Adatkezelési tájékoztató angolul

• 1. Privacy Policy

  
  Identification of controller

  We inform you that the website https://totallsport.com/ is run by

  Goal Hungary Trading and Service Limited Liability Company 

  Short name: Goal Hungary Kft. (Goal Hungary Ltd.)
  Registration number: 03-09-125370 -  Registry Court of Kecskemét (Kecskeméti Törvényszék Cégbírósága)
  Tax number: 24146041-2-03
  Headquarters:  11 Gazdasági dűlő , Helvécia, Hungary 6034 (Magyarország, 6034 Helvécia, Gazdasági dűlő 11.)
  Place of establishment: 16 Kada Elek Street, Kecskemét 6000 Hungary (Magyarország, 6000 Kecskemét, Kada Elek u. 16.)
  Place of business: 16 Kada Elek Street, Kecskemét 6000 Hungary (Magyarország, 6000 Kecskemét, Kada Elek u. 16.)

  (Controller hereafter).

   

  2. Legal requirements concerning processing, scope of present policy

  2.1. Service of website identified by address above (website hereafter), run by Controller identified above (Controller hereafter), is supplies services from Hungary. In accordance with this, Hungarian and European law applies to service, Users during they are using services (including processing). Controller uses information about Users primarily based on these regulations:

  - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (GDPR hereafter)
  (AZ EURÓPAI PARLAMENT ÉS A TANÁCS (EU) 2016/679 RENDELETE (2016. április 27.) a természetes személyeknek a személyes adatok kezelése tekintetében történő védelméről és az ilyen adatok szabad áramlásáról, valamint a 95/46/EK irányelv hatályon kívül helyezéséről (általános adatvédelmi rendelet),

  - Regulation CVIII of 2001 on Electronic commercial services and services related to some aspects of information society
  (az elektronikus kereskedelmi szolgáltatások, valamint az információs társadalommal összefüggő szolgáltatások egyes kérdéseiről szóló 2001. évi CVIII. törvény (Ekertv.)),
  - and Regulation XLVIII of 2008 on  Basic conditions and some limits of economic advertising activities (és a gazdasági reklámtevékenység alapvető feltételeiről és egyes korlátairól szóló 2008. évi XLVIII. törvény (Grt.)).

  2.2. Present policy applies to processing done during the usage of the website, drawing on services offered there, as well as fulfilling orders on the webshop.

  2.3. Based on present policy, Users are: natural persons browsing website and drawing on services of website, and natural persons ordering products from Controller.

   

  3. Legal bases of processing

  3.1. Legal basis of processing done by Controller lies upon GDPR Article 6, Paragraph (1), Point a) about consent of User to processing, and Article 6, Paragraph 1, Point b) of GDPR, which states that processing is necessary for fulfillment of contracts in which User is one of the parties.

  3.2. In case of processing based on given consent, User previously agrees to processing by marking an indicator box above processing agreement placed at relevant places. User can read about processing anytime under “Privacy Policy” appearing at every page of the website, or by clicking on “Privacy Policy” link in processing agreement mentioned in this point, through which Controller provides User in advance with obvious and detailed information. By marking the indicator box above processing agreement, User declares that they have read Privacy Policy and consents to handling their data in accordance with present policy knowing its content.

  3.3. In certain cases, Controller is required to do some processing actions, or its rightful interest might be the legal basis to process data. User can read about these in more detailed below, in chapters about each case of processing.

   

  4. Processing related to operation of information technology service

  4.1. Concerned parties in processing: All Users visiting website, regardless of whether they use the offered services or not at website.

  4.2. Legal basis of processing: Act CVIII of 2001, § 13/A authorizes Controller to handle information technically absolutely necessary to provide services. Consequently, it is the rightful interest of Controller to do so, based on GDPR Article 6, Paragraph (1), Point f). Relying on this legal basis, Controller handles exclusively those types of data that are necessary to ensure a user-friendly operation of website, and works with them only until it is needed. These pieces of information are such technical data which is essential to provide an enjoyable appearance of website, proper and comfortable use of its functions. Data are not forwarded to a third party and are not used for any other purposes. Controller works with service providers indicated in Chapter 14 under in connection with these data. As a result, processing does not have any risks on User’s side, however, using the website properly is not possible without handling data. It is the rightful interest of Controller to operate website properly, as it can only provide its services this way, it is an inevitable condition for its functioning. Consequently, Controller handles information mentioned above in order to fulfil this goal as its rightful interest, and based on which rightful interest – because processing is not high risk for User – Controller limits User’s autonomy to a proportional extent. 

  Legal basis to data management and marketing activities lies upon GDPR Article 6, Paragraph (1), Point a) about consent of User to data management. User can give its consent to data collection for data processing and marketing purposes by clicking on the check boxes that pop up when User starts browsing on the website.

  4.3. Determining the scope of handled data: Information-technological processing affects data related to the operation of “cookies” used for the operation of the website and data that is necessary for using diary files applied by the operator of website, according to the following.

  In order to ensure user-friendly browsing the handled data is:

  - websites visited during entering website and the order of opening them
  - User’s IP address.

  Data handled to measure popularity of website (anonymous data that cannot be linked to User):

  - websites visited during entering website and the order of opening them
  - frequency of opening certain webpages on the website
  - which other website User has come from to present website (only in case of websites that have a link to present website)
  - determining User’s geographical position (based on Internet service company, only approximate data about the device used for browsing)
  - time when browsing is started
  - time when browsing is finished
  - period until website is surfed.

  Data that is handled to check entry rights when entering website:

  - user name and password (can be stored based on User’s consent)
  - User’s e-mail address
  - IP address of User’s device.

  4.4. Purpose of processing: “Cookies” and diary files are necessary to provide a user-friendly and safe operation of the website. Aim of processing these is to provide a safe and user-friendly functioning of website for concerned Users and also collecting data about the usage of the webpage.

  This includes the following:

  - Identification of User’s browser device, and remembering identifying data - through browsing time - based on IP address. Surfing the Internet becomes smoother, as without this function, User should be obliged to identify themselves at each website they visit.

  Data that is necessary for the following purposes are recorded in case of User’s contribution: 

  - Measuring the popularity and frequency of visits at webpages of website and the time spent on webpages in order to shape website to the needs of Users.
  - Identifying approximate place of User’s device used for browsing, mapping the demand for Controller’s service.
  - Identifying website from which User has arrived, in order to provide information about services of other websites that have links to present one, and to be able to offer information about topics of User’s interest.

  Controller’s IT system uses the devices of Google Analytics (Google Ireland Ltd.) for measuring data described above. During visiting websites that applies the devices of Google Analytics Google cookies take note of preferences and information indicated by User that also means the recognition of data handled for measuring visits of the website and for mapping searching habits.

  Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) also has access to data described above as the owner and operator of the devices of Google Analytics.Google Ireland Ltd. uses data described above to perform analysis and also to send targeted advertisements to surfing User. While doing so, Google Ireland Ltd. sets out the possible interests by connecting data described above and the IP address of the device that was used for searching then targeted advertisements are sent to the given tool. Google Ireland Ltd. Has no access to any other data mentioned in this Policy except those described in this section.

  Cookies (facebook-sign) that allows visiting Controller's Facebook Community page and giving a like to present website through the community site easier are provided by the services of Facebook Ireland LTD. Consequently Facebook Ireland LTD. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) has access to anonim data handled by these cookies.
   
  Facebook Ireland Ltd. has access to data in connection with measurement of webpage visitors and mapping of searching habits through its services. Facebook Ireland Ltd. uses data described above to perform analysis and also to send targeted advertisements to surfing User. While doing so, Google Ireland Ltd. sets out the possible interests by connecting data described above and the IP address of the device that was used for searching then targeted advertisements are sent to the given tool. Google Ireland Ltd. Has no access to any other data mentioned in this Policy except those described in this section.

  Service provider uses services of providers mentioned above to send advertisements about its own services to Users device used for searching after visiting the website.

  Data assigned to these goals are recorded in a way that Users can be identified, however, they are only accessible by Controller:

  - incidental storage of username and password for an easier entry (according to User’s decision)
  - check of User’s entry entitlement (username, e-mail address, password).

  Passwords are stored exclusively in a coded way, so Controller cannot come to know them either.

  4.5. Period of processing: Controller handles a part of data for the period of browsing, other data is stored for a variable time, but maximum 2 years.

  Data necessary for operation of website in a user-friendly way (IP address, order of webpages visited during browsing) is recorded for the duration of browsing session, they are deleted when browsing finishes. Handling of these data is done by own devices of Controller, third party does not have any access to them, except for information technology processing (see chapter below: “Use of a Processor”).

  Data necessary for checking entry and usage entitlements are stored for the duration of browsing session, when it finishes, they are deleted. Handling of these data is done by own devices of Controller, third party does not gain access to them, except for information technology data processing (see chapter below: “Use of a Processor”).

  Username and password may be stored permanently based on User’s decision by cookies being stored on User’s device. User can delete them, thus control data storage period.

  Data which serve as basis for measuring visits and mapping habits of the usage of website is stored in Controller’s IT system in a way which does not make possible connect to a person. For measuring these data Controller’s IT system uses Google Analytics devices. Only that cookie is stored on User’s device which gives a permission to Google Analytics for data processing. User can delete this in the settings of the browser.

  Facebook Ireland Ltd. - that provide cookies that make visiting Controller’s community websites, sharing and liking present website  on the community website easier - also has access to Data handled for measuring website visits and mapping habits of the usage of website is. These data are stored durable by Facebook Ireland Ltd.’s devices but with cookies that work for no more than two years which cookies hold on User’s device that is used for searching. User can delete or block the operation  of these cookies in the settings of their browser any time.

  Controller’s information technology system stores data to measure number of visitors and to map browsing habits right from the start in an anonymous way, they cannot be linked to anyone. Cookies storing these pieces of information are recorded on User’s browser device. User can delete them at any time in the settings of their browser.

  4.6. Storage of data: on separate lists in Controller’s information technology system. Data related to providing a user-friendly service (IP-address, the order of sites visited during browsing session) is not stored by Controller. Pieces of information provided by cookies are stored on User’s device. Diary cookies used by webpage service provider are stored on service provider’s server.

  4.7. User may get more information about the process of information technology processing and about information technology data processing that is realized by using Google Analytics and Facebook Ireland Ltd.’s devices from the prospectus that can be reached  at the start of searching the website from the pop-up window or by clicking on the sign “Information report about using cookies”. Furthermore, on the website of Google Analytics https://www.google.com/intl/hu_ALL/analytics/support and on the website of Facebook Ireland Ltd. https://developers.facebook.com/products. Controller uses those functions recommended by Google Analytics and Facebook Ireland Ltd. only which were described above.

   

  5. Processing related to receiving and answering messages

  5.1. Concerned parties in processing: Users who have sent messages to Controller by sending an e-mail to Controller using the e-mail address(es) appeared on the webpage.

  5.2. Legal basis for processing: User’s consent according to GDPR Article 6, Paragraph (1), Point a). 

  5.3. Determining the scope of data handled:

  The following data of User who sent an e-mail
  - name
  - e-mail address
  - other possible data that was given in a message sent by User

  Controller handles information concerning received messages from User only content wise, and does not require User to give personal data within. When such non-required information is provided though, they are not stored and Controller deletes them immediately from the information technology system.

  5.4. Purpose of processing: to ensure exchange of messages between Controller and User.

  Services involved:

  - receiving e-mail messages (by using e-mail address(es) on the website), replying to messages sent to Controller the above mentioned ways within 2 working days.

  5.5. Duration of processing: until answering a request or accomplishing a claim. Afterwards, Controller deletes data that is handled for these purposes. If there are more exchanges of messages, data are erased after the claim has been accomplished.

  If contracting occurs during the process of exchange messages, and content of messages is important with regard to the contract, legal basis and period of processing happens based on Point 9.

  5.6. Method of data storage: on separate data managing lists in the information technology system of Controller until the end of information exchange.

   

  6. Processing related to sending newsletters

  6.1. Concerned parties in processing are: Users who sign up for newsletters at website by providing personal data through filling up the related form on the website.

  6.2. Legal basis of processing: User’s consent based on GDPR Article 6, Paragraph (1), Point a) and User’s consent based on law regulating economic advertising activities § 6, Paragraph (1) and (2). User gives voluntary consent by reading this Privacy Policy and filling up the form about receiving newsletters, clicking on the consenting agreement box there. Either way, User consents to handle their personal data described in Privacy Policy, and to receive newsletters.

  6.3. Newsletters provide useful information to users, as well as aims direct sales purposes. User can sign up for this service regardless of drawing on other services, and it is voluntary. It is based on User’s decision after being informed. In case User does not take the newsletter service, they do not encounter any drawbacks when using website or any other services, it is not a criterion to use any other services at website.

  6.4. Scope of data:
  - surname,
  - first name,
  - e-mail address.

  6.5. Goal of processing: sending newsletters to User by Controller in e-mails about Controller’s services, information about the latest products/services and actualities, offers and advertisements.

  6.6. Duration of processing: Controller handles information until User’s cancellation of consent (User unsubscribes), or until deleting data based on User’s request.

  6.7. Method of data storage: on separate data managing lists in Controller’s information technology system.

   

  7. Data management related to making direct sales through sending SMS and MMS messages 

  7.1. Concerned with data management: Users who consent to receiving SMS and MMS messages for direct sales purposes, and mark relating declaration. Furthermore, Users who give their consent to receiving SMS and MMS messages for direct sales purposes during contracting with Controller in a written form on paper or without contracting in a written form on paper. 

  7.2. Legal basis of data management: User’s consent based on GDPR Article 6, Paragraph (1), Point a) and law regulating economic advertising activities § 6, Paragraph (1) and (2). User’s voluntary contribution is given by accepting present Privacy Policy and by clicking on contribution statement of sending SMS and MMS for the purpose of direct sales or by signing the contribution statement which appears in the written contract and signing the contract itself or filling up and signing a separate paper based declaration. By doing so User declares its consent to have their data handled by the way it is specified in the data processing report and in the contract/declaration and to sending them SMS and MMS for the purpose of direct sales.

  SMS and MMS messages provide Users with useful information, as well as aim at direct sales. User can sign up for this service independently from drawing on other services, and is voluntary. It is based on User’s decision after being informed. In case User does not take the SMS and MMS service as part of direct sales, they do not encounter any drawbacks when using website or any other services. Controller does not give consent to direct sales purposes as a condition to use any other services at website.

  7.3. Scope of data:
  - surname
  - first name
  - telephone number.
   
  7.4. Goal of data management: sending SMS and MMS messages as part of direct sales to User from Controller. They contain information about Data Manager’s services, the latest products/services and actualities, offers and advertisements.

  7.5. Duration of data management: Controller uses stored information to send SMS and MMS messages as part of direct sales until User’s cancellation of consent (User unsubscribes), or until deleting data based on User’s request.

  7.6. Method of data storage: on separate data managing lists in the information technology system of Controller. Furthermore, in case User gave data that is necessary for sending SMS and MMS messages for direct sales purposes to Controller on paper, storage happens by filing paper based contracts/statements. 

   

  8. Processing related to registration

  8.1. Scope of parties concerned: Users registering at website.

  8.2. Legal basis of processing: based on GDPR Article 6, Paragraph (1), Point a), User’s consent. Voluntary consent is given by clicking on”Registration” and filling up the form, as well as clicking at the indicator box, and finally sending the registration.

  8.3. Scope of handled data: Data asked and answered in the registration form mentioned above.

  8.4. Scope of data:
      - surname
      - first name
      - e-mail address
      - telephone number
      - username
      - password.
      
  8.5. Goal of processing: to simplify registration and frequent purchase at website.

  8.6. Services are
      - browsing website after log in,
      - simplifying online ordering of products by storing data necessary for accomplishing order, or enabling User to modify these data independently,
      - storing previous orders and enable User to access them in a User account.

  8.7. Duration of processing: As for registered Users, duration of processing lasts until Users request for data deletion. Processing may finish when User deletes their registration or when Controller deletes User’s registration. User may delete their registration anytime, or can ask Controller to do so. Such incoming requests are handled and accomplished immediately, but  within no more than 10 working days after the request arrives .

  8.8. Method of storing data: on separate processing list within Controller’s information technology system.

   

  9. Processing related to orders

  9.1. Scope of parties concerned: Users put in an order at website.

  9.2. Legal basis of processing: based on GDPR Article 6, Paragraph (1), Point b), according to which processing is necessary to accomplishing contracts where User is one of the parties. 

  9.3. Scope of data handled: Processing involves personal data and contacts.

  In case of User is a natural person:

  - surname
  - first name
  - e-mail address
  - telephone number
  - e-mail address
  - billing name
  - billing address
  - name for delivery (if different)
  - address of delivery (if different)
  - country
  - indication of product(s)/service(s) ordered
  - price of product(s)/service(s) ordered
  - delivery method
  - payment method
  - other information User might have provided in order to accomplish order
  - time of order
  - time of payment
  - User’s bank account number in case of pre-paid bank transfer.

  In case of representative/contact person of  businesses:

  - contact person’s surname
  - contact person’s first name
  - e-mail address
  - telephone number
  - billing name (name of business)
  - billing address (address of business)
  - tax number of the business
  - delivery name (if different)
  - address of delivery.

  In case of online payment, data of bank card used for payment is not revealed to Controller, as User provides payment service provider directly with such data.
      
  9.4. Goal of processing: to make and fulfil contracts realized through orders.

  9.5. Duration of processing: in order to fulfil orders, Controller handles information mentioned above until it is prescribed by the Act on Accounting (Számviteli Törvény) about keeping certificates. According to the Act on Accounting (Számviteli Törvény), this period is at least 8 years after making out an invoice, after passing this deadline, Controller deletes data within one year.

  During delivery - through which order is fulfilled - processing of necessary data (name, address of delivery, telephone number) lasts until the delivery is accomplished. When Controller forwards personal information to delivery company exclusively necessary for delivery, uses processing limitation, so data forwarded can be used only to a limited extent and time.

  It is the rightful interest of delivery company to store above mentioned data or some parts of them for a certain period, in case of possible discontent, complaints or civil legal disputes. However, delivery company does this as independent Controller, User may read about this in specific service provider’s privacy policy. User can get more information about such service providers in chapter “Using a Processor” of present policy, where their websites containing their privacy policy is indicated as well.

  Other data possibly processed during ordering – e.g. important messages between User and Controller about orders – are processed by Controller for 5 years after contracting – general term of limitation concerning civil demands.

  9.6. Method of data storage: On separate processing list within the Controller’s information technology system, and on accounting documents (prepayment requests, bills) that correspond to related laws about keeping bills for certain periods of time.

   

  10. Processing without further consent, and after withdrawal of consent

  10.1. Controller can handle recorded information about User with their previous consent, and needs no further consent. After withdrawal of consent based on Article 6, Paragraph 1 of GDPR, data are handled the following ways.

  10.2. If personal data was recorded with User’s consent, Controller can handle recorded data further on, if distinct legal regulations do not exist, without the further explicit consent of User, and Controller can handle information after withdrawal of consent, too, if:

  - processing is necessary to fulfil Controller’s  legal requirements;
  - processing is necessary to protect essential interests of a concerned or another natural person;
  - processing is necessary to provide rightful interests of Controller or any third party, except when interests or essential rights and freedoms of concerned people have priority over these interests that require the protection of personal data, especially if the concerned party is a child.

  
   
  11. Further possible legal bases of processing – independent from User’s consent

  11.1. Further legal basis of processing in referential cases if processing is necessary for fulfilling legal requirements based on GDPR Article 6 Paragraph (1) Point c). Controller may need to do obligatory processing in some cases, prescribed by law or other measure. In addition, Controller has to act according to requests from authorities that might also involve handling and forwarding personal information. This is also  Controller’s obligation by law.
   
  11.2. Furthermore, we inform you that according to GDPR Article 6, Paragraph (1), Point d) and f) Controller can handle User’s personal information in cases when managing data is necessary to protect essential interests of another natural person, and processing is necessary to put across rightful interests of Controller or a third party – except for cases when this interest is in conflict with concerned User’s such interests or basic rights and freedoms that require protection of personal information, especially if User is a child.

  11.3. Controller informs User about the followings based on Act CVIII of 2001, § 13/A on some questions of electronic trading services and services related to information society.

  Controller’s service based on this law is considered to be an electric trading service related to information society.

  Controller may handle identifying information and address of User in order to create a contract, determine its content, modify it and to monitor its accomplishment, make out invoices of fees about related costs, and to realize claims.

  Controller may handle User’s natural identifying data, address and information about using services, its period and location in order to be able to make out invoices laid down in contract about offering Controller’s service.

  Controller may handle personal information that is technically essential for providing services. Controller chooses and runs devices used during offering services so that personal data is only handled when it is absolutely necessary to provide such a service and to fulfil legal requirements. However, in similar cases, it does only on a necessary level and time. (Further characteristics of technically necessary processing is laid down in the document “Cookies Policy” and in Point 4 of present policy.)

  Controller may handle personal information – unlike any cases described above, especially to improve the efficiency of its service, electronic advertisements or forwarding any other content to User to do market research – in relation to service based on User’s previous consent.

   

  12. Forwarding data

  12.1. Scope of concerned: Users choosing online payment after shopping at website, regardless of using other services.

  12.2. Addressee of data forwarding:

  PayPal (Europe) S.a.r.l. et Cie, S.C.A. (PayPal)

  Short name: PayPal  S.a.r.l.
  Corporate registration  number: B118349
  Tax number: LU 22046007
  Premises: 22-24, Boulevard Royal, 2449 Luxembourg, Luxembour
  Postal address: 22-24, Boulevard Royal, 2449 Luxembourg, Luxembour
  Telephone:  -
  E-mail: dpo@paypal.com
  Website: https://www.paypal.com

  as service provider company of online payment service available at Controller’s website

  Furthermore,

  OTP Mobile Services Ltd. (SimplePay)
  (OTP Mobil Szolgáltató Kft.)

  Corporate registration  number: 01-09-174466
  Tax number: 24386106-2-42
  Premises: 17-19, Hungária Boulevard Budapest 1143 Hungary (Magyarország, 1143 Budapest, Hungária körút 17-19.)
  Postal address: 17-19, Hungária Boulevard Budapest 1143 Hungary (Magyarország, 1143 Budapest, Hungária körút 17-19.)
  Telephone: +36 1 1/20/30/70 3-666-611
  E-mail: ugyfelszolgalat@simple.hu
  Website: https://www.simplepay.hu/

  as service provider company of online payment service available at Controller’s website.

  12.3. Legal basis of data forwarding: User’s legitimate interest based on GDPR Article 6, Paragraph (1), Point a). Recipient is obliged to run a fraud prevention and scout system in connection with offering payment services and has the right to handle personal data that is necessary for these. Recipient has developed its system regarding to legal obligations, for its operation data forwarding by Controller is necessary. Accordingly to this it is Recipient’s legitimate interest to run a fraud prevention and scout system to meet its legal obligations. Recipient falls under the following provisions:
  - Act CCXXXVII of 2013 165. § (5) Paragraph on Credit Institutions and Financial Enterprises (a hitelintézetekről és a pénzügyi vállalkozásokról szóló 2013. évi CCXXXVII. törvény 165. § (5) bekezdése),
  - Act CCXXXV of 2013 92/A. § (3) Paragraph Point f) on some payment services (az egyes fizetési szolgáltatókról szóló 2013. évi CCXXXV. törvény 92/A. § (3) bekezdés f) pontja),
  - Act LXXXV of 2009 14. § (1) Paragraph Point v) on providing payment services (a pénzforgalmi szolgáltatás nyújtásáról szóló 2009. évi LXXXV. törvény 14. § (1) bekezdés v) pontja).

  Fraud prevention and providing proper operation of online services are both Controller’s and Recipient’s legitimate interest. Both organisations’ main source of revenue connects to proper operation of payment services. Nevertheless these are User’s interests as well, in particular to avoid abuse of bank card data.

  Data forwarding allows preventing and detecting frauds and troubleshooting of possible stumbling block that might appears during  the process of payment.

  Forwarded data comes from User’s data handled during booking/ordering and these data are forwarded through electronic channels which ensure encrypted data traffic solely for Recipient and only after payment is done and which are not used for any other purposes by Recipient. Therefore, data forwarding puts no significant risk on User , it has no other visible effect on them.

  Forwarding data is necessary for reaching goals described here and is suitable for making payment services safer.

  In view of the above and taking the built in guarantee operations into account, forwarding does not mean unreasonable degree encroachment into Users’ personal lives, therefore data forwarding is a necessary and proportional data processing operation.

  
  12.4. Scope of data forwarding:

  - surname
  - first name
  - telephone number
  - e-mail address
  - address
  - IP address
  - transaction identification
  - sum of transaction
  - object of transaction 

  Bank card data given during payment is directly provided for payment service provider, so Controller does not gain access to them.

  12.5. Goal of forwarding data: Operating and managing online payment service appropriately, confirmation of transactions, operating fraud-monitoring to protect users’ interests. This is a system to reveal frauds related to online payment, supporting the control of bank transactions – and providing help through customer support service.

  12.6. Controller does not forward information to third parties for business or marketing purposes. 

  12.7. Controller forwards information only to official bodies in accordance with legal requirements beyond the above mentioned cases.

   

  13. Using data processing

  Controller draws on the following businesses to process data.

  13.1. Storage space service provider

  13.1.1. Parties involved in data processing: Users visiting website, regardless of using services.

  13.1.2. Controller uses

  SYSTECH GLOBAL Limited Liability Company
  (SYSTECH GLOBAL Korlátolt Felelősségű Társaság)

  Short name: SYSTECH GLOBAL Kft
  Corporate registration number: 01-09-980104
  Tax number: 22913285-2-42
  Premises: 80 Király Street Budapest 1068 Hungary (Magyarország, 1068 Budapest, Király utca 80.)
  Postal address:  80 Király Street Budapest 1068 Hungary (Magyarország, 1068 Budapest, Király utca 80.)
  Telephone:+36 20 996 9661
  E-mail: support@systech.hu
  Website: https://systech.hu/

  as website storage place provider (Data Processor hereafter).

  13.1.3. Defining the scope of data involved in data processing: this relates to all information mentioned in present policy.

  13.1.4. Goal of data processing: To ensure functioning of website in an information technological way for Users who are involved.

  13.1.5. Period of data processing: It correlates with processing periods indicated in this policy for processing with various objectives.

  13.1.6. Processing data exclusively means to provide storage space necessary for the operation of website in an information technological way.

  
  13.2. Data processing in relation with sending newsletters

  13.2.1. Concerned parties: Users subscribing to newsletters, regardless of whether they use any other services.

  13.2.2. Controller uses services of

  E.N.S. IT and System Integration Private Limited Company(Webgalamb)
  E.N.S. Informatikai és Rendszerintegrációs Zártkörűen Működő Részvénytársaság (Webgalamb)

  Short name: E.N.S. Zrt.
  Corporate registration  number:  01-10-046975
  Tax number: 14032868-2-42
  Headquarters: 2nd Floor 2nd Building 10 Fehér Road Budapest 1106 Hungary (Magyarország, 1106 Budapest, Fehér út 10. 2. ép. 2. em.)
  Establishment: 1 Dr Dunay Alajos Street Békésszentandrás 5561 Hungary (Magyarország, 5561 Békésszentandrás, Dr. Dunay Alajos utca 1.)
  Postal address: 2nd Floor 2nd Building 10 Fehér Road Budapest 1106 Hungary (Magyarország, 1106 Budapest, Fehér út 10. 2. ép. 2. em.)
  Telephone: +36 30 555 1100 
  E-mail: info@ens.hu

  as company that has developed and operates the newsletter sending software that is used by Controller (Data Processor hereafter).

  13.2.3. Definition of data to be processed: User’s name and e-mail address who subscribed for receiving newsletters.

  13.2.4. Goal of data processing: to provide information technological conditions for sending newsletters by Controller, in processing apparent through technical operations necessary for operating the software safely.

  13.2.5. Duration of processing: Controller handles information until User’s cancellation of consent (User unsubscribes), or until deleting data based on User’s request.

  13.2.6. Processing data exclusively refers to technical operations to manage software about sending newsletters in an information technological way.

  
  13.3. Data processing related to sending newsletters

  13.3.1. Concerned parties: Users subscribing on newsletters independently from using other services available on the website.

  13.3.2. Controller draws on data processor services of

  Nagy Norbert ev.

  Short name: Nagy Norbert ev.
  Registration number: 51829788
  Tax number: 68496452136
  Establishment: 19 Földesi Street, Túrkeve 5420 Hungary (Magyarország, 5420 Túrkeve, Földesi utca 19.)
  Postal address: 19 Földesi Street, Túrkeve 5420 Hungary (Magyarország, 5420 Túrkeve, Földesi utca 19.)

  As operator of the newsletter sending software used by Controller (Data Processor hereafter).

  13.3.3. Defining the scope of data involved in data processing: this relates to all information mentioned in in chapter about sending newsletters of present policy.

  13.3.4. Goal of processing: Running the software that is used for sending newsletter by Controller, sending newsletters based on Controller’s decision. 

  13.3.5. Period of data processing:: It correlates with data processing periods indicated in the chapter about sending newsletters in present Policy. .

  13.3.6. Processing data exclusively refers to technical operations to manage software about sending newsletters in an information technological way.

  13.4. Data processing related to using cookies 

  13.4.1. Concerned with data processing: Users visiting the website regardless of the fact whether they used any of the services the website provides.  

  13.4.2. Controller draws on as data processor 

  Google Ireland Ltd.

  Corporate registration  number: 11603307
  Tax number: IE 6388047V
  Headquarters: Gordon House, Barrow Street, Dublin 4, Ireland
  Establishment: Gordon House, Barrow Street, Dublin 4, Ireland
  Postal address: Gordon House, Barrow Street, Dublin 4, Ireland
  Telephone: +353 1 436 1000
  E-mail: not available
  Website: https://www.google.hu/

  Company as online marketing provider (Data Processor hereafter)

  Furthermore,

  Facebook Ireland Ltd.

  Corporate registration  number:  462932
  Tax number: IE 9692928F
  Headquarters: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  Establishment: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  Postal address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  Telephone: + 353 1 5530588 
  E-mail: fbirelandlobbyingreport@fb.com
  Website: https://www.facebook.com/privacy/explanation

  Company as online marketing provider (Data Processor hereafter)

  13.4.3. Defining the scope of data involved in data processing: this relates to data marked in Chapter 4.

  13.4.4. Goal of using Data Processors: To analyze visitoe’s habits and sending targeted advertisements to Users device which was used for searching by using Data Processors’ devices. 

  13.4.5. Period of data processing: It correlates with data processing periods indicated in chapter 4 in present Policy.

  13.4.6. Processing data exclusively refer to technological operations necessary to manage website in an information technical aspect and to send targeted advertisement to the right place.

  13.5. Data processing related to delivery company

  13.5.1. Concerned parties: Users placing an order and asking for delivery.

  13.5.2. Controller uses services of

  GLS General Logistics Systems Hungary Csomag-Logisztikai Korlátolt Felelősségű Társaság
  (GLS General Logistics Systems Hungary Parcel Logistics Company Limited GLS General Logistics Systems Hungary Co.Ltd.)

  Short name: GLS General Logistics Systems Hungary Kft.
  Corporate registration  number: 13-09-111755
  Tax number: 12369410-2-44
  Headquarters: Magyarország, 2351 Alsónémedi, GLS Európa u. 2. (Hungary, 2351 Alsónémedi, GLS 2 Európa Street)
  Postal address: Magyarország, 2351 Alsónémedi, GLS Európa u. 2. (Hungary, 2351 Alsónémedi, GLS 2 Európa Street)
  Telephone: +36 29 886 670
  Fax: +36 29 886 610
  E-mail: info@gls-hungary.com
  Website:  https://gls-group.eu/HU/hu/home

  as delivery company that delivers ordered products (Processor hereafter).

  13.5.3. Scope of data involved in data processing: Data processing involves User’s following data that is necessary to fulfil the obligation (fulfillment of delivery) that comes from the contract based on User’s order:

  - surname
  - first name
  - e-mail address
  - telephone number
  - address of delivery.

  13.5.4. Goal of processing: In order to fulfil the contract made when User places an order, the goal is to deliver the ordered product to an address indicated by User, checking delivery address and time if necessary on the phone.

  13.6. Data processing serves no other purposes. 

  13.7. Controller does not draw on services of any other businesses except for the above mentioned companies.

   

  14. User’s rights concerning data processing

  14.1. Right to access: Controller gives information for User’s request about data being handled by itself and by Data Processor, their sources, goals of data processing, its legal basis, period, name and address of Data Processor, its activities related to data processing, consequences and effects of a possible data protection incident and actions done in order to avoid such cases, furthermore, in case of forwarding concerned person’s personal data, about the legal basis and addressee of data forwarding. Controller provides information without any unreasonable delay, within maximum one month after the arrival of the request.

  Within the framework of the right to access, Controller provides User with a copy of personal data involved in processing, within maximum one month after the arrival of the request. For further demands from User, Controller calculates a reasonable fee based on administrative costs (see Chapter 15).

  14.2. Right to portability of data: User has the right to get personal data about themselves in an articulate, widely used format, readable on devices, furthermore, has the right to forward these pieces of information to another Controller without the obstruction of Controller that has User’s data according to User’s consent, if:

  a) processing is based on User’s consent or contract; and
  b) processing is automatized.

  Practising the right to portability of data, User has the right – if it is technically practicable – to ask Controllers to forward information between each other directly.

  14.3. Right to correction: User has the right to ask for correction of their data, which Controller fulfills without any unreasonable delay, within maximum one month after the  arrival of the request. Considering the goal of processing, User has the right to ask for completing their missing personal data – for example through an additional declaration.

  14.4. Right to limitation of processing: Controller marks personal data in order to limit processing. User may ask for such limitation if one of the following cases occur:
  a) User disputes accuracy of personal data, in this case limitation exceeds for the period that enables Controller to check the accuracy of personal data;
  b) processing is illegal, and User objects against deleting their data and asks for limitation of use;
  c) Controller does not need personal data for processing, however, concerned party lays claim to them in order to propose, realize or protect legal demands; or
  d) User has objected to legal processing done by Controller; in such cases limitation exceeds over a period in which it becomes clear whether Controller’s legal interests dominate over concerned party’s legal interests.

  14.5. Right to cancellation (right to “effacing”): Controller deletes information if:
  a) personal data is no longer needed for reasons they were recorded, or were handled differently;
  b) User withdraws their consent to processing, and there are no other legal bases for it;
  c) User objects to processing and there are no prior rightful reasons for processing, or User objects to processing with direct sales objectives;
  d) personal data was handled illegally;
  e) personal data must be deleted to fulfil legal obligations claimed by European Union or member state laws;
  f) User requests deletion or objects to processing, and data was recorded to offer services related to information technological society directly to children.

  If Controller made personal data public – and according to cases mentioned above – has to erase them and must take reasonable steps, including technical ones – considering technology available and costs of realization – in order to inform Controllers involved about User requesting their personal data and the links referring to them or copies of personal data to be deleted.

  Controller informs User and all Controllers that are provided with information about the correction, limitation and deletion. Notification might be neglected if it seems to be impossible, or requires unreasonable efforts. Controller informs User on demand about these addressees.

  14.6. Right to objection: User has the right to object to their data being managed rightfully by Controller at any time because of personal reasons, including profile creation based on mentioned actions. In such cases, Controller cannot handle personal information any longer, except when Controller proves that there are obligatory rightful reasons for processing, having priority over concerned person’s interests, rights and freedoms, or reasons that are related to proposal, enforcement or defence of legal demands.

   

  15. Fulfilling of User’s requests

  15.1. Controller offers notification and taking actions for free, as described in Point 14. If User’s request is obviously unfounded, or – especially for its repeated nature – exaggerated, Controller

  a) might charge a reasonable price, or
  b) might deny taking actions based on request,
  considering data requested, or administrative costs of measures to be taken to fulfil request.

  15.2. Controller informs User without any unreasonable delay, but maximum one month after receiving the request about actions that has been taken, including issuing copies of data. If necessary, considering the complexity of request and numbers of requests this deadline can be made longer with additional two months. Controller informs User about elongation of deadline together with indicating reasons of delay within one month after receiving the request. If concerned User sends their request electronically, Controller provides information electronically, except when concerned User asks for it in a different way.

  15.3. If Controller does not take any steps as reaction to User’s request, without delay but within maximum of one month after receiving the request, Controller informs User about reasons why there have been no actions taken, and about the possibility of filing a complaint at Authority mentioned in Point 17 and can have the right to legal remedy described there as well.

  15.4. User can hand in their request to Controller in any way that identifies them. Identifying Users who hand in a request is necessary because Controller can deal with only those requests that are entitled. If Controller has justified doubts about the identity of natural person handing in a request it can ask for other pieces of information to assure the identity of concerned User.

  15.5. User can send their requests to Controller to the address 16 Kada Elek Street, Kecskemét 6000 Hungary or to the e-mail address info@totallsport.com Controller considers requests sent in e-mail genuine only if it was sent from an e-mail address registered at Controller’s database. However, using another e-mail address does not mean in observance of such requests. Time of receiving e-mails is the first day after the e-mail was sent.

   

  16. Data protection, data safety

  16.1. Controller assures the safety of data and through technical and organizational actions, as well as internal rules of procedure ensures that laws and other data and secret protection rules are kept. Controller protects data especially against illegal access, change, forwarding, making public, deletion or effacement of data, moreover, it protects against accidental effacement and damage, as well as inaccessibility of data as a result of change in applied technology.

  16.2. Data related to measuring number of visitors of the website and habits describing use of website are handled in Controller’s information technological system in a way that prevents Controller to link data to anyone, right from the beginning.

  16.3. Processing takes place to reach articulated and legal goals described in present policy to a necessary and proportional degree, based on relevant laws and recommendations, keeping appropriate safety measures.

  16.4. In order to achieve these, Controller uses “https” protocol to reach the website, through which web communication can be encrypted and individually identifiable. Controller stores information in encrypted data stocks on separate lists insulated from each other based on processing goals to which certain Controller employees – performing tasks indicated in present policy – have access to, who have to protect data and it is their responsibility to handle this policy and relevant laws in an appropriate manner.

   

  17. Prosecution of rights

  Concerned parties may practice their prosecution of rights based on Civil Code Act V of 2013 (Polgári Törvénykönyvről szóló 2013. évi V. törvény) and GDPR at a courthouse, and can turn to the National Authority for Data Protection and Freedom of Information:

  Nemzeti Adatvédelmi és Információszabadság Hatóság
  (National Authority for Data Protection and Freedom of Information)

  Address: 9-11. Falk Miksa Street, Budapest 1055 Hungary (Magyarország, 1055 Budapest, Falk Miksa utca 9-11.)
  Postal address: P.O. Box 9 Budapest 1363 Hungary (Magyarország 1363 Budapest, Pf. 9.)
  Telephone: +36 1 391 1400
  Fax: +36 1 391 1410
  E-mail: ugyfelszolgalat@naih.hu
  Website: http://www.naih.hu/

  In case choosing a process involving a courthouse, the lawsuit – based on concerned User’s choice – can be initiated at the courthouse in concerned person’s residence or place of stay, as courthouses are competent in confiscation of such a lawsuit.

   

Goal Hungary Kft.