I. INTRODUCTION OF THE DATA CONTROLLER
MVTML Clothing Kft. (hereinafter referred to as: the Company, the Data Controller, or “We”) issues the following Privacy Notice in order to ensure the lawfulness of its internal data processing activities and to safeguard the rights of the data subjects.
Name of the Data Controller: MVTML Clothing Kft.
Company registration number of the Data Controller: Cg. 01 09 419182
Registered seat of the Data Controller: 1133 Budapest, Hegedűs Gyula Street 89/A
E-mail address of the Data Controller: hello@mybrand.hu
The Company manages personal data in compliance with all applicable laws, but primarily in accordance with the following regulations:
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: “Info Act”),
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the “Regulation” or “GDPR”).
- Civil Code Act V of 2013 (hereinafter: “Civil Code”).
The Company handles personal data confidentially and takes all technical and organizational measures related to data storage and processing to ensure secure data management.
*****
II. CHARACTERISTICS OF SPECIFIC DATA PROCESSING PURPOSES
1. Management of cookies on the website
The https://mybrand.hu/ website and its subpages use so-called cookies to maintain and improve their services and to enhance the user experience.
What is a cookie?
Cookies are small text files placed on the user’s device by the browser, used for identification and information collection. A cookie consists of a unique sequence of numbers and primarily serves to distinguish the computers and other devices downloading the website. Cookies have several functions: they collect information, remember user settings, and allow the website owner to learn about user habits to improve the overall user experience.
For what purposes may we use cookies?
- to improve our websites,
- to create and analyze web analytics about how visitors use the website,
- to enhance the user experience,
- to facilitate the management of our websites,
- to obtain information about user behavior,
- to place targeted advertisements.
On what legal basis do we use cookies?
Cookies necessary for the operation of the website are processed based on Article 6 (1) (f) of the GDPR, relying on our legitimate interest. These cookies are essential for the proper functioning of the website.
What exact cookies do we use?
The https://mybrand.hu/ website uses the following cookies:
| Cookie name | Purpose of data processing | Legal basis of data processing | Duration | Type of cookie |
| --- | --- | --- | --- | --- |
| wc_cart_hash_# | To remember what was in your cart | Legitimate interest pursuant to Article 6 (1) (f) of the GDPR, which corresponds to the purpose of the data processing | Until the end of the relevant visitor session | Session cookie |
| wc_fragments_# | To remember what was in your cart | Legitimate interest pursuant to Article 6 (1) (f) of the GDPR, which corresponds to the purpose of the data processing | Until the end of the relevant visitor session | Session cookie |
Detailed information on the cookies used by the website is also available through the website’s cookie manager.
The information collected by cookies is not sold, rented, or otherwise distributed to third parties, except to the extent necessary to provide services for which the data subject has voluntarily provided such information in advance.
Exercise of data subject rights
Data subjects are entitled to exercise their rights related to data processing as described in the Website’s Privacy Notice, available at the following link: mybrand.hu/adatkezelesi-tajekoztato.
How can you check and disable cookies?
All modern browsers allow the modification of cookie settings. Most browsers automatically accept cookies by default, but these settings can usually be changed to prevent automatic acceptance and to offer a choice each time as to whether cookies should be allowed or not.
Since the purpose of cookies is to facilitate or enable the usability and processes of the website, disabling or deleting cookies may result in users being unable to fully use the website’s functions, or in the website not functioning as intended in their browser.
You can find information about cookie settings in the most popular browsers at the following links:
- Google Chrome: https://support.google.com/accounts/answer/61416
- Microsoft Internet Explorer: https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-11
*****
2. Registration
On the https://mybrand.hu/ website, visitors can purchase merchandise products of performers, athletes, public figures, events, and venues. Each celebrity has their own webshop through which their products are available. Individual webshops can be accessed from the homepage.
It is possible to make purchases on the website without creating a user account; however, by registering your own account, you can provide your data once, so you don’t need to enter them for every purchase. During registration, the data subject is only required to provide an e-mail address. The registration is confirmed by the system via e-mail.
The data subject is obliged to keep the provided password confidential. If the data of the data subject become accessible to an unauthorized third party due to the fault of the data subject, the Data Controller shall not be liable for any resulting damages or disadvantages.
Purpose of data processing
The purpose of the data processing is to create a user account on the website.
Personal data processed
To create a registration, we only process the e-mail address and password of the data subject.
After registration, the data subject may also provide the following data at any time:
- first name and surname,
- display name,
- shipping address,
- billing address,
- telephone number.
If these data are provided, there is no need to re-enter the shipping and billing information for each order. Providing this information in the user account is voluntary; however, purchases cannot be fulfilled without providing the necessary data.
Legal basis of data processing
The processing of the above data of the data subjects is based on Article 6 (1) (b) of the Regulation (GDPR), that is, processing necessary for the performance of a contract created between the data subject and the Data Controller through registration.
Source of personal data
The source of personal data is generally the data subject. Since the data subject is the source of the personal data, the Data Controller provides information directly to the data subject at the time of data collection regarding any possible changes in the scope of the processed data.
Recipients of the provided personal data
The personal data of the data subjects may only be accessed by those employees of the Data Controller whose job duties include operating the webshop.
Data Processor(s):
W5 Informatikai Korlátolt Felelősségű Társaság (7678 Abaliget, Kossuth Lajos utca 12.)
The Data Processor may process the personal data of the data subject solely for the purpose defined by the Data Controller and recorded in a contract, in accordance with the Data Controller’s instructions, and has no independent decision-making authority regarding the processing. The Data Processor has undertaken confidentiality obligations and contractual guarantees regarding the protection of the personal data obtained during the performance of its duties.
Transfer of personal data to third countries or international organizations
The Data Controller does not transfer the above personal data of the data subject to any third country or international organization.
Duration of personal data processing
The data subject may request the deletion of their user account at any time via e-mail at hello@mybrand.hu.
Automated decision-making and profiling
No such activities are carried out during data processing.
Provision of personal data
The provision of personal data is a basic requirement for registration.
*****
3. Data processing related to electronic communication
In today’s fast-paced world, the Data Controller primarily maintains contact with interested parties, customers, partners, and clients via electronic means. Anyone may contact the Data Controller directly by e-mail or by sending a message through the “Contact” tab on any subpage of https://mybrand.hu.
During electronic communication with the data subject – related to any matter – the Data Controller processes the personal data of the data subject in accordance with the provisions of this notice.
Purpose of data processing
Electronic communication. The data provided by the data subject are processed solely for the purpose of communication with them and for the administration related to the content of the message. The data subject is entitled to contact us electronically on any matter.
The Data Controller initiates contact with any data subject only in connection with the performance of an existing contract or based on another legitimate legal ground, in compliance with data protection regulations.
Processed personal data
Name, e-mail address, phone number (provided voluntarily if the data subject wishes to be contacted by phone), and any other information that the data subject considers relevant to the matter initiated by them.
Legal basis for data processing
The legal basis for processing personal data is Article 6 (1) (b) of the Regulation, meaning that processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract. The Data Controller considers communication with data subjects to constitute preliminary processing related to a future contract (agreement) or processing associated with an existing contract.
Additionally, Article 6 (1) (f) of the Regulation (legitimate interest) also provides a legal basis for data processing. The legitimate interest of the Data Controller is to process personal data necessary to respond to inquiries addressed to it.
Source of personal data
The data subject. Since the data subject is the source of personal data, the Data Controller provides information directly to them at the time of data collection regarding any possible changes in the scope of the processed data.
Recipients of the provided personal data
The personal data provided by the data subject may only be accessed by those employees of the Data Controller who have the authority to make recommendations or decisions related to the message sent by the data subject or the administration required on its basis.
Data Processor(s):
Google – our company’s e-mail service provider.
The data processors may process the personal data of the data subject solely for the purpose defined by the Data Controller and recorded in a contract, in accordance with the Data Controller’s instructions, and have no independent decision-making authority regarding the processing. The data processors have undertaken confidentiality obligations and contractual guarantees regarding the protection of the personal data obtained during the performance of their duties.
Transfer of personal data to third countries or international organizations
The Data Controller does not transfer the above personal data of the data subject to any third country or international organization.
Duration of personal data processing
If any type of contract (obligation) is established between the Data Controller and the data subject, the personal data obtained during communication are processed in connection with that contract, at most until the expiration of the limitation period.
If no contract or agreement is concluded between the Data Controller and the data subject following pre-contractual data processing, the message(s) will be deleted by the Data Controller after the communication has been closed.
Automated decision-making and profiling
No such activities are carried out during data processing.
Provision of personal data
The processing of personal data is a prerequisite for responding to messages and thus for communication between the data subject and the Data Controller. Providing a phone number is voluntary.
*****
4. Issuing and retaining invoices
Purpose of data processing
The purpose of the Data Controller’s data processing is the issuance and retention of invoices
- pursuant to Sections 159 (1) and 169 of Act CXXVII of 2007 on Value Added Tax (VAT Act), and
- in accordance with Section 169 (2) of Act C of 2000 on Accounting.
Processed personal data
The data specified in Section 169 of the Value Added Tax Act (hereinafter: VAT Act), but at least:
- name,
- billing address.
Legal basis for data processing
The legal basis for data processing during the issuance of invoices is Article 6 (1) (c) of the Regulation, i.e. compliance with a legal obligation as described above.
Source of personal data
The data subject. Since the data subject is the source of the personal data, the Data Controller provides information directly to them at the time of data collection regarding any possible changes in the scope of the processed data.
Recipients of the provided personal data
Personal data are processed exclusively by those employees of the Data Controller whose job responsibilities include tasks related to invoicing.
The Data Controller uses the following data processors in relation to invoicing:
Major és Dr. Tóth Könyvvizsgáló és Tanácsadó Kft. (7625 Pécs, Tettye u. 47.): performs accounting activities for the Data Controller.
KBOSS.hu Kft. (1031 Budapest, Záhony utca 7/c)
The data processors may process the personal data of the data subject solely for the purpose defined by the Data Controller and recorded in a contract, in accordance with the Data Controller’s instructions, and have no independent decision-making authority regarding the processing. The data processors have undertaken confidentiality obligations and contractual guarantees regarding the protection of the personal data obtained during the performance of their duties.
Transfer of personal data to third countries or international organizations
The Data Controller does not transfer the above personal data of the data subject to any third country or international organization.
Duration of personal data processing
The Data Controller retains the personal data of the data subject for at least 8 years from the date of issuance, in accordance with Section 169 (2) of Act C of 2000 on Accounting.
Automated decision-making and profiling
No such activities are carried out during data processing.
Provision of personal data
All data processing is based on legal obligations and is therefore mandatory.
*****
5. Data processing related to sales activities
Purchases through the webshop can be made either with or without an existing user account. During the purchase process, the Data Controller processes the data necessary to fulfil orders.
During the purchase, the data subject may also indicate their wish to subscribe to the newsletter.
Purpose of data processing
Data processing necessary for fulfilling orders placed through the webshop.
Processed personal data
Data required for placing and delivering an order:
- surname,
- first name,
- e-mail address,
- phone number,
- delivery address,
- billing address (if different from the delivery address),
- any additional information provided by the data subject.
The Data Controller also processes data related to the ordered product(s) (type, price, quantity), delivery details such as parcel tracking number and characteristics (size, fragile, etc.), the current delivery status, events related to the shipment, and, in the case of cash on delivery, payment-related data.
If the data subject has a user account, the Data Controller also processes their order history.
Legal basis for data processing
The legal basis for processing is Article 6 (1) (b) of the Regulation, meaning that the processing is necessary for the performance of the sales contract concluded between the data subject and the Data Controller as a result of the order.
Source of personal data
The data subject. Since the data subject is the source of the personal data, the Data Controller provides information directly to them at the time of data collection regarding any possible changes in the scope of the processed data.
Recipients of the provided personal data
The personal data of the data subject may only be accessed by those employees of the Data Controller whose job duties include such processing activities.
Data Processor:
Webshippy Kft. (1044 Budapest, Ezred utca 2. B2. building 13.) – Webshop fulfillment service provider.
The data processor may process the personal data of the data subject solely for the purpose defined and recorded in a contract by the Data Controller, in accordance with the Data Controller’s instructions, and has no independent decision-making authority regarding the processing. The data processor has undertaken confidentiality obligations and contractual guarantees regarding the protection of the personal data obtained during the performance of its duties.
Transfer of personal data to third countries or international organizations
The Company does not transfer the above personal data of the data subject to any third country or international organization.
Duration of personal data processing
The Data Controller deletes the personal data of the data subject after the fulfilment of the contract, following the expiration of the limitation period, that is, after 5 years.
Automated decision-making and profiling
No such activities are carried out during data processing.
Provision of personal data
The provision of personal data is a fundamental prerequisite for making purchases in the webshop.
*****
6. Complaint handling
The Data Controller, in compliance with consumer protection regulations, provides consumers with the opportunity to submit complaints regarding its services.
Purpose of data processing
The purpose of data processing is to handle complaints submitted by service users in accordance with the provisions of the Consumer Protection Act (Fgytv.).
Processed personal data
Based on Section 17/A (5) of the Consumer Protection Act (Fgytv.), in the case of a consumer complaint:
- the name and address of the service user,
- the place, time, and method of submitting the complaint or request,
- a detailed description of the consumer’s request or complaint, including the list of documents and other evidence presented by the consumer,
- the company’s statement regarding the consumer’s request or complaint, if it can be answered or investigated immediately,
- the name of the person recording the report and – except for verbal complaints made by phone or other electronic communication services – the consumer’s signature,
- the place and time the report was recorded,
- in the case of a verbal complaint submitted via phone or other electronic communications service, the unique identification number of the complaint.
If the complaint or request is submitted electronically, the Data Controller stores the data subject’s e-mail address; if the complaint is made by phone, the Data Controller stores the data subject’s phone number, as specified in this privacy notice.
Legal basis for data processing
The legal basis for data processing is compliance with a legal obligation pursuant to Article 6 (1) (c) of the Regulation, which in this case means fulfilling the requirements set forth in Section 17/A of the Consumer Protection Act (Fgytv.).
Source of personal data
The personal data are provided directly by the data subject. Since the data subject is the source of the personal data, the Data Controller provides direct information to the data subject at the time of data collection regarding any possible changes in the scope of the processed data.
Recipients of the provided personal data
The personal data of the data subject may only be accessed by employees of the Data Controller who are involved in handling the complaint.
If the complaint is received via e-mail, the following data processor participates in the processing:
Google – Gmail – The Company’s e-mail service provider.
The data processor may process the personal data of the data subject solely for the purpose defined and recorded in a contract by the Data Controller, in accordance with the Data Controller’s instructions, and has no independent decision-making authority regarding the processing. The data processor has undertaken confidentiality obligations and contractual guarantees regarding the protection of the personal data obtained during the performance of its duties.
Transfer of personal data to third countries or international organizations
The Data Controller does not transfer the above personal data of the data subject to any third country or international organization.
Duration of personal data processing
According to Section 17/A (7) of the Consumer Protection Act (Fgytv.), the Data Controller is required to retain documents related to complaints for 5 years.
Automated decision-making and profiling
No such activities are carried out during data processing.
Provision of personal data
Providing personal data is mandatory for complaint handling purposes.
*****
7. Conducting recruitment procedures and evaluating job applications
Purpose of data processing
To conduct the selection process necessary for filling the advertised position, and to assess applicants’ professional and personal characteristics, educational background, and prior work experience in order to identify the most suitable candidate for the position.
Processed personal data
The CV (curriculum vitae) and, where applicable, motivation letter provided by the data subject. If the data subject provides any additional personal data to the Company, such data will also be processed in accordance with this notice. If any documents are unnecessary for evaluating the application, they will be deleted or destroyed immediately.
If the position applied for requires specific qualifications, licenses, or educational certificates, the related data will also be reviewed.
Legal basis for data processing
The legal basis for processing job applications is Article 6 (1) (b) of the Regulation, meaning that the processing is necessary to take steps, at the request of the data subject, prior to entering into an employment contract. By submitting their CV in response to a job posting, the data subject clearly indicates their intention to participate in the recruitment process.
Source of personal data
The personal data are provided by the data subject. Since the data subject is the source of the personal data, the Company provides direct information at the time of collection regarding any potential changes in the scope of the processed data.
Recipients of the provided personal data
The personal data are processed exclusively by employees of the Company who have the authority to make recommendations or decisions in relation to the advertised position.
If the CV is submitted via e-mail, the following data processor’s service is used:
Google – Gmail – The Company’s e-mail service provider.
The data processor may process the personal data of the data subject solely for the purpose defined and recorded in a contract by the Company, in accordance with the Company’s instructions, and has no independent decision-making authority regarding the processing. The data processor has undertaken confidentiality obligations and contractual guarantees regarding the protection of the personal data obtained during the performance of its duties.
Transfer of personal data to third countries or international organizations
Personal data are not transferred to any third country or international organization.
Duration of Personal Data Processing
Exclusively until the final filling of the position (after the completion of the probationary period of the selected candidate), but for a maximum of 1 year.
Automated Decision-Making and Profiling
Neither automated decision-making nor profiling takes place during the processing of personal data.
Provision of Personal Data
The processing of personal data is a fundamental requirement for evaluating the application and conducting the recruitment process.
*****
8. Sending of Newsletters
Purpose of Data Processing
The purpose of data processing is to inform current and potential customers/partners about the products, services, promotions available in the webshop, as well as about current news, updates, and promotions related to the webshop’s operation.
Processed Personal Data
E-mail address and name. In the case of newsletter subscription, we also process the data related to the time of subscription and the consent given.
Legal Basis for Data Processing
Based on Article 6 (1) (a) of the GDPR, personal data is processed on the basis of the data subject’s consent.
Recipients of Provided Personal Data
The personal data provided by the data subject may only be accessed by our employees whose job responsibilities include the processing of such data.
The following data processor is involved in the processing:
W5 Informatikai Kft.
The data processor may process the data subject’s personal data only for the purposes defined by the Data Controller and recorded in a contract, in accordance with the Controller’s instructions, and has no independent decision-making rights regarding the processing. The data processor has undertaken confidentiality obligations and contractual guarantees regarding the protection of the personal data handled during the performance of its tasks.
Duration of Personal Data Processing
Data processing continues until the data subject withdraws their consent. The data subject may unsubscribe from the newsletter at any time by clicking the unsubscribe link included in the newsletters, or may send a deletion request to hello@mybrand.hu.
Automated Decision-Making and Profiling
Neither automated decision-making nor profiling takes place during the processing of personal data.
*****
III. RIGHTS OF THE DATA SUBJECT IN CONNECTION WITH DATA PROCESSING
Right to Information
The data subject has the right to be informed about the processing of their personal data, which the Company fulfills by providing this Privacy Notice.
Data Processing Based on Consent
If the legal basis for any data processing is the data subject’s consent, the data subject may withdraw their consent at any time. However, it is important to note that the withdrawal of consent applies only to data for which there is no other legal basis for processing. If there is no other legal basis, the Company will permanently and irreversibly delete the personal data after the withdrawal. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
Right of Access
Upon the data subject’s request, the Company shall confirm whether personal data concerning them are being processed and, if so, provide access to the personal data and the following information:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Company rectification, erasure, or restriction of processing of personal data, and to object to such processing;
- the right to lodge a complaint with a supervisory authority or to seek judicial remedy;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Right to Rectification
The data subject has the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning them. Considering the purpose of processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data subject must promptly notify the Company of any changes in their personal data to ensure lawful processing and the effective exercise of their rights.
Right to Erasure (“Right to be Forgotten”)
The data subject has the right to request the erasure of their personal data by the Company without undue delay where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and there is no other legal ground for processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for processing, or the data subject objects to processing for direct marketing purposes;
- the personal data have been unlawfully processed;
- the personal data must be erased to comply with a legal obligation in EU or Member State law to which the Company is subject;
- the personal data have been collected in relation to the offer of information society services.
Right to Restriction of Processing
The data subject has the right to obtain restriction of processing from the Company where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
- the processing is unlawful, and the data subject opposes the erasure of the data and requests the restriction of their use instead;
- the Company no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
- the data subject has objected to processing, pending the verification whether the legitimate grounds of the Company override those of the data subject.
Right to Object
If the processing of personal data is based on the Company’s legitimate interests (Article 6 (1)(f) of the GDPR) or on the performance of a task carried out in the public interest (Article 6 (1)(e)), the data subject has the right to object at any time to the processing of their personal data on grounds relating to their particular situation, including profiling based on these provisions.
If personal data are processed for direct marketing purposes (such as sending newsletters), the data subject has the right to object at any time to processing of personal data for such purposes, including profiling related to direct marketing. If the data subject objects, the personal data shall no longer be processed for such purposes.
Right to Data Portability
The data subject has the right to receive the personal data concerning them, which they have provided to the Company, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller, where:
- the processing is based on consent or on a contract pursuant to Article 6 (1)(b) of the GDPR; and
- the processing is carried out by automated means.
*****
PROCEDURE FOR EXERCISING DATA SUBJECT RIGHTS
The data subject may exercise their rights by sending an email to hello@mybrand.hu, by post to the Company’s registered address, or in person at the Company’s premises. The Company will start processing the request without undue delay and will provide information on the actions taken within 30 days of receipt. If the Company is unable to comply with the request, the data subject will be informed within 30 days about the reasons for refusal and their available legal remedies.
Within five years after the death of the data subject, the rights specified in this Notice that applied to the deceased during their lifetime may be exercised by a person authorized by the data subject through a notarized or fully conclusive private document filed with the Company. In the absence of such authorization, a close relative, as defined by the Civil Code, may exercise the rights specified in Articles 16 (right to rectification), 17 (right to erasure), 18 (right to restriction of processing), and 21 (right to object) of the GDPR within five years after the death of the data subject.
*****
IV. LEGAL REMEDIES RELATED TO DATA PROCESSING
In order to enforce their right to judicial remedy, the data subject may bring an action against the Company before a court if they believe that the Company or a data processor acting on its behalf or instructions has processed their personal data in violation of the applicable data protection laws or EU regulations. The court shall handle the case as a matter of priority. The case falls under the jurisdiction of the regional court. The action may be brought before the court of the data subject’s place of residence, habitual residence, or the registered office of the Company (Budapest-Capital Regional Court).
Anyone may also lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) if they believe that a violation or imminent risk of violation of rights related to personal data processing has occurred, or if the Company restricts or refuses to comply with their request to exercise such rights.
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Postal address: 1530 Budapest, P.O. Box: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL: https://naih.hu
Budapest, 2019.09.01.
MVTML Clothing Kft.