Welcome to the Espera shop: Free shipping all summer!

Privacy Policy

1. Data Controller Information:

Company Name: ESPEARA Clothing Kft.
Registered Office: 1124 Budapest, Fodor utca 93.
Tax ID Number: 32543962-2-43
Company Registration Number: 01-09-429747
Representative: Ildikó Tóth, CEO
Phone Number: +36 70 944 3460
Email Address: info@esperamoments.com

2. Purpose of the Privacy Policy:

The data controller recognizes the content of this legal notice as binding for itself. The purpose of this Privacy Policy is to inform its customers, clients, and partners regarding the processing of their personal data.

The data controller processes personal data only in compliance with applicable laws and strictly adheres to the provisions related to data processing and protection, taking into account the principles of legality, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, and confidentiality.

The data controller takes all necessary technical and organizational measures to ensure the secure processing of personal data in accordance with the requirements of the European Parliament and Council (EU) Regulation 2016/679.

The data controller has adapted its daily activities and has developed its policies, records, forms, and notices to comply with the aforementioned regulations.

The data protection guidelines related to the data controller’s data processing practices are continuously available at the data controller’s registered office and website. The data controller reserves the right to modify this policy at any time. Any changes will be communicated in a timely manner to the public.

The data controller is committed to protecting the personal data of its clients and partners, and highly values respecting the information self-determination rights of its customers. The data controller processes personal data confidentially and implements all necessary security, technical, and organizational measures to guarantee the safety of the data. The data controller outlines its data processing practices below.

3. Scope of the Privacy Policy:

The scope of this Privacy Policy applies to the data controller as well as the individuals whose data are processed under the data processing activities described herein, and to those whose rights or legitimate interests are affected by the data processing.

The material scope of the policy covers all data processing activities carried out by the data controller.

This Policy enters into force on the date of approval and is valid indefinitely until further notice.

4. Key Definitions:

Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Special Categories of Data: Personal data that belong to special categories, such as those relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a person, health data, and data concerning a person’s sex life or sexual orientation.

Data Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller: The natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller.

Joint Controllers: Where two or more data controllers jointly determine the purposes and means of processing personal data, they are considered joint controllers.

Third Party: A natural or legal person, public authority, agency, or any other body that is not the data subject, the data controller, the data processor, or persons who, under the direct authority of the data controller or processor, are authorized to process personal data.

Consent of the Data Subject: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them.

Data Protection Incident: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

5. Lawful Data Processing by the Data Controller:

The personal data processing by the Data Controller occurs only in the following cases:

  1. If the data subject has given their consent to the processing of their personal data for one or more specific purposes,
  2. The data processing is necessary for the performance of a contract to which the data subject is a party,
  3. The data processing is required for the compliance with a legal obligation to which the Data Controller is subject,
  4. The data processing is necessary for the protection of the vital interests of the data subject or another natural person,
  5. The data processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party.
  6.  

The Data Controller reviews the lawfulness of data processing at every stage of its activities and processes only the data that is necessary and for which a valid legal basis can be demonstrated. If a legal basis for processing ceases to exist, the processing can only continue if the Data Controller can provide a valid alternative legal basis.

The means of proving the legal basis is generally in writing; in cases where the legal basis arises from implied actions, it should be ensured that such actions can be clearly demonstrated afterward. In case of doubt, reasonable and cost-effective measures should be taken to confirm the data processing through written consent.

For data processing based on consent, the data subject provides written consent for the processing of their personal data. The consent does not require a specific format but must be verifiable afterward, either in paper or electronic form.

Data processing based on legal obligations occurs independently of the data subject’s consent, as the processing is mandated by law. Regardless of the compulsory nature of the processing, the Data Controller must inform the data subject before starting the processing that it is mandatory and cannot be avoided. The data subject must also be informed, clearly and in detail, of all significant facts regarding the processing of their data before it begins.

According to the GDPR (General Data Protection Regulation), personal data may also be processed if the data processing is necessary for the performance of a contract to which the data subject is a party, or if the processing is necessary to take steps requested by the data subject before entering into a contract. The Data Controller may process personal data for the purpose of entering into, fulfilling, or terminating a contract.

6. Personal Data Processing by the Data Controller:

The Data Controller is engaged in the sale of custom-designed clothing. During this activity, it processes personal data of natural persons. The following data processing activities are carried out:

A. The Data Controller accepts orders through the website www.esperamoments.com. Customers can be individuals or legal entities. The customer may choose to make a purchase either with or without registration. During registration, the data subject is required to provide their name, address, email address, phone number, username, and password. Registered customers, after logging in (by entering their email address/username and password), can view their previous orders, the status of ongoing orders, and make new orders more easily as they do not need to re-enter their personal data. The purpose of processing personal data is to create a customer account and record personal data. The legal basis for processing personal data is the performance of a contract (Article 6(1)(b) of the General Data Protection Regulation). In the case of legal entities, the personal data of the contact person is processed, based on their consent (Article 6(1)(a) of the General Data Protection Regulation). The personal data provided during registration will be deleted by the Data Controller immediately after the customer deletes their account, but no later than 30 days after deletion. If the customer does not delete the account, the personal data will be kept by the Data Controller for up to 1 year from the last purchase. If no order is placed after the account is created, the personal data will be deleted by the Data Controller 1 year after registration.

In the case of an order, the Data Controller processes the customer’s name, address, email address, and phone number. The purpose of this data processing is to fulfill the obligations under the contract and maintain communication. The legal basis for processing personal data is the performance of a contractual obligation (Article 6(1)(b) of the General Data Protection Regulation). In the case of a legal entity, the contact person’s personal data is processed with the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).

The Data Controller issues invoices for the products sold, which include the customer’s name, address, and possibly the tax identification number. The issuance of invoices is a legal obligation of the Data Controller. The legal basis for processing the personal data on the invoice is compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The personal data on the invoice is stored by the Data Controller for 8 years in accordance with the retention requirements set out in Section 169 of Act C of 2000 on Accounting.

B. In the course of its work, the Data Controller also enters into contractual relationships with subcontractors, suppliers, and service providers, which also provides a basis for processing personal data. In this case, the legal basis for processing personal data (in the case of natural persons or sole proprietors) is the performance of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation), and for the contact person of a legal entity, it is based on prior informed consent (Article 6(1)(a) of the General Data Protection Regulation).

C. In performing its duties, the Data Controller processes the email addresses and phone numbers of its customers, clients, and partners, for the purpose of fulfilling its contractual obligations (Article 6(1)(b) of the General Data Protection Regulation), or based on their individual consent (Article 6(1)(a) of the General Data Protection Regulation).

D. Occasionally, the Data Controller takes photographs or video recordings of customers, clients, partners, and other data subjects. If a recognizable individual appears in the recording, the recording will only be made and used with the data subject’s (or in the case of minors, the legal guardian’s) written, informed, voluntary consent. This applies to usage on the Data Controller’s website, social media, or other public appearances.

If the recording is not made by the Data Controller but is submitted by the customer or another data subject, the Data Controller will still request written, informed consent from the data subject (or the legal guardian). The legal basis for processing in these cases is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation). If the data subject withdraws their consent and requests the discontinuation or deletion of the recording, the Data Controller will comply with this request promptly, but no later than 30 days after the withdrawal of consent.

E. The Data Controller also presents its products in photos, which occasionally feature models. The purpose of these photos is to showcase and promote the products. The legal basis for the processing of personal data in this context is the fulfillment of the obligations under the contract with the model (Article 6(1)(b) of the General Data Protection Regulation).

F. The Data Controller operates the website www.esperamoments.com, where it presents its activities and products. The website uses cookies, which also collect personal data from visitors. The legal basis for processing this data is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).

G. The Data Controller provides a form for the exercise of the right of withdrawal (returning a product) on the website. The form requires the customer to provide their name, email address, phone number, order number, and IBAN bank account number for the refund. The purpose of processing this personal data is to contact the data subject and handle the withdrawal request. The legal basis for processing the personal data provided in this context is compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The Data Controller’s legal obligation is to provide the right of withdrawal to customers. The applicable regulation is Government Decree 45/2014 (II. 26.), and personal data will be retained by the Data Controller for 3 years as required by law.

H. The Data Controller also operates social media accounts, where personal data is processed. The legal basis for processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).

I. During complaint handling, the purpose of data processing is to enable the reporting of the complaint, identify the data subject and their complaint, and record legally required data, as well as communicate regarding the investigation and resolution of the complaint. Processing personal data in connection with complaints is mandatory under the Hungarian Consumer Protection Act (1997. CLV). The legal basis for processing personal data is compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).

The Data Controller keeps a record of these data processing activities. The record includes the deadlines for the deletion of personal data. The record is an annex to this Privacy Policy.

7. Data Processors Associated with the Data Controller:

If the data processing is carried out on behalf of the data controller by another party, the data controller may only engage data processors who provide adequate guarantees of compliance with the requirements of the General Data Protection Regulation (GDPR), or who implement appropriate technical and organizational measures to protect the rights of data subjects.

The data controller hereby declares that, during its operations, it only works with data processors who provide sufficient guarantees of compliance with the GDPR and implement appropriate technical and organizational measures to protect the rights of data subjects. Relevant declarations from the data processors are available upon request.

By reviewing and acknowledging this Privacy Notice, the data subjects agree that the data controller may transfer their personal data to the data processors and joint data controllers listed below.

  • Data Processor – The accounting firm entrusted by the data controller:
    • Mucsné és Társa Kft.
  • Data Controller’s Partner – Responsible for issuing invoices:
  • Data Controller’s Partner – Responsible for payment by credit card, who qualifies as an independent data controller:
    • PayPal (Europe) S.a.r.l. et Cie, S.C.A.
    • 22-24 Boulevard Royal L-2449, Luxembourg
      The legal basis for processing personal data is the performance of the contract, followed by the fulfillment of the retention obligation as required by law.
  • Data Processor (also acting as an independent data controller in the performance of its duties) – The courier company used by the data controller:
  • Data Processor – The company providing the hosting services for the data controller’s website:
    • Sybell Informatika Kft.
    • 1158 Budapest, Késmárk u 7/B 2. em. 206.
    • hello@sybell.hu
  • Data Processor – Due to the use of Google Analytics on the data controller’s website:
    • Google Ireland Limited
    • Gordon House, Barrow Street, Dublin 4, Ireland
  • Data Processor – The contractor collaborating with the data controller who has access to the website:
  • Data Processor – The service provider for the data controller’s email system:
    • Sybell Informatika Kft.
    • 1158 Budapest, Késmárk u 7/B 2. em. 206.
    • hello@sybell.hu
  • Joint Data Controllers – Due to the use of social media platforms:
    • Meta Platforms Ireland Ltd.
    • 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
    • TikTok Technology Limited
    • 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
    • reports@tiktok.com
  • The data controller also forwards customers’ and buyers’ personal data to the National Tax and Customs Administration.

The contracted data processors and data controller partners process personal data strictly according to the instructions provided by the data controller (except when required by law) and are bound by confidentiality obligations.

8. Data Processing Related to Contracts Entered into by the Data Controller:

Customer Contracts:

The data controller accepts orders via the website www.esperamoments.com. Customers can be both individuals and legal entities. On the webshop, the customer can choose whether to register or purchase without registration. During registration, the data controller requests the customer’s name, address, email address, phone number, username, and password. Registered customers, after logging in (by providing email/username and password), can view their past orders, the status of ongoing orders, and their current situation, and it becomes easier to place a new order as they do not need to provide their details again. The purpose of processing personal data is to create a customer account and record personal data. The legal basis for processing personal data is the creation of the contract (Article 6(1)(b) of the General Data Protection Regulation (GDPR)). In the case of a legal entity, the personal data of the contact person are processed, based on the consent of the data subject (Article 6(1)(a) of GDPR). The personal data collected during registration will be deleted by the data controller immediately, but no later than 30 days after the customer account is terminated by the customer. If the customer account is not terminated by the customer, the personal data provided during registration will be kept by the data controller for a maximum of 1 year from the last purchase. If no order is placed after the creation of the customer account, the data controller will delete the personal data provided during registration 1 year after the registration date.

In the case of an order, the data controller processes the customer’s name, address, email address, and phone number. The purpose of processing personal data is to fulfill the obligations under the contract and for communication purposes. The legal basis for processing personal data is the performance of the contractual obligations (Article 6(1)(b) of GDPR). In the case of a legal entity, the personal data of the contact person are processed based on the consent of the data subject (Article 6(1)(a) of GDPR).

The data controller issues an invoice for the products sold, containing the customer’s name, address, and possibly their tax number. Issuing the invoice is a legal obligation of the data controller. The legal basis for processing personal data on the invoice is the fulfillment of a legal obligation (Article 6(1)(c) of GDPR). The personal data on the invoice will be stored by the data controller for 8 years in accordance with the retention obligation set out in Section 169 of Act C of 2000 on Accounting.

Supplier Contracts:

The data controller also processes supplier contact information (name, email address, phone number) and works with service providers and subcontractors. In these cases, personal data of the contact person or individual entrepreneur are processed for the purpose of maintaining contact with the partners. The legal basis for processing personal data is the fulfillment of the contractual obligations (Article 6(1)(b) of GDPR), or the contact person’s consent (Article 6(1)(a) of GDPR).

The data controller has the contact persons of companies complete a consent form, informing them of their rights related to personal data and requesting their consent to process their data. In such cases, the legal basis for processing personal data is the written, informed consent of the data subject (Article 6(1)(a) of GDPR). If the contract with the partner is terminated and no statutory retention obligation applies to the data or documents, the phone numbers and email addresses will be deleted. The personal data on the contract and the invoice will be stored for 8 years in accordance with the retention obligation set out in Section 169 of Act C of 2000 on Accounting.

9. Processing of Invoices Issued to Customers and the Personal Data Contained in Them:

The data controller issues invoices to customers for the products sold. The invoice contains the customer’s name, address, and possibly tax number. The invoice is issued to fulfill a legal obligation. The legal basis for processing personal data on the invoice is the fulfillment of a legal obligation (Article 6(1)(c) of GDPR). The personal data collected in this way will be stored by the data controller for 8 years in accordance with the retention obligation set out in Section 169 of Act C of 2000 on Accounting.

10. Processing of Children’s Data and Special Categories of Personal Data:

By consenting to the use of cookies on the website, the data subject declares that they are over the age of 16. Persons under the age of 16 cannot consent to the data collection through cookies on the website, as, according to Article 8(1) of the General Data Protection Regulation (GDPR), the consent to data processing must be given by the legal representative of the child in order for it to be valid. The data controller is not able to verify the age and eligibility of the person giving consent, so the data subject guarantees that the information provided is accurate.

The data controller does not record any special categories of personal data that have been disclosed to or come to the attention of the data controller. If such data enters any system of the data controller without its knowledge, it will be immediately deleted upon detection.

11. Handling of Email Addresses and Phone Numbers:

During its activities, the data controller comes into possession of the email addresses and phone numbers of its customers, clients, and partners. Personal data obtained in this manner is processed primarily to fulfill the data controller’s contractual obligations (Article 6(1)(b) of the General Data Protection Regulation (GDPR)). If the contract with the partner is terminated, and no legal retention obligation applies to the data or documents, the phone numbers and email addresses will be deleted. In some cases, the data controller may still have a legitimate interest in retaining the data, in which case the data subject’s prior consent is requested to retain their personal data (Article 6(1)(a) of GDPR).

12. Personal Data Processing Related to Photographic and Video Recordings Made by the Data Controller:

The data controller occasionally takes photographs or video recordings of its customers, clients, partners, and other data subjects. If the recording features a recognizable individual, the recording will only be made and used (on the data controller’s website, social media platforms, or in other publications) with the written, informed, prior, and voluntary consent of the data subject (or the legal representative in the case of minors).

In some cases, the recording is not made by the data controller but by the customer or another data subject, who then sends the recording to the data controller. In these cases, the data controller will still request the written, informed consent of the data subject (or their legal representative) for the use of the recording. The legal basis for this data processing is the consent of the data subject (Article 6(1)(a) of GDPR). If the data subject withdraws their consent and requests the cessation of the use of the recording or its deletion, the data controller will comply with this request promptly, but no later than 30 days after the withdrawal of consent.

The data controller’s products are presented in photographs, occasionally featuring models. The purpose of creating and using these photos is to showcase and promote the products. The legal basis for processing personal data during the creation and use of these photos is the fulfillment of contractual obligations with the model (Article 6(1)(b) of GDPR).

13. Data Controller’s Website:

The data controller showcases its activities and products on the website www.esperamoments.com for the information of interested parties.

The data controller’s website uses cookies during its operation. The legal basis for processing personal data obtained through these cookies is the visitor’s consent (Article 6(1)(a) of the General Data Protection Regulation (GDPR)).

The following cookies are used on the website www.esperamoments.com:

  • CookieConsent
    • Duration: 1 year
    • Type: Strictly necessary
  • _ga
    • Duration: 1 year, 1 month, 4 days
    • Type: Statistical – Google Analytics
  • _ga_2WHK4XKL98
    • Duration: 1 year, 1 month, 4 days
    • Type: Statistical – Google Analytics
  • sbjs_current
    • Duration: Until the end of the browsing session
    • Type: Statistical – Sourcebuster
  • sbjs_current_add
    • Duration: Until the end of the browsing session
    • Type: Statistical – Sourcebuster
  • sbjs_first
    • Duration: Until the end of the browsing session
    • Type: Statistical – Sourcebuster
  • sbjs_first_add
    • Duration: Until the end of the browsing session
    • Type: Statistical – Sourcebuster
  • sbjs_migrations
    • Duration: Until the end of the browsing session
    • Type: Statistical – Sourcebuster
  • sbjs_session
    • Duration: 30 minutes
    • Type: Statistical – Sourcebuster
  • sbjs_udata
    • Duration: Until the end of the browsing session
    • Type: Statistical – Sourcebuster
  • woocommerce_cart_hash
    • Duration: Until the end of the browsing session
    • Type: Strictly necessary
  • woocommerce_items_in_cart
    • Duration: Until the end of the browsing session
    • Type: Strictly necessary
  • wp_woocommerce_session_988b049893b6470d08dce0f259cc05d1
    • Duration: 2 days
    • Type: Strictly necessary
  • elementor
    • Type: Strictly necessary
  • wpEmojiSettingsSupports
    • Duration: Until the end of the browsing session
    • Type: Strictly necessary
  • wc_fragments_e0e1a91736298b4294adb2fff6215cd3
    • Duration: Until the end of the browsing session
    • Type: Other

 

Cookies (Cookies):

The purpose of the cookies:

  • Collect information about visitors and their devices;
  • Remember individual settings that may be used later;
  • Facilitate the use of the website;
  • Provide a quality user experience.

To provide personalized services, a small data package, known as a cookie, is placed on the user’s computer and later retrieved on subsequent visits. If the browser sends a previously saved cookie, the service provider that handles the cookie can link the user’s current visit to previous visits, but only regarding their own content.

 

Strictly Necessary, Session Cookies:

These cookies are used to ensure that visitors can fully and seamlessly browse the website, use its features, and access the services provided. The validity of these cookies lasts until the end of the browsing session (session ends when the browser is closed). They are automatically deleted from the computer or other devices used for browsing once the browser is closed.

 

Data Subject’s Choice Regarding Cookies:

Web Browser Cookies:

In the browser settings, the data subject can accept or reject new cookies and delete existing cookies. It is also possible to set the browser to notify when a new cookie is placed on the computer or other device. Further information on handling cookies can be found in the browser’s “Help” function.

If the visitor decides to disable some or all cookies, they may not be able to use all the features of the website.

 

Third-Party Cookies (Analytics, Statistics):

Use of Google Analytics (Analytics, Statistics):

The data controller’s website also uses Google Analytics third-party cookies. By using the Google Analytics web analytics and statistical service, the data controller collects information about how visitors use the website. The data is used for improving the website and user experience. These cookies remain on the visitor’s computer or other device until they expire, or until the visitor deletes them.

If websites or applications use Google Analytics alongside other Google advertising products, such as Google Ads, additional advertising identifiers may also be collected. Users can disable this service in the Ad Settings, or adjust their cookie preferences.

Google Analytics collects the users’ IP addresses to ensure service security and to provide website owners with insights into the geographical origin (country, state, or city) of their visitors (referred to as “IP-based geolocation”). Google Analytics offers the option to mask the collected IP addresses, though website owners may still see the user’s IP address if they do not use Google Analytics.

Within Google Analytics, the IP address transmitted by the visitor’s browser is not linked to other Google data. Cookie storage can be prevented by adjusting the browser software settings; however, this may result in not being able to fully use all the website’s functions.

Additionally, the visitor can prevent Google from collecting data generated by cookies related to their use of the website (including the IP address) and processing this data by Google by downloading and installing the browser plugin available via the following link: http://www.google.com/policies/privacy/ads/.

Google acts as the data processor for the data controller under the General Data Protection Regulation (GDPR). Google Analytics collects and processes data on behalf of its clients (such as the data controller), according to their instructions.

 

Consent for Cookie Use:

By accepting the use of cookies on the data controller’s website, the data subject declares that they are over the age of 16. A person under 16 cannot provide consent to the use of cookies on the website, as, according to Article 8(1) of the GDPR, consent to data processing requires the approval of a legal representative. The data controller cannot verify the age or eligibility of the consenting individual, and thus the data subject ensures that the information provided is accurate.

 

Personal Data Processing During Use of the Product Return Form:

On the website, a form is available for exercising the right of withdrawal (product return). The form requires the buyer’s name, email address, phone number, order number, and IBAN bank account number where the refund is requested. The purpose of processing this personal data is to contact the data subject and manage the withdrawal process. The legal basis for processing personal data in this context is the performance of a legal obligation (Article 6(1)(c) of the GDPR). The data controller is legally obligated to ensure the right of withdrawal for customers. The relevant provisions are governed by the 45/2014 (II. 26.) Government Decree. The personal data will be retained by the data controller for 3 years in accordance with legal requirements.

14. Data Controller’s Social Media Pages:

The data controller operates social media pages, where personal data processing also takes place. The data controller uses its Facebook page to promote its activities, showcase its products and services.

  1. Facebook Page
    • https://www.facebook.com/profile.php?id=61566478797129
    • URL: Esperamoments Facebook profile
      The data controller promotes its products and services and interacts with users through its Facebook page. The purpose of the data processing is advertising and information sharing on the social media platform. The data controller does not receive personal data directly from Facebook. Any personal data shared by the user is only used to respond to inquiries and not for advertising purposes. Facebook may use the data for its own purposes, including profiling and targeted advertising.
  1. Instagram Page:
  1. TikTok Page

Personal data processing on social media is based on voluntary consent from the data subject. Consent is considered granted when the user likes, follows the page, comments on posts, or otherwise interacts with the data controller. Data processing on social media platforms is subject to the privacy policies of Facebook, Instagram, and TikTok.

15. Complaints Handling in Connection with the Data Controller’s Activities:

The purpose of handling complaints related to the data controller’s activities is to enable the submission of complaints, identify the data subject and their complaint, and record the data required by law, as well as to investigate and resolve the complaint.

  • Legal basis: Compliance with a legal obligation (GDPR Article 6(1)(c)).
  • Data retention: The data related to complaints will be stored for 3 years in accordance with the legal requirements.

16. Data Security:

The data controller is committed to ensuring the security of personal data. It takes appropriate technical and organizational measures to ensure that the collected, stored, and processed data is protected, preventing its destruction, unauthorized use, or unauthorized alteration.
The data controller ensures:

  • Physical security: Paper-based data is stored in secure, locked locations such as safes and monitored rooms.
  • IT security: Computer systems are protected with antivirus software, password protection, and other security measures.
  • Access control: Only the data controller and their trusted data processors have access to the personal data.

The data controller guarantees that unauthorized persons cannot access, disclose, modify, or delete personal data. Only the data controller and authorized data processors have access to the personal data.

Although the data controller makes every effort to ensure the security of the data, complete security cannot be guaranteed in online and computer systems. If an unauthorized access or data breach occurs, the data controller will follow the necessary procedures, as described in this policy, and notify the affected individuals in accordance with applicable laws.

  1. Rights of Data Subjects:
  • Right to Transparent Information: This Privacy Notice aims to provide clear, concise, transparent, and understandable information about the data processing activities conducted by the data controller.
  • Right of Access: The data subject has the right to obtain confirmation from the data controller as to whether their personal data is being processed, and if such processing is taking place, the data subject is entitled to access the following information:

• the purpose of the data processing,
• the categories of personal data concerned,
• the recipients to whom the personal data have been disclosed,
• the intended retention period of the personal data.

The data subject can request information on the above matters at the following address, or via email:
ESPERA Clothing Ltd.
1124 Budapest, Fodor Street 93,
Email: info@esperamoments.com

The data controller will respond to your request within 30 days. For requests sent by post, a response will be provided by post; for email requests, a response will be provided via email.

  • Right to Rectification: The data subject has the right to request that the data controller rectify any inaccurate personal data concerning them.

The data subject can request information on the above matters at the following address, or via email:
ESPERA Clothing Ltd.
1124 Budapest, Fodor Street 93,
Email: info@esperamoments.com

The data controller will respond to your request within 30 days. For requests sent by post, a response will be provided by post; for email requests, a response will be provided via email.

  • Right to Erasure (Right to be Forgotten): The data subject has the right to request the deletion of personal data concerning them. The data controller is obliged to delete the personal data based on such a request if any of the following reasons apply:

• the personal data is no longer necessary for the purposes for which it was collected,
• the data subject withdraws their consent on which the processing is based and there is no other legal ground for processing,
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
• the personal data has been unlawfully processed,
• the personal data must be erased in order to comply with a legal obligation under Union or Member State law.

The data subject can request information on the above matters at the following address, or via email:
ESPERA Clothing Ltd.
1124 Budapest, Fodor Street 93,
Email: info@esperamoments.com

The data controller will respond to your request within 30 days. For requests sent by post, a response will be provided by post; for email requests, a response will be provided via email.

  • Right to Restrict Processing: The data subject has the right to request the restriction of processing when:

• the accuracy of the personal data is contested,
• the data subject considers the processing to be unlawful but does not request the erasure of the personal data.

The data subject can request information on the above matters at the following address, or via email:
ESPERA Clothing Ltd.
1124 Budapest, Fodor Street 93,
Email: info@esperamoments.com

The data controller will respond to your request within 30 days. For requests sent by post, a response will be provided by post; for email requests, a response will be provided via email.

  • Right to Data Portability: The data subject has the right to receive their personal data concerning them in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller.
  •  

The data subject can request information on the above matters at the following address, or via email:
ESPERA Clothing Ltd.
1124 Budapest, Fodor Street 93,
Email: info@esperamoments.com

The data controller will respond to your request within 30 days. For requests sent by post, a response will be provided by post; for email requests, a response will be provided via email.

  • Right to Object: The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data, as described in Article 21 of the European Parliament and Council Regulation (EU) 2016/679.
  •  

The data subject can request information on the above matters at the following address, or via email:
ESPERA Clothing Ltd.
1124 Budapest, Fodor Street 93,
Email: info@esperamoments.com

The data controller will respond to your request within 30 days. For requests sent by post, a response will be provided by post; for email requests, a response will be provided via email.

  • Right in Relation to Automated Decision-Making: The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Automated decision-making refers to any process or methodology where technical automation evaluates the personal characteristics of the data subject, and which results in legal consequences or significantly affects the data subject. The data controller does not use automated decision-making, including profiling, that has significant effects on the data subject’s rights.

The data subject can request information on the above matters at the following address, or via email:
ESPERA Clothing Ltd.
1124 Budapest, Fodor Street 93,
Email: info@esperamoments.com

The data controller will respond to your request within 30 days. For requests sent by post, a response will be provided by post; for email requests, a response will be provided via email.

The data controller undertakes to inform all recipients, with whom personal data has been shared, about the requests received concerning the above rights, unless this proves impossible. Furthermore, the data controller undertakes to notify the data subject of the decision related to their request, at the latest, within 30 days.

18. Data Protection Incident:

A data protection incident is defined as a security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data that has been transmitted, stored, or otherwise processed.

In the case of a data protection incident, the security breach must be of a serious nature, meaning the breach must be of a degree that results in:

  • the destruction,
  • loss,
  • alteration,
  • unauthorized disclosure, or
  • unauthorized access to personal data.
  •  

An incident is considered to have occurred if any of the above happens, but this does not exclude the possibility that multiple points may occur simultaneously. This category includes not only intentional, malicious actions but also breaches caused by negligence. Therefore, the incident occurs if the breach is caused by an accidental or unlawful act.

Examples of data protection incidents include:

  • illegal transmission of personal data via document, portable device, data carrier, or IT system (e.g., email),
  • unauthorized access to an IT system or application that processes personal data,
  • damage to or loss of part or all of a personal data-containing database,
  • the inaccessibility of part or all of the IT system due to a virus or other malicious software, etc.

Without appropriate and timely measures, a data protection incident may cause physical, financial, or non-material damage to individuals, including the loss of control over their personal data, restriction of their rights, discrimination, identity theft or misuse, financial loss, unauthorized de-anonymization, harm to reputation, damage to the confidentiality of personal data protected by professional confidentiality obligations, and other significant economic or social disadvantages affecting the individuals involved.

In the event of a data protection incident (unless the incident is unlikely to result in a risk to the rights and freedoms of individuals), the data controller must immediately notify the National Authority for Data Protection and Freedom of Information. Once the incident comes to the data controller’s attention, it must be reported without undue delay, and no later than 72 hours after becoming aware of the data protection incident. If the report cannot be made within 72 hours, the reason for the delay must be specified, and the required information must be provided in phases, without further undue delay.

The National Authority for Data Protection and Freedom of Information operates a system on its website specifically for reporting data protection incidents, which allows submissions to be made electronically.

The data controller keeps a record of data protection incidents, detailing the facts surrounding the incident, its effects, and the measures taken to address it. The data controller must maintain records of incidents, including their causes, events, and the scope of personal data affected. Additionally, the register must include the effects and consequences of the incidents, the corrective actions taken, and the controller’s conclusions (e.g., why the incident was not reportable, or if the report was delayed, the reason for the delay).

An incident need not be reported to the supervisory authority if it is unlikely to result in a risk to the rights and freedoms of individuals.

If the data protection incident is likely to result in a high risk to the rights and freedoms of the data controller’s customers, clients, or partners, the affected party must be informed without delay. The information provided to the affected party must clearly and understandably describe the nature of the data protection incident and provide the most important details and actions taken.

The data subject does not need to be informed in the following cases:

  • the data controller has implemented appropriate technical and organizational protection measures, and these measures were applied to the personal data affected by the incident, particularly those measures that render the data unintelligible to unauthorized persons;
  • the data controller has taken further measures after the incident that ensure the high risk to the rights and freedoms of the affected data subjects is no longer likely to occur;
  • informing the data subject would require disproportionate effort. In such cases, the data subjects should be informed through publicly available communications or similar measures that ensure the data subjects are effectively informed.
    19. Information on Relevant Legislation:
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info Act);
  • Act V of 2013 on the Civil Code (Civil Code);
  • Act C of 2000 on Accounting (Accounting Act);
  • Government Decree 45/2014 (Feb. 26) on the Detailed Rules of Contracts between Consumers and Businesses;
  • Act CLV of 1997 on Consumer Protection.

    20.Right to Appeal to the Court:

In the event of a violation of their rights, the data subject has the right to appeal to the courts against the data controller. The court will handle the case on an expedited basis.

  1. Data Protection Authority Procedure:

A complaint can be filed with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information
Headquarters: 1055 Budapest, Falk Miksa u. 9-11.
Mailing Address: 1363 Budapest, P.O. Box 9.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

22. Other Provisions:

The data controller provides information about data processing not listed in this privacy notice at the time of data collection. In such cases, the provisions of applicable legislation will be followed.

The data controller hereby informs its customers and clients that the court, the prosecutor’s office, the investigating authorities, the administrative authority, the National Authority for Data Protection and Freedom of Information, the Hungarian National Bank, or other bodies authorized by law may request information, data disclosure, transfer, or access to documents. The data controller will only release personal data to the authorities to the extent necessary for the purpose of the request, provided that the authority has specified the exact purpose and scope of the data.

The website of the Data Protection Authority contains further information about the data protection rights referenced in this Privacy Notice.

Budapest, 2024.11.01.

Tóth Ildikó

Owner

FEEL FREE to CONTACT us with ANY QUESTION or CONCERNS.