal data Purpose of data controlling Duration of data controlling Legal grounds for data controlling
Company name Mandatory content of the invoice, whose purpose is the management of invoices, preparation of accounting, record-keeping. The Controller is obliged to retain all data specified on the invoice for 8 years. Compliance with legal requirement as per Paragraph c) of Section (1) of Article 6 of the Regulation.
Invoicing address (Country, zip code, city, address, door/floor) Mandatory content of the invoice.
Tax number (optional data) Under which the product is sold or the service is provided to the person subject to tax payment obligation.

Source of data: Provided directly by the Data Subject.

Potential consequences of the failure to disclose data: The Controller is unable to comply with their legal requirements as per the provisions of the Accounting Act and the VAT Act.

3.5. Complaint management

Personal data Purpose of data controlling Time of data controlling Legal grounds for data controlling
Name If the Data Subject enforces any guarantee, warranty or other claim arising from a defective performance related to the purchased product, or the Controller handles any complaint of other kind, personal data are handled during such procedures.
The purpose of such data controlling is to provide claim and complaint handling procedure as per the legal requirements, as well as to allow communication between the parties in relation to the issue arisen.
As per the Consumer Protection Act, the Controller is required to retain all data and the related letters of complaint for 5 years following the complaint handling procedure. Compliance with the legal requirements set forth by the Consumer Protection Act and the Civil Code, as per Paragraph c) of Section (1) of Article 6 of the Regulation.
E-mail address (not mandatory/optional)
Phone number (not mandatory/optional)
Complaint submitted by the Data Subject Filing and retaining the complaint for the period of time specified in the relevant legal regulations.

Source of data: Provided directly by the Data Subject.

Potential consequences of the failure to disclose data: failure to handle warranty or other claims or complaints due to the fact that in the lack of personal data, the Controller is not be able to get and keep in contact with the Data Subject and remedy the issue in relation to the specific case.

3.6. Data controlling for other purposes

3.6.1. Newsletter, DM activity

Personal data Purpose of data controlling Time of data controlling Legal grounds for data controlling

Full name (first name, last name)

E-mail address

Registering the Subject’s subscription in the newsletter database, identifying the Subject. The purpose of data controlling is to allow the Controller to send newsletters with direct marketing content to the Subject by way of direct communications. The Controller keeps on controlling such data until the Data Subject unsubscribes from the newsletter by clicking on the unsubscribe link therein, or until the Data Subject requests the deletion of their registration by way of an e-mail or postal mail. In the case of unsubscription, the Controller will not contact the Data Subject with newsletters or offers any more. The Data Subject may unsubscribe from the newsletter at any time, free of charge, without any restriction or need for justification. Voluntary consent of the Data Subject as per Paragraph a) of Article 6 of the Regulation, and under Section (1) of Article 6 of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertisement activities.

Source of data: Provided directly by the Data Subject.

Potential consequences of the failure to disclose data: The Data Subject will not receive newsletters with direct marketing content, and will not have access to or information on the contents, offers, coupons, discounts therein.

4. DATA TRANSFER, ACCESS TO DATA AND DATA SECURITY MEASURES, SAFETY BACKUPS

4.1. Data transfer

Personal data can primarily be accessed by the Controller’s employees in order to perform their duties. In addition, the personal data of the Data Subject can be disclosed to the processor specified under Section 5 in order to perform their duties.

The Controller shall transfer the personal data to other bodies or government agencies only in the manner and for the purpose specified in the relevant legal regulation.

The Controller shall inform the Data Subject on the fact that the Controller can potentially be requested by the court, prosecutor, investigating authority, authority investigating violations, administrative authority, Hungarian National Authority for Data Protection and Freedom of Information, as well as by other agencies upon authorization provided in legal regulation to provide information, disclose or transfer data, as well as to make documents available.

If the accurate purpose and the scope of the required data has been specified by the authority, the Controller is allowed to disclose personal data only to such extent that is absolutely necessary for fulfilling the purpose of the request.

Data provided by the Data Subject will not be transferred for any other purpose.

4.2. Data security measures

The Controller shall take all necessary measures reasonably expectable to guarantee data security and provide proper level of protection, in particular against unauthorized access, alteration, transfer, disclosure, erasure or destruction, as well as against accidental destruction. The Controller shall provide for data security by implementing proper technical and organizational measures.

The IT system of the Website is installed on the servers of the Controller’s processor.

The Controller shall select and operate the IT devices used for data controlling and service provision so that the processed data:

  • are accessible to those with access authorization (accessibility);
  • are ensured to be authentic, and their authentication is provided (authenticity of data controlling);
  • can be verified to be integrate (data integrity);
  • are protected against unauthorized access (confidentiality of data).

When handling data, the Controller shall preserve

  • confidentiality: protects the information so that only those with relevant authorization can have access to it;
  • integrity: protects the accuracy and integrity of information and method of data controlling;
  • accessibility: ensures that the authorized user actually has access to the demanded information whenever it is needed, and the relevant devices are available to them.

4.3. Order of managing safety backups

In the scope of their tasks related to the protection of IT systems, the Controller shall implement particular measures that allow the restoration of data files – including regular safety backups, as well as isolated and safe handling of backup copies (safety backup).

Accordingly, the Controller – in order to prevent the loss of electronically stored data – shall create safety backup onto a dedicated storage media, on a daily basis from the data stored in the database containing personal data.

The place of storage of safety backups: H-1097 Budapest, Drégely utca 6-8, Building B, ground floor, door 3, Hungary

Access to the safety backup: The access to safety backups is restricted, they can only be accessed by persons with specific authorization. Access to data is subject to proper identification (at least username and password). Safety backups can be restored by the Controller only in the case of system destruction or data loss.

5. DATA PROCESSING

As per the relevant legal regulations, the Controller is entitled to engage processors for the purpose of providing specific technical activities or services. The processor is only entitled to execute the instructions and decisions of the Controller.

Processors include:

  • courier service providers
  • operator of the corporate management system
  • operator of the Website
  • accounting company
  • Zamnia employees.

6. RIGHTS OF THE DATA SUBJECT

6.1. Information and access to personal data

The Data Subject can request information from the Controller by way of sending written request to any of the contacts specified under Section 1, about the following:

  • what personal information is controlled,
  • on what legal grounds,
  • for what data controlling purpose,
  • from what source,
  • for how long,
  • Who is provided access to what personal data, where personal data have been transferred to, on what regulatory basis.

The Controller shall provide such information to the Data Subject in a widely-used electronic format, unless the Data Subject has requested such to be provided in writing on hardcopies. The Controller shall not provide any verbal information on phone in relation to the Data Subject’s data controlled by them.

For the first time, the Controller shall provide the copy of the personal data to the Data Subject free of charge. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. If the Data Subject requests the copy to be provided in electronic format, the Controller shall provide such information via e-mail, in widely used electronic format.

Should the Data Subject – having received the information – disagree with data processing or the correctness of the controlled data, they can request the rectification, completion, erasure of personal data relevant to them and the restriction of processing, they can object to the processing of such personal data, and they can initiate procedure as set forth in Section 7.

6.2. Right to rectification and completion of the controlled personal data

Upon the written request of the Data Subject, the Controller shall – without undue delay – rectify the inaccurate personal data specified by the Data Subject in writing or in person at any of the Controller’s stores, as well as complete any deficient data with the content specified by the Data Subject. The Controller shall communicate any rectification or completion carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Subject shall be informed of the details of such recipients if requested in writing.

6.3. Right to restriction of processing

The Data Subject may request restriction of processing from the Controller by way of written request, where one of the following applies

  • the accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data,
  • the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead,
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims,
  • the Data Subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Personal data subject to restriction shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A Data Subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.

6.4. Right to erasure (right to be forgotten)

Upon the Data Subject’s request, the Controller shall erase personal data concerning them without undue delay where one of the following grounds applies: i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Controller; ii) the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; iii) the Data Subject objects to processing – due to reasons related to their own situation – and there are no legitimate grounds for the processing, iv) the Data Subject objects to processing of personal data concerning them for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing, v) the personal data are unlawfully processed by the Controller; vi) the personal data have been collected in relation to the offer of information society services targeted directly at children.

The Data Subject may not exercise their right to erasure (right to be forgotten) when the data processing is required i) for exercising the right of freedom of expression and information; ii) for reasons of public interest in the area of public health; iii) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as exercising such right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or iv) for the establishment, exercise or defense of legal claims.

6.5. Right to data portability

If data processing is required for the performance of the contract, or it is based on the voluntary consent of the Data Subject, the Data Subject shall have the right to request the data provided by the Data Subject to the Controller to be received in a machine-readable format. If technically feasible, the Data Subject may request the data to be transferred to another Controller. In all cases, such right is restricted to the data provided by the Data Subject, in respect of any other data (e.g. statistics, etc.), the option of portability is not provided

The Data Subject shall have the right to receive the personal data concerning them, contained in the Controller’s system (e.g. upon newsletter subscription):

  • in a structured, commonly used and machine-readable format,
  • have the right to transmit those data to another controller,
  • have the right to request the data to be directly transferred to another controller – as long as it is technically feasible in the Controller’s system.

The Controller shall fulfill the request for data portability only upon written request sent via e-mail or postal mail. To fulfill the request, the Controller needs to make sure if the specific Data Subject is actually entitled to exercise such right. Under such right, the Data Subject may request the portability of such data that have been provided to the Controller by them. Exercising such right does not automatically entail the erasure of data from the Controller's systems, and therefore the Data Subject will – even after exercising such right – remain registered in the Controller’s systems, unless the erasure of data is also requested.

6.6. Objection to processing of personal data

By way of their statement submitted to the Controller, the Data Subject shall have the right to object to the processing of their personal data, on condition that the legal grounds for data processing is

  • public interest as per Paragraph e) of Section (1) of Article 6 of the GDPR, or
  • legitimate interest as per Paragraph f) of Section (1) of Article 6 of the GDPR.

In the event of exercising the right to object, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims. The Controller shall decide whether data processing is justified by compelling legitimate grounds. On their relevant standpoint, the Controller shall inform the Data Subject in an opinion.

The Data Subject may exercise their right to object in writing (via e-mail or postal mail), or – in the case of newsletter – by clicking on the unsubscribe link in newsletters.

6.7. Enforcement of rights on behalf of a deceased Data Subject

The rights of a deceased Data Subject – such as the right to access, rectification, erasure, restriction of data processing, data portability and object – can be enforced within five years following the death of the Data Subject, by the person authorized to act on behalf of the deceased in administrative provision, or in a statement to the Controller as included in public deed or a private document with full probative force. If the deceased person has made more than one such statement to the Controller, the person specified in the latter statement shall be entitled to enforce such rights.

If the deceased has not made such statement, the rights that the deceased was entitled to in their life and that are specified in the previous paragraph may be enforced by a close relative as specified in the Civil Code, within five years following the death of the Data subject (in case there are more than one such close relatives, the first one to exercise such right is entitled to act).

As per Subsection 1 of Section 1 of Article 8:1 of the Civil Code, close relative shall mean the spouse, the lineal relative, the adopted child, the stepchild and the foster child, the adoptive parent, the step-parent and the foster parent and the sibling. The close relative of the deceased person is required to prove:

  • the fact, as well as date of the death of the deceased Data Subject by presenting the copy of the death certificate or court decision, and
  • their own personal identity – as well as their close relative status – by presenting relevant public deed.

The person enforcing the rights of the deceased person shall have the rights and obligations that the deceased person had in their life, with particular regard to rights and obligations against the Controller, as well as those specified by the Hungarian National Authority for Data Protection and Freedom of Information, provided during court proceedings, and being in accordance with the Information Act and the Regulation.

Upon written request, the Controller is required to inform the close relative on the actions taken, unless such has expressly been prohibited by the deceased person in a relevant statement.

6.8. Deadline for the fulfillment of the request

The Controller shall inform the Data Subject on the actions taken without undue delay, and in any case within one month following the receipt of any request as per Sections 6.1–6.6. Considering the complexity and number of requests, the deadline may be extended by an additional period of two months as necessary; in such cases, however, the Controller shall inform the Data Subject of the causes of delay, as well of the Data Subject’s option to file a complaint at the supervising authority and exercise their right for judicial review.

Should the Data Subject's request be manifestly unfounded or excessive (with particular regard to its repeated nature), the Controller may charge a reasonable fee for fulfilling the request, or refuse to act on it. To prove it, the Controller is responsible to provide relevant evidence.

Where the Data Subject makes the request by electronic form means, the information shall be provided by electronic means, unless otherwise requested by the Data Subject.

The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the Data Subject about those recipients if the data subject requests it.

6.9. Compensation and grievance award

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the Controller or processor for the damage suffered. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the legal regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller. A Controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

7. REMEDIES

The Data Subject can exercise their rights in a written request sent via e-mail or postal mail.

The Data Subject cannot enforce their rights if the Controller evidences that they are not in a position to identify the Data Subject. Should the Data Subject’s request be manifestly unfounded or excessive (with particular regard to its repeated nature), the Controller may charge a reasonable fee for fulfilling the request, or refuse to act on it. To prove it, the Controller is responsible to provide relevant evidence. Where the Controller has doubts concerning the identity of the natural person submitting the request, the Controller may request the provision of additional information necessary to confirm the identity of the requestor.

As per the Information Act, the Regulation and the Civil Code (Act V of 2013), the Data Subject shall have the right to appeal to

  1. the Hungarian National Authority for Data Protection and Freedom of Information (H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.; www.naih.hu ) or enforce their rights
  2. before court. Upon the Data Subject’s decision, proceedings can be initiated at the tribunal court competent at the place of residence of the Data Subject (the list and contact details of the tribunal courts can be accessed on the following link: http://birosag.hu/torvenyszekek ).
    1. 8. HANDLING OF PERSONAL DATA BREACHES

      Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In order to verify the actions related to personal data breach, inform the supervisory authority, as well as for the information of the Data Subject, the Controller shall maintain a registry that contains the scope of personal data subject to breach, the scope and number of Data Subjects, the date, circumstances, effects of the breach, as well as the actions for mitigation. The Controller shall notify the Data Subject and the supervisory authority of any personal data breach without undue delay and within a maximum of 72 hours, unless such notification risks the rights and freedoms of natural persons.

      9. MISCALLANEOUS PROVISIONS

      The Controller reserves the right to unilaterally amend this Privacy Notice with prior notice to Data Subjects using the Website. Such amendments shall enter into force and become applicable to the Data Subject on the date specified in the notice, unless the Data Subject objects to such amendments.

      If the Data Subject has provided third-party data to use the services, and such act has caused damage in any way, the Controller is entitled to enforce damage compensation claims against the Data Subject.

      The Controller shall not verify the personal data provided to them. The person providing the data shall have sole responsibility for the accuracy of data provided. By providing any data, the Data Subject shall take responsibility for the truthfulness of the data provided, as well as for the fact that such are their own personal data, and they will be the only one to use the services under such data.

      Effective date of this Privacy Policy: 15 October 2019

      You can access the downloadable and printable version at HERE