PRIVACY POLICY

GRAJNAI Kft.

GRAJNAI Kft. (headquarters: 1117 Budapest, Nádorliget utca 7. C. building, 4th floor 401.; company registration number: 01 09 358673 ; tax number: 27951284243 ) as a data controller (hereinafter: "Service Provider", "Data Controller") hereby informs visitors to its website, its registrants, customers, and newsletter subscribers (hereinafter: Data Subject, User, You, Visitor) about the personal data it manages, its practices in the management of personal data, and the manner and possibilities of exercising the rights of the data subject.

The GRAJNAI webshop (hereinafter: Webshop) is part of the website available under the domain name www.grajnai.com (hereinafter: Website), which is considered the Data Controller's own website.

The Data Controller acknowledges the content of this legal notice regarding data management within the scope of its activities as binding. The Data Controller reserves the right to amend this Data Protection Notice (hereinafter: "Notice"). The Data Controller publishes the effective version of the Information on its website. The Data Controller handles personal data confidentially and securely and makes the necessary improvements and modifications as legal and technical possibilities change.

By using the Website, the User accepts the contents of the Information Sheet at the same time, so please read this Information Sheet carefully before using the Website.
The User gives his consent to the individual data management by using the Website, by registering, or by voluntarily providing the data in question.

DEFINITIONS

"personal data": any information concerning the data subject (identified or identifiable natural person); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;

"data management": any operation performed on personal data or data files in an automated or non-automated manner or a set of operations, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or other by making available, coordinating or connecting, limiting, deleting and destroying;

"data controller": the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others;

"data transfer": making data available to a specific third party;

"user": visitor to the Website; and the person with consumer status who registers, places an order and has an account;

"consent": the voluntary, specific and well-informed and clear declaration of the data subject's will, by which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he/she consents to the processing of personal data concerning him/her;

"data processing": the performance of technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data;

"data processor": the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;

"data protection incident": a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled;

"profiling" means any form of automated processing of personal data in which personal data is used to assess certain personal characteristics of a natural person, in particular work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement used to analyze or predict related characteristics;

"service": services provided on the Webshop available on the website, such as the fulfillment and delivery of orders for flowers and other products, as well as other services available on the Website, such as conducting workshops.

"third party": the natural or legal person, public authority or agency or any other body that is not the same as the User, the data controller, the data processor or the persons who, under the direct control of the data controller or data processor, are authorized to process personal data they got;

"website/website": www.grajnai.com

INFORMATION AND ACCESSIBILITY OF THE DATA PROCESSOR

Company name: GRAJNAI Kft.

Headquarters and mailing address: 1117 Budapest, Nádorliget utca 7. C. ép. 4th floor 401.

Company registration number: 01 09 358673

Tax number: 27951284243

Email address: info@grajnai.com

PRINCIPLES OF DATA MANAGEMENT, SCOPE OF MANAGED DATA

The Data Controller collects and processes personal data in a legal and fair manner, as well as in a transparent manner for the User.

The Data Controller collects and processes personal data only for specific, clear and legal purposes.

The personal data managed by the Data Controller are appropriate and relevant for the purposes of data management and are limited to what is necessary in terms of extent and duration.

Registration on the website is only permitted for persons over the age of 18, and the User is responsible for ensuring that his/her activities comply with the provisions of this Notice. The service provider makes every effort to filter out the processing of personal data of persons under the age of 18.

If the informant does not provide his own personal data, the informant is obliged to obtain the consent of the User.

DATA OF WEBSITE VISITORS

The range of personal data handled: identification number, date and time of the visit, IP address of the user's computer at the time of the visit.

The purposes of data management: the use of the website, the service provider's control of the operation of the services during the visit to the website, personalized service and prevention of abuse.

The legal basis for data management: the voluntary consent of the User, or Article 6 (1) point a) of the GDPR; the Elker. TV. 13/A. (3) of §

The range of Users: visitors to the Website.

Duration of data management, deadline for data deletion: 60 days from the date of viewing the website.

DATA MANAGEMENT RELATED TO ONLINE PURCHASES

Scope of processed personal data: name, e-mail address (it does not need to contain personal data), telephone number, billing data (name, country, zip code, town, street, house number), recipient's name, address, recipient's phone number, recipient's email address, in the case of a transfer, bank account number, bank card details, date of purchase, IP address at the time of purchase.

The purposes of data management: identification of the User, contacting, maintaining contact, completing a purchase, issuing a regular invoice, confirmation, more effective negotiation of questions related to purchases and invoicing, enforcement of claims, execution of technical operations.

The legal basis for data management: data management is necessary for the performance of the contract pursuant to GDPR Article 6 (1) point b) and Elker tv. 13/A. based on paragraph (3) of §

Scope of Users: all purchasing Users.

Duration of data management, deadline for data deletion: data related to the performance of the contract concluded electronically are used for the benefit of the contract and are deleted or destroyed upon its termination or upon expiry of the statutory deadline.
Pursuant to Section 169 (1) of the Accounting Act, accounting receipts and supporting documents must be kept for 8 years.

The person of the possible data controllers entitled to access the data, the recipients of the personal data: the personal data can be handled by the employees of the data controller.

We would like to inform you that the provision of personal data is essential for the conclusion of a contract concluded electronically in order to be able to fulfill your order; Failure to provide data will result in us not being able to process your order.

RESERVATION AND ORDER FOR WORKSHOP

Scope of processed personal data: name, e-mail address (it does not need to contain personal data), telephone number, billing data (name, country, postal code, town, street, house number), bank account number in the case of a transfer, bank card data, date of reservation , the IP address at the time of booking.

The purposes of data management: identification of the User, contact, maintaining contact, fulfilling a reservation, issuing a regular invoice, confirmation, more effective negotiation of questions related to reservations and invoicing, validation of claims, execution of technical operations.

The legal basis for data management: data management is necessary for the performance of the contract pursuant to GDPR Article 6 (1) point b) and Elker tv. 13/A. based on paragraph (3) of §

The range of Users: all booking Users.

The person of the possible data controllers entitled to access the data, the recipients of the personal data: the personal data can be handled by the employees of the data controller.

We inform you that

the provision of personal data is essential for the conclusion of the contract concluded electronically, so that we can fulfill your reservation and ensure your participation in the workshop;

failure to provide data will result in us not being able to ensure your participation in the workshop.

CUSTOMER CORRESPONDENCE

If you have any questions while using our services, you can contact the Data Controller using the contact information provided in this Information Sheet or the contact form located on the website under the "Contact" menu item.

The Data Controller deletes all messages received with the sender's name, e-mail address, date, time and other personal data provided in the message no later than 2 years after the date of communication.

NEWSLETTER

The Data Controller provides the possibility to subscribe to the newsletter on the Website. In this way, the User can, in advance and expressly - bearing in mind the provisions of this Information - consent to the Data Controller's offers, workshop events, promotions, and other mailings (newsletter) being sought at the contact details provided during registration, and the Data Controller managing his personal data necessary for sending advertising offers. The Data Controller does not send unsolicited advertising messages.

In the case of a newsletter, the Data Controller manages the data provided by the User during subscription to the newsletter until the User unsubscribes from the newsletter by clicking the "Unsubscribe" button at the bottom of the newsletter message or requests - without limitation or obligation to provide reasons - to be removed from the list of subscribers to the newsletter e by email or post. In case of unsubscribing, the Data Controller will not contact the User with further newsletters and offers. The User can unsubscribe from the newsletter free of charge and withdraw his consent at any time.

Scope of personal data processed: name, e-mail address, date of registration, IP address at the time of registration.

The purpose of data management is to identify the User, enable subscription to the newsletter, send the newsletter, and perform technical operations.

Scope of Users: all Users who subscribe to the newsletter.

The purpose of data management is to send electronic messages containing advertisements and offers to the User, to provide information on current information, products, and special offers.

Duration of data management, deadline for deletion of data: data management lasts until withdrawal of consent, i.e. until unsubscription. The User will be informed electronically about unsubscribing or deletion from the newsletter address list.

The person of the possible data controllers entitled to access the data, the recipients of the personal data: the personal data can be handled by the marketing staff of the data controller.

The User can unsubscribe from the newsletter at any time, free of charge.

The legal basis for data management: the User's voluntary consent, or Article 6 (1) point a) of the GDPR, Elkertv. 13/A.§a and Grt. Paragraph (5) of § 6.

We inform you that:

data processing is based on your voluntary consent;

if you want to receive a newsletter from us, it is necessary to provide personal data;

failure to provide data will result in us not being able to send you a newsletter.

DATA PROCESSORS REQUIRED

The Data Controller is entitled to use a data processor to carry out its activities.

After October 1, 2020, the Data Processors will record the personal data provided to them by the Data Controllers and managed or processed by them in accordance with the provisions of the GDPR, or are processed and a statement is made to the Data Controllers.

The Data Controller uses the following Data Processors for the operation of the IT system, the fulfillment of purchases/orders, settlement of accounts, and marketing activities:

Hosting provider

1. Activity provided by a data processor: hosting service

2. Name and contact information of data processor:

Name: Wix.com

Headquarters: Tel Aviv

3. Scope of managed data: all personal data provided by the User.

4. The range of Users: all Users who use the services of the Website or who have registered/placed an order on the website.

5. The purpose of data management: making the Website available and operating it properly. /Hosting service/

6. The duration of data management, the deadline for data deletion: lasts until the termination of the agreement between the Data Controller and the Storage Service Provider, or until the User's deletion request addressed to the Storage Service Provider.

7. The legal basis for data processing: the User's consent, or Article 6 (1) point a) of the GDPR, as well as Elkertv. 13/A. (3) of §

Transport

1. Name and contact information of data processors:

Name:

Headquarters:

Web:

Name:

Headquarters:

Web:

2. Activity performed by a data processor: delivery of products.

3. The fact of the data management, the scope of the managed data: delivery name, delivery address, telephone number, e-mail address.

4. The range of stakeholders: home delivery requesters and recipients.

5. Purpose of data management: home delivery of the ordered product.

6. Duration of data management, deadline for deletion of data: lasts until home delivery is completed.

7. Legal basis for data processing: performance of contract, GDPR Article 6 (1) point b).

Online payment

1. Name and contact information of data processors:

Web:

CIB Bank

Web: http://cib.hu

2. Activity provided by data processor: Online payment

3. The fact of the data management, the scope of the managed data: billing name, billing address, e-mail address.

4. Scope of Users: all Users requesting online payment.

5. The purpose of data management: to process online payments, confirm transactions and check abuses for the protection of users.

6. The duration of data management, the deadline for deleting data: lasts until the online payment is completed.

7. Legal basis for data processing: performance of contract, GDPR Article 6 (1) point b).

Invoicing

1. Name and contact information of data processor:

Name: KBOSS.hu Kft.

Headquarters: 1031 Budapest, Záhony utca 7.

Web: http://szamlazz.hu

2. Activity performed by a data processor: invoicing.

3. The fact of the data management, the scope of the managed data: name, billing name, billing address.

4. The range of Users: all Users placing orders on the Website.

5. Purpose of data management: issuing an invoice.

6. Duration of data management, deadline for deletion of data: 8 years based on Section 169 (2) of Act C of 2000 on accounting.

7. The legal basis for data processing: the User's consent, Article 6 (1) point a), and Elkertv. 13/A. (3) of §

MANAGEMENT OF TECHNICAL DATA, COOKIES

The data of the User's logged-in computer that is generated during the use of the service and recorded by the Service Provider's system as an automatic result of technical processes, in particular the date and time of the visit, the IP address of the User's computer, and the type of browser.

The automatically recorded data is automatically logged by the system upon entry and exit without any special declaration or action by the User. These data cannot be combined with other personal user data - except in cases made mandatory by law. Only the Data Controller has access to the data.

In order to provide customized service, the Data Controller and the designated external service providers store a small file containing a series of characters on the User's computer, so-called cookies are placed and read back. If the browser returns a previously saved cookie, the cookie management service provider has the option to connect the data saved during the User's current visits with the previous ones, but only with regard to its own content. It uses the following cookie:

Security cookie;

Temporary (session) cookies: they are automatically deleted after the User visits. These cookies are used so that the Service Provider's website can function more efficiently and securely, so they are essential for certain functions of the Website or certain applications to function properly;

Persistent cookies: these are stored for a longer time in the cookie file of the browser. The duration of this depends on the settings the User uses in his Internet browser.

Some of these cookies are used to enable the Service Provider's Website to function more efficiently and securely, they are essential for certain functions of the Website or certain applications to function properly. While other cookies have been placed for a better user experience (e.g. providing optimized navigation).

The "Help" or "Settings" function in the menu bar of most browsers provides information on how the User can disable cookies in his browser, how he can accept new cookies,

how to instruct your browser to set a new cookie or disable other cookies.

External servers assist in the independent measurement and auditing of the website's visitor and other web analytics data (Google Analytics, Facebook Analytics). The regulations for the service provide information on the handling of measurement data. Contact information: www.google.com/analytics/; https://analytics.facebook.com/.

If the User does not want the external service providers to measure the above data in the manner and for the purpose described, install the blocking add-on in his browser.

METHOD OF DATA MANAGEMENT

The Data Controller stores the data provided by the User for a specific purpose.

The purpose of automatically recorded data is to create statistics, to improve the technical development of the Website, and to protect the rights of the User. The statistical compilation may not contain any other data suitable for the identification of the concerned User in any form, therefore it is not classified as data management or data transmission.

The service provider does not check the personal data provided to him. The person providing the data is solely responsible for the accuracy of the data provided. When any User provides his/her e-mail address, he/she assumes responsibility for the fact that only he/she uses the service from the given e-mail address. In view of this responsibility, all kinds of responsibility related to logins to a specified e-mail address are borne solely by the User who registered the e-mail address.

The Data Controller does not use or may use the provided personal data for purposes other than those specified in this Notice. The Data Controller does not transfer the personal data it manages to third parties other than the Data Processors specified in this Information.

The release of personal data to third parties or authorities is possible with the prior express consent of the User, unless otherwise required by law. In any case, if the Data Controller intends to use the provided data for a purpose other than the purpose of the original data collection, the User shall be informed of this and his or her prior express consent shall be obtained, or the User shall be given the opportunity to prohibit the use.

If the User has any questions or problems while using the Data Controller's services, they can contact the Data Controller at the contact details provided on the website.

The User can contact the Service Provider's staff with any questions or comments related to data management via the known contact details. The Data Controller deletes e-mails received with the sender's name, e-mail address and other personal data provided in the message no later than 2 years after the date of data communication.

The Data Controller will provide information on data processing not listed in this Notice when the data is collected.

In response to an exceptional official request, or in the case of requests from other bodies based on the authorization of the law, the Data Controller is obliged to provide information, communicate and transfer data, and make documents available. In these cases, the Data Controller only releases personal data to the requester - if he has specified the exact purpose and the scope of the data - to the extent and to the extent that is absolutely necessary to achieve the purpose of the request.

USER RIGHTS

1. Right of access

The User is entitled to receive feedback from the Data Controller as to whether his personal data is being processed, and if such data is being processed, he is entitled to access the personal data and the information listed in the regulation.

2. Right to rectification

The User may request that the Data Controller correct inaccurate personal data concerning the User without undue delay. Taking into account the purpose of data management, the User may request the completion of incomplete personal data.

3. Right to erasure

The User may request that the Data Controller delete the personal data processed on the basis of his consent without undue delay under the conditions specified in the Regulation.

4. The right to be forgotten

If the Data Controller has disclosed the personal data and is obliged to delete it, taking into account the available technology and the costs of the implementation, it will take the reasonably expected steps - including technical measures - in order to inform the data controllers handling the data that the User has requested the personal data in question the deletion of links or duplicates of these personal data.

5. The right to restrict data processing

The User may request that the Data Controller restrict data processing upon request, in the event that the conditions specified in Article 18 (1) of the GDPR are met.

6. The right to data portability

The User is entitled to receive the personal data concerning him/her provided to the Data Controller in a segmented, widely used, machine-readable format, and is also entitled to forward this data to another data controller.

7. Right to protest

The user has the right to object to the processing of his personal data at any time, including profiling.

Request for information

The user has the right to request information from the Data Controller regarding the handling of his personal data at any time. The User can initiate access to personal data, its deletion, modification or restriction of processing, portability of data, objection to data processing in the following ways:

- by e-mail at the e-mail address admin@grajnai.

Action deadline

The Data Controller shall inform the User in writing of the measures taken following the above requests without undue delay, but no later than within 30 days of receipt of the request.

If necessary, this can be extended by 30 days. The Data Controller informs the User of the extension of the deadline, indicating the reasons for the delay, within 30 days of receiving the request.

If the Data Controller does not take measures following the User's request, it shall notify the factual and legal reasons for rejecting the request, the reasons for not taking action, and the fact that the User may file a complaint under X. at the supervisory authority specified in point or you can use your right of judicial remedy.

NOTIFYING THE USER ABOUT THE DATA PROTECTION INCIDENT

The Data Controller informs the User of the data protection incident without undue delay - in a clear and understandable manner - if the data protection incident is likely to involve a high risk for the rights and freedoms of the User(s).

In the information provided to the User, the Data Controller describes the nature of the data protection incident, and provides the name and contact information of the contact person providing further information; describes the likely consequences of a data protection incident; describes the measures taken or planned to remedy the data protection incident, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

The Data Controller is not obliged to inform the Users if one of the cases set out in Article 34, paragraph (3) of the GDPR is met.

ENFORCEMENT OPTIONS

1. The User can contact the Data Controller with comments regarding the handling of his personal data in the following way:

- by e-mail at the e-mail address admin@grajnai.com,

2. A complaint against a potential violation of the data controller can be filed with the National Data Protection and Freedom of Information Authority.

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, PO Box: 5.

Telephone: +36 -1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Website: www.naih.hu

3. The User may apply to court against the Data Controller in case of violation of his rights. The court acts out of sequence in the case.

4. If the User provided third-party data during registration to use the service or caused damage in any way while using the Website, the Data Controller is entitled to claim compensation from the User. In such a case, the Data Controller will provide all possible assistance to the acting authorities in order to establish the identity of the infringer.

OTHER PROVISIONS

1. The Data Manager's system may collect data on the activity of Users, which cannot be linked to other data provided by the User during registration, nor to data generated when using other websites or services.

2. The Data Controller undertakes to ensure the security of the data, and to take the technical measures to ensure that the recorded, stored and managed data are protected, and to do everything possible to prevent their destruction, unauthorized use and unauthorized changing it. You also undertake to call on all third parties to whom you may forward or transfer the data to fulfill their obligations in this regard.

3. The data controller declares that the cases covered by Article 37 (1) of the GDPR do not exist, so no data protection officer has been appointed.

The Data Controller pays attention to the fact that, during its data management, it acts in accordance with the applicable data protection legislation and established data protection official practice. Its basic data management principles are in line with the applicable legislation on data protection, and in particular with the following:

Regulation 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR);

CVIII of 2001 Act on certain issues of electronic commercial services and services related to the information society (Elkertv.);

Act V of 2013 on the Civil Code (Ptk.);

Act C of 2003 on electronic communications;

XLVIII of 2008 Act on the basic conditions and certain limitations of economic advertising activity (Grtv.).

This Data Management Notice enters into force on October 1, 2020.