Data Controller (Service Provider)
Name: Carpathian Basin Ltd.
Headquarters: 13. Rakoczi Street, Dunaföldvár, 7020, Hungary
Mailing address, complaint handling: 13. Rakoczi Street, Dunaföldvár, 7020, Hungary
Phone: +36 30 401 7835
Headquarters: 8 Racho P. Kazandzhiata Street, Sofia 1166, Bulgaria
Availability: email@example.com; +1 866 605 2484
Privacy Officer: under the GDPR Regulation, the Operator is not obliged to appoint a Data Protection Officer
Effective as of 15 September, 2020
The legal basis for data management is the voluntary consent of the data subject based on the prior information of the Data Controller. The Data Controller does not check the personal data provided to him or her, and excludes his / her responsibility and the legality of the data management of the partners. The data subject is entitled to withdraw his consent at any time. Withdrawal of consent does not affect the legality of the pre-withdrawal data management based on consent.
The Data Controller will only collect and process your data if you have given your consent. We can assure you that we will do our utmost to comply with the strict requirements of data management and confidentiality, and in all cases we will comply with all legal provisions related to data protection. We use all collected personal information solely to provide our customers with the highest quality of service and to optimize our services to meet your needs and expectations. The Data Controller is committed to respecting the right to information self-determination. Your personal information will be treated confidentially and will not be transferred to a third party unless it is necessary for the performance of the contract for certain business partners, subcontractors (e.g. courier services). For them, only the data they need to perform their tasks are transmitted. They are not entitled to use, store or forward any data received from us in any form whatsoever.
Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
CXII. Act on the Right to Informational Self-Determination and Freedom of Information
Data Controller: a natural or legal person, public authority, agency or any other body that defines the purposes and means of the processing of personal data independently or with others.
Data Management: any set of operations that are performed on personal data or data files in an automated or non-automated manner, such as collection, recording, systematization, distribution, storage, transformation or alteration, query, access, use, communication, distribution, or otherwise batch, alignment or interconnection, restriction, deletion or destruction.
Data Processor: a natural or legal person, public authority, agency or service provider who handles personal data on behalf of the Data Controller.
Personal data: any information relating to an identified or identifiable natural person (“affected”). Identifiable a natural person who is directly or indirectly identifiable by an identifier, such as name, number, positioning data, online identifier or one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of a natural person.
Subject: Any natural person identified or identifiable by any specific, direct or indirect personal data.
The consent of the data subject: a voluntary, concrete and clear indication of the will of the data subject by which he or she expresses his / her consent to the processing of the personal data affecting him or her by means of an act expressing the declaration unambiguously.
Addressee: natural or legal person, public authority, agency or any other body with or with whom personal data are disclosed, whether or not a third party is involved.
Third party: any natural or legal person, public authority, agency or any other body which is not the same as the data subject, the controller, the processor or the persons authorized to process personal data under the direct control of the controller or processor.
Principles of data management
should be conducted in a lawful, fair and transparent manner for the data subject (“legality, fairness and transparency”)
can be managed only for a specific purpose, or in order to exercise rights and fulfill an obligation (“purpose limitation”)
they must be relevant to the purposes of the data management and must be limited to what is necessary (“data saving”)
must be accurate and, if necessary, up to date (“accuracy”)
storage must be in a form that permits identification of data subjects for only the time necessary to achieve the purposes for which the personal data are processed (“limited storage”)
management must be carried out in such a way as to ensure that personal data are properly protected, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage (“integrity and confidentiality”)
The data supply on the website is voluntary and the Data Controller handles the personal data with the consent of the data subject. In the case of a person who is under the age of 16, the Data Controller shall in no case collect the personal data of the data subject. Personal data is not transferred to a data controller or data processor in a third country and is not passed on to third parties unreasonably.
Legality of data management
1. The processing of personal data shall be lawful only if and to the extent that at least one of the following is fulfilled:
(a) the consent of the data subject to the processing of his or her personal data for one or more specific purposes;
(b) the processing is necessary for the performance of a contract in which the data subject is required by one of the parties or at the request of the data subject before the conclusion of the contract;
(c) the processing is necessary for the performance of a legal obligation to the controller;
(d) the processing is necessary for the protection of the vital interests of the data subject or another natural person;
(e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public authority conferred on the controller;
(f) the processing is necessary for the legitimate interests of the controller or of a third party, unless such interests have priority over the interests or fundamental rights and freedoms of the data subject, in particular where the child concerned is concerned.
Data security measures
The Data Controller stores the personal data provided by the data subject at its headquarters and takes appropriate measures to ensure the security of the data, as well as to protect the personal data of those affected, including unauthorized access. The Data Controller ensures that the principles of data management are respected and that personal data cannot be made accessible to an undetermined number of individuals.
The purpose of data management
The purpose of data management is solely to prove the services of the Webshop, its contractual relations, the fulfillment of the orders and the subsequent proof of the order terms. In the course of data management, we strive to handle only the personal data necessary for the purpose.
Therefore, data management is for:
contact and customer identification
order processing, preparation of a contract
transport of goods; delivery of ordered product
The range and duration of data management
During data management, the Service Provider manages your name, address, telephone number, e-mail address, the characteristics of the purchased product, the date of purchase, the order number, the payment and delivery method, the IP address of the data subject and the content of the complaint. In any case, only the data strictly necessary for the purpose will be managed for the required or statutory period.
When contacting: the information you provide, such as email, name, phone number (until the contact is closed).
Ordering details: name, address, telephone number, e-mail address, characteristics of the purchased product, order number and date, and payment and delivery method (5 years according to the civil limitation period).
Invoice: name, address, telephone number, e-mail address (pursuant to Section 169 (2) of Act C of 2000 on Accounting, it shall be kept for 8 years from the date of issue of the invoice).
Delivery of goods: name, address, telephone number, e-mail address (until delivery of ordered goods).
Complaint handling: name, address, telephone number, e-mail address, content of the complaint and report (pursuant to CLV of 1997 Act 17 / A. § (7) on Consumer Protection, we are obliged to keep the complaint for 5 years).
During registration: email address and the personal information you have provided in your account, such as name, address, and orders placed. You may change or delete your data at any time in the Webshop user interface.
When registering, ordering and subscribing to the newsletter, we store the information related to the consent – the date of consent and the IP address of the data subject – in order to be able to prove it later in accordance with the legal requirements (until the consent to the data management is withdrawn).
The Data Controller uses the so-called cookies on the website to save certain settings, facilitate the use and optimization of our Webshop. In addition, we collect statistical information about our visitors using Google Analytics. The data recorded in this way (e.g. IP address, date of visit, in some cases browser type) is not suitable for user identification and cannot be linked to other personal data. Google will only pass this information on to third parties if required by law or processed by third parties on behalf of Google.
Google general cookie information: https://www.google.com/policies/technologies/types
Google Analitycs: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=en
Facebook prospectus: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
Further data management
If the Data Controller wishes to perform further data management, it will provide prior information on its essential information. Personal data will only be transferred to a third party if the data subject has explicitly agreed to it or is authorized by law to transfer the data.
Please note that the Data Controller is required to fulfill written requests for information by the authorities. The Data Controller cannot be held responsible for the resulting data transmission and possible consequences.
The Data Controller shall keep a record of the legality of the transmission of data in accordance with the Article 15 (2) – (3) of CXII. Act on the Right to Informational Self-Determination and Freedom of Information.
Data processing activities
The Data Processors and third-party service providers cooperate with the Data Controller to perform the activities of the Webshop, such as delivering ordered goods, invoicing and executing online payments. We will do our best to ensure that all personal data transmitted are handled in accordance with the law and used only for the purpose of performing their duties.
Data Processors, External Providers Used by the Service Provider:
Printful, Inc. (11025 Westlake Dr, Charlotte, NC 28273, USA)
PayPal ( S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal, L-2449, Luxembourg
Coinbase Commerce (One Marina Boulevard, #28-00, Singapore 018989.
Facebook (Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland)
Google LLC (1600 Amphitheater Parkway, Mountain View, CA 94043, United States of America)
In the course of data management, you have the following rights under the GDPR regulation:
right to access to personal data
right to rectification
right to erasure (“right to be forgotten”)
right to restriction of processing
right to data portability
right to object
Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (“right to be forgotten”)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services.
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
the processing is based on consent or on a contract; and
the processing is carried out by automated means.
2. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right shall be without prejudice. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right shall not adversely affect the rights and freedoms of others.
Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. In the context of the use of information society services, the data subject may exercise his or her right to object by automated means using technical specifications.
5. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
is necessary for entering into, or performance of, a contract between the data subject and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
is based on the data subject’s explicit consent.
If you believe that the Service Provider has violated any statutory provisions on data management or has failed to comply with any of its requests, you may contact your National Authority for Data Protection and Freedom of Information or initiate an investigation procedure with your complaint directly to eliminate the alleged unlawful data management (address: 22/c, Szilágyi Erzsébet fasor, Budapest, 1125, Hungary, phone: +36 1 391 1400, email: firstname.lastname@example.org, website: www.naih.hu).
Please be advised that in case of unlawful data processing you are entitled to go to court and initiate a civil lawsuit against the Data Controller. The case may also be initiated by the person concerned at the court of the place of residence or domicile.
If you decide to unsubscribe from our newsletters or at any time to delete your personal information, please notify us of your request at email@example.com.
If you have any questions, complaints about the compliance of this policy, or if you want to make comments on improving the quality of it, please contact us at the following email address: firstname.lastname@example.org.
We welcome all inquiries and, to the best of our ability, we strive to satisfy the expectations of our visitors and customers.