Kifli.hu Shop Kft. – Data Protection and Data Processing Notice for website
Dear Customer!
We are pleased that you are interested in our services. The protection of your personal data is very important to us, therefore in the following we will inform you in detail about our data processing activities and how we use your personal data in order to provide a better and more personalised customer experience for you. When you get in touch with us, you acknowledge that depending on the type of contact, we will process some of your personal data according to this Notice.
Our company strictly adheres to the effective data protection provisions during the use and processing of personal data. We only process personal data according to the effective data protection regulations.
This short data protection and data processing notice is an extract of our Data Protection and Data Security Policy (hereinafter referred to as Policy), which we have created in order to briefly inform you about the most important regulations concerning data protection and data processing.
This Notice shall be considered as an appendix of our Policy, and in case of issues or topics not addressed in the Notice, the provisions of the Policy and the relevant regulations are effective, and they shall be interpreted together.
The Notice and the Policy are always available in their full extent at the actual place of the data processing, the headquarters of our Company (H-1111 Budapest, Lágymányosi utca 12., fszt. 2.) as well as our premises (H-1106 Budapest, Jászberényi út 45.).
Our Company reserves the right to modify this Notice at any time, and will notify the data subjects through its website by publishing the new notice.
We inform you that because of the IT environment used together with our parent company, our parent company in the Czech Republic (hereinafter referred to as “Parent Company”), Velká Pecka společnost s ručením omezeným, s.r.o. (headquarters: Sokolovská 100/94, 186 00 Praha 8 – Karlín, Czech Republic; contact email: kancelar@rohlik.cz or zakaznici@rohlik.cz, website: https://www.rohlik.cz) may also collect and use your personal data in order to develop our products and services together with maximal regard to your needs, and for other reasons.
The data protection policy of our Parent Company is available at: https://www.rohlik.cz/stranka/zasady-zpracovani-osobnich-udaju?companyId=1.
1. Definition and contact details of controller
The Controller is Kifli.hu Shop Kft. (hereinafter referred to as Controller or Company)
Our contact details:
- Company name: Kifli.hu Shop Korlátolt Felelősségű Társaság
- Headquarters: H-1111 Budapest, Lágymányosi utca 12., fszt. 2.
- Premises: H-1106 Budapest, Jászberényi út 45.
- Tax number: 26693075-2-43
- Company registration number: 01-09-339560
- Postal address: H-1106 Budapest, Jászberényi út 45.
- Telephone number: +36 80 444 333
- Email address for general enquiries: info@kifli.hu
- Email address of our Data Protection Officer: dpo@kifli.hu
- Website: www.kifli.hu
Controller consents to be bound by the contents of this Notice and accepts responsibility for all contents of this Notice and its Policy being developed according to the applicable provisions of regulations effective in Hungary and in the EU and corresponding to their requirements.
2. Personal data, data subjects and the concept of data processing
Personal data is any data or information, based on which a specific person can be identified, independently or together with other data or information, directly or indirectly.
Thus, data subjects are primarily those enquiring, customers, natural persons using the Controller’s services, our own Employees, natural person partners of the Controller, representatives of partners that are not natural persons, contact persons, and possibly other employees. The data subjects are specified exactly for each individual data processing activity.
Data processing includes any action performed with the personal data, such as the collection, storage, usage, systematisation, forwarding, modification, connection to other data, deletion and destruction of data. Data processing activities performed by Controller are based on the voluntary consent of data subjects, in accordance with the regulatory provisions, except for mandatory data processing in order to adhere to legal, regulatory responsibilities.
3. Data processing in relation to the service
3.1. One-time information request
Controller makes it possible for data subjects to request information from the Controller, for example regarding Controller’s service, by submitting data detailed in the following.
Legal basis of data processing: requesting information is based on the data subject’s voluntary consent.
Scope of data subjects: every natural person who contacts Controller by phone, email or through Controller’s website, and requests information and provides personal data.
Scope of processed data and aim of use:
Scope of processed data | Aim of use of data
name | identification
phone number | contact
email address | contact
content of the question | response
Aim of data processing: providing adequate information to the data subject and staying in contact with the data subject.
Activity and process concerning data processing:
• Data subject can discuss the services of Controller and/or other related issues with Controller, through a way or method provided by and available to Controller.
• Controller answers data subject’s question and sends it – in the same way that the information request was received, if data subject does not require otherwise – to them.
• Data subject voluntarily accepts, in accordance with the aim of data processing, that if they provided their contact details during the information request, Controller may contact them to specify the question or to provide an answer to it.
Duration of data processing: until the aim is reached. In case a legal effect is connected to requesting information and/or providing information, or it concerns the data subject or Controller on a similarly significant level, Controller processes the data for the respective limitation period.
3.2. Continuous, regular contact with data subjects
Controller ensures that the data subject can remain in contact in various ways and forums continuously or regularly. This includes for example electronic communication, such as emails and chat provided on the website, or communication via post or telephone, thus for example correspondence with data subject about Controller’s service, or with the aim of discussing a partnership before signing a contract.
Legal basis of data processing: the data subject’s voluntary consent. In case Controller and data subject enter into an agreement with each other, for example about using one of the services of Controller, the legal basis of data processing is henceforth based on the contract.
Getting in touch and remaining in contact, thus the processing of the pertinent data can be based on the legitimate interest of data subject, a third person or Controller, as well as on other legal basis determined in regulations, for example it may be mandatory according to regulations (see the Legal basis, legality chapter of Policy). In case of a request, Controller informs data subject about the legal basis according to which it processes their data.
Scope of data subjects: Every natural person, including a natural person acting on behalf of or representing a legal person – company, organisation, who remains in contact with Controller continuously or regularly beyond a one-time information request.
Scope of processed data and aim of use:
Scope of processed data | Aim of use of data
name | identification
phone number | contact
email address | contact
question, content of the question, other data provided by the data subject | response
The aim of data processing is contact with the data subject, answering or solving any arising questions, requests and others.
Activity and process concerning data processing:
• Data subject can discuss the services of Controller and/or other related issues with Controller, through a way or method provided by and available to Controller. In order to use the chat application available on the website, data subject provides their email address.
• According to the content of the contact, the regulations and internal policies, Controller takes the necessary steps, for example informs the data subject.
• Data subject voluntarily accepts, in accordance with the aim of data processing, that if they provided their contact details during the information request, Controller may contact them to specify the question or to provide an answer to it.
Controller uses a Data Processor to process data handled during contact through the chat application provided on its website:
Name of Data Processor: Daktela s.r.o.
Activity connected to data processing: identification, contact, interpretation and processing of text sent in via chat application
Headquarters: Pod Krejcárkem 975, 130 00, Praha 3, Czech Republic
Email: daktela@daktela.com
Place of data processing (address or website): Pod Krejcárkem 975, 130 00, Praha 3, Czech Republic
Data processing technology: with informatics system
Duration of data processing: until the aim is reached, or if it is in the interest of the data subject, a third person or Controller or if it is necessary for fulfilling responsibilities, then after the aim is reached, until the interest ends or until the responsibility is fulfilled. If the type of data processing or another regulation mandatorily determines the duration of data processing, then Controller processes the data for the duration determined in the relevant regulation.
For the chat application available on the website, the duration of the data processing is 24 months. The detailed description of data processing in relation to the chat application used on the website can be found in xxx chapter of this Notice.
3.3. Processing of customer data in relation to the use of service
Controller provides the possibility of assembling a shopping cart, ordering a delivery and settling the cost of goods and services to its customers on the website, by using a mobile application or through its telephone customer service.
The legal basis of data processing is the voluntary consent of data subjects and the legal interest of Controller, because the data processing is necessary for the completion of the order/contract [Article 6(1)(b) of the GDPR] according to Section 169(2) of the Accounting Act.
Scope of data subjects: Every natural person, including a natural person acting on behalf of or representing a legal person – company, organisation, who uses the services of Controller, for example orders food(s) and/or other product(s) through Controller’s website.
Scope of processed data and aim of use:
Scope of processed data in case of registration on the website | Aim of use of data
name | identification
phone number | contact
email address | contact
question, content of the question, other data provided by the data subject | response
Apple ID (if the customer uses their Apple ID to register/log in) | identification
Email address used on Facebook (if the customer uses the Facebook login possibility to register/log in) | identification
Publicly available data on customer’s Facebook profile | production of statistics
Home address, or the address provided for delivery | completing the purchase/service
Name and quantity of products purchased | completing the purchase/service; statistical analysis of purchasing habits, profile creation
Credit card details | payment
Aim of data processing: Purchase through Controller’s service (website, mobile application), creating invoice, registering and distinguishing customers, documenting purchase and payment, fulfilling accountancy responsibilities, customer contact, analysing customer habits, more targeted service for customers.
In case of credit card payment, the data of the credit card and the payment transaction by credit card is processed by Global Payments Europe, s.r.o. (V Olšinách 626/80, Strašnice, 100 00 Prague 10, Czech Republic, company ID No.: 27088936, DIČ: CZ27088936)
Activity and process concerning data processing:
• Data subject uses Controller’s service in a way that is provided by and available to Controller, for example orders food(s) and/or other product(s) from Controller.
• Controller provides the service according to the order, based on the Terms and Conditions.
• Customer habits are analysed during the purchasing process. Displaying advertisements/individual or partnership offers on the website or in the mobile application is done by automated decision making. The logic applied in automated decision making: personal data provided by data subject, geographic location, external factors (e.g. weather, time of day), as well as data of completed customer activity are used for targeting advertisements and displaying personalised marketing messages.
Duration of data processing: eight years according to Section 169(2) of the Accounting Act.
Automated decision making, profile creation: done in relation to data processing.
Effect of profile creation on the data subject: displaying messages different for individual customers, personalised and, in case of consent, containing marketing content.
According to Article 22(3) of the GDPR, data subject may ask for human intervention from Controller; may express their standpoint; may submit an objection against the decision.
Forwarding of data:
• In case of credit card payment, the identification of payer, the amount, date and time of transaction towards Global Payments Europe, s.r.o. (V Olšinách 626/80, Strašnice, 100 00 Prague 10, Czech Republic, company ID No.: 27088936, DIČ: CZ27088936).
• In case of delivery of purchased products, towards contracted delivery partners of Controller.
Legal basis of data forwarding: the data processing is necessary for fulfilling the contract [Article 6(1)(b) of the GDPR].
3.4. Data processing during credit card payment
Controller does not process data related to the payment; it uses the Global Payments Europe, s.r.o. GP webpay - 3D Secure payment portal service for payments, during which the data of the credit card and the payment transaction are not stored in the informatics system of Controller.
Legal basis of data processing: the voluntary consent of data processing, and the data processing is necessary for the fulfilment of contract [Article 6(1)(b) of the GDPR]
Scope of data subjects: every natural person who has submitted an order to Controller and fulfils the payment for the order by using a credit card.
Scope of processed data: Selling products and providing service, as data related to purchases done in connection with the purpose of data processing is forwarded for the purpose of financial transaction, transaction safety and transaction monitoring through the credit card accepting network of the Global Payments Europe, s.r.o GP webpay - 3D Secure payment portal. Scope of forwarded data: surname, first name, delivery address, billing address, phone number, email address, data related to the payment transaction. Data processed for the purpose of online payment: credit card details*. Controller does not store data related to the payment, it is provided directly for the payment, to which only Global Payments Europe, s.r.o has access.
If data marked with * is not provided, then Controller and Data Subject do not enter into contractual relationship, as the data processors cannot complete the payment transaction.
Aim of data processing: payment for the order.
Duration of data processing: 8 years after the completion of the service.
Process of data processing: the Customer submits the order and the necessary payment information on Controller’s website or mobile application.
Type of data processing: electronic
Source of data: directly from the data subject
Using a data processor: for online payment, Controller uses the following data processor: Global Payments Europe, s.r.o. (V Olšinách 626/80, Strašnice, 100 00 Prague 10, Czech Republic, company ID No.: 27088936, DIČ: CZ27088936)
3.5. Operation of chat service (customer service) on the www.kifli.hu website
Controller operates a so-called chat service on its website and messenger on its social media profile available on Facebook (Facebook Messenger). While using the service, Controller’s customer service employees respond to the written text from the data subject according to key words found in the text written by the data subject.
When Data Subject contacts us through the chat service, Controller may collect personal data about data subject. Information collected by Controller can be sorted into two categories:
• information and personal data provided by data subject during the conversation, and
• certain data from data subject’s social media profile and social activities while using the social media profile for the service.
Legal basis of data processing: It is the legal interest of Controller to simplify and make the communication with data subject processable [Article 6(1)(f) of the GDPR], as well as the consent of the data subject, if they use the chat service with a social media profile [Article 6(1)(a) of the GDPR].
Aim of data processing: Based on the communication of the data subject, response to data subject’s questions by the customer service, based on the communication of data subject, categorisation of the conversation with customer service for the purpose of creating statistics (e.g. submitting quality claims related to products, other complaints, enquiries about sales, etc.), in case of consent, displaying individual offers according to the data provided by data subject, geographical location and other information.
Data Processor:
Name of Data Processor: Velká Pecka společnost s ručením omezeným, s.r.o.
Activity connected to data processing: web hosting
Headquarters: Sokolovská 100/94, 186 00 Praha 8 – Karlín
Email: kancelar@rohlik.cz, zakaznici@rohlik.cz
Place of data processing (address or website): https://www.rohlik.cz
Data processing technology: with informatics system
Name of Data Processor: Daktela s.r.o.
Activity connected to data processing: identification, contact, storage of text sent in via chat application
Headquarters: Pod Krejcárkem 975, 130 00, Praha 3, Czech Republic
Email: daktela@daktela.com
Place of data processing (address or website): Pod Krejcárkem 975, 130 00, Praha 3, Czech Republic
Data processing technology: with informatics system
Name of Data Processor: SentiSquare s.r.o.
Activity connected to data processing: interpretation of text sent in via chat application, analysing and measuring customer satisfaction
Headquarters: Bezrucova 146/10, 301 00 Pilsen, Czech Republic
Email/telephone: info@sentisquare.com, +420 603 402 755
Data processing technology: with informatics system
Name of Data Processor: Hotjar Ltd
Activity connected to data processing: analysing and measuring customer habits and satisfaction
Headquarters: Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta, Europe
Email/telephone: +1 (855) 464-6788, support@hotjar.com
Data processing technology: with informatics system
Privacy Policy: https://www.hotjar.com/legal/policies/terms-of-service/
https://help.hotjar.com/hc/en-us/categories/360003405813?section=360007812474
Scope and aim of the processed data:
Data Subject may give the following information during registration:
Date and time of using the chat service | identification
data recorded during the visit on the website, if Data Subject uses the chat service on the website (IP address, type of browser, version number, name of operating system, build number) | improving the quality of service
Name (first name, last name, username) | identification
Platform used for the service by data subject (Facebook or web widget) | identification
personal or other information provided during the chat conversation | identification, improving the quality of service, response, standardisation of conversation, measuring user satisfaction
Information collected with automated methods while using a Facebook Account:
Data Subject has the possibility of registration for Controller’s services with a Facebook Account, in which case Data Subject accepts that the operator of Facebook provides some data related to the Facebook Account according to Facebook’s respective, relevant policies. Facebook’s effective policies are available through the following link:
https://www.facebook.com/legal/terms/plain_text_terms
If Data Subject uses the chatbot service with a Facebook Account, depending on their own settings on different social media platforms, they make certain data of their social media profile (thus for example, but not limited to name, username, email address, phone number, social media profile, gender, age, information about how the User uses the social media site and what activities they perform on it, interests, relationship status, photos, comments made by the Data Subject, other information about their online behaviour) available for Controller as well as for the Data Processor. Controller would like to bring to Data Subject’s attention that the tools provided by different social media sites and platforms create a possibility for choosing how they share – i.e. make publicly available – their personal data in their social media profiles.
Facebook’s relevant notice is available through the following link:
https://www.facebook.com/help/www/203805466323736?helpref=platform_switcher&ref=platform_switcher&rdrhc
Controller does not take any responsibility in any form for the settings applied by Data Subject and the scope of data made available during the use of the chatbot with the social media profile.
Duration of data processing: two years after the first activity (using the chatbot), if Data Subject does not use the chatbot service again within two years after the first activity, or five years, if Data Subject uses the chatbot service again within two years after the first activity. Data Processor stores and uses data recorded during the use of the chatbot service in anonymised form (in a way that is not suitable for identifying the Data Subject) even after the retention period of two or five years.
Sharing and forwarding data: towards Data Processors determined in this chapter.
Type of data processing: electronic, automated.
Source of the processed data: directly from the Data Subject, in case of using a social media profile identification from social media site, depending on the security settings of Data Subject.
Organisational and technical measures for the protection of processed data: see in a separate chapter.
Automated decision making, profile creation: done in relation to data processing.
Effect of profile creation on the data subject: displaying messages different for individual customers, personalised and, in case of consent, containing marketing content.
According to Article 22(3) of the GDPR, data subject may ask for human intervention from Controller; may express their standpoint; may submit an objection against the decision.
3.6. Handling complaints, handling quality claims, returning ordered products
Aim of data processing: Handling quality complaints occurring in relation to products and services provided by Controller, according to Controller’s Complaint Handling Policy and the Terms and Conditions document.
Legal basis of data processing: the data processing is necessary for the fulfilment of contract [Article 6(1)(b) of the GDPR] and Section 17/A(7) of the Consumer Protection Act.
Scope of data subjects: every natural person, who submits a complaint to Controller regarding products and services provided by Controller.
Scope of processed data and aim of use:
Scope of processed data | Aim of use of data
name | identification
phone number | contact
email address | contact
unique identification number of complaint | complaint handling
description of complaint | complaint handling
Aim of data processing: handling the submitted complaint.
Duration of data processing: Regarding the copies of records about the complaint and responses to written complaints, it is five years according to Section 17/A(7) of the Consumer Protection Act.
Sharing and forwarding data: does not occur.
4. Data processing activities for the purpose of marketing and market research
4.1. Sending newsletters
Data Subject may subscribe to the newsletter on the website, through the mobile application, or before or during the use of services, or in a different way by submitting data determined hereinafter.
Legal basis of data processing: subscribing to the newsletter is based on voluntary consent.
Scope of data subjects: Every natural person who wishes to be informed about Controller’s news, sales and discounts, and therefore subscribes to the newsletter service by submitting their personal data.
Scope and purpose of the processed data:
name | identification
email address | sending newsletters
Aim of data processing: The purpose of the data management related to newsletter sending is to provide the recipient with full general or personalised information about the latest offers, events, news of Data Controller, and notify about any changes or delays in services.
Use of a data processor: Data Controller uses a Data Processor to process the personal data related to Newsletter sending:
Name of Data Processor: The Rocket Science Group LLC. (Mailchimp)
Activity connected to data processing: Newsletter sending, storing and managing of the database of newsletter subscribers
Headquarters: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA
Data processing technology: with informatics system
Access to Privacy Policy: https://mailchimp.com/legal/privacy/
Name of Data Processor: Sailthru, Inc.
Activity connected to data processing: Newsletter sending, storing and managing of the database of newsletter subscribers
Headquarters: One World Trade Center, Suite 48A, New York, NY 10007
Data processing technology: with informatics system
Access to Privacy Policy: https://www.sailthru.com/legal/privacy-statement/
https://www.sailthru.com/legal/agreements/
The newsletter is sent by the data processor entrusted with this task, as defined above, in the name and for the benefit of Data Controller, on the basis of the relevant contract.
The data management process:
- On the website of Data Controller and in its mobile application, data subject has the opportunity to subscribe to newsletters, by providing their email address and confirming to have read the data management information.
- Data subject can subscribe to the feed published on social media, especially on the Facebook wall, by clicking on the “like” link on the page, and can unsubscribe by clicking the “dislike” link on the same page, and can delete unwanted feeds that appear on the messaging wall by using its settings. You can find information about social network site feeds, unsubscribing and subscribing, and the data management of the given social networking site on the specific site.
Data management method: it is carried out with an IT system, electronically.
Data source: directly from the data subject. The data subject can unsubscribe from the newsletter at any time, at the bottom of the emails or by sending a cancellation request to the email address: info@kifli.hu. Data subject can unsubscribe from the newsletter by post, through a letter sent to the marketing department of Kifli.hu Shop Kft., to the address H-1106 Budapest, Jászberényi út 45.
Data management duration: at the request of the data subject until cancellation or if the data subject does not give further consent.
Data Controller and the Data Controller’s data processor will only manage the personal data collected for this purpose until the data subject has unsubscribed from the newsletter list.
Data Controller reviews the newsletter list every three years and after three years requests a confirmatory consent to send newsletters. The data of the data subject who does not give confirmatory consent will be deleted by Data Controller from its records.
Data Controller keeps statistics on the readings of the newsletters sent out, by means of the clicks made on the links found in the newsletters.
4.2. Organising prize competitions
Data Controller allows data subjects to participate in prize competitions by providing their data detailed below and in accordance with the rules applicable to the specific competition. The current competition(s) and the relevant game rule(s) and conditions are available on Data Controller’s website.
Legal basis of data management: participation in the prize competition is based on voluntary consent.
Scope of data subjects: Any natural person who, by providing their data, wishes to participate in a prize competition organised by Data Controller.
Scope and purpose of the processed data:
name | identification
phone number | contact
email address | contact
address | contact
The data management’s purpose is to identify data subjects during the draw and to maintain contact.
Activity and process concerning data processing:
• The data subject, in accordance with the rules of the relevant prize competition, may enter the prize competition by providing their details.
• Data Controller shall record the data electronically and/or on paper and carry out the draw in accordance with the rules of the prize competition.
• Data Controller will contact the winners using the provided contact details.
• Data Controller may make the winners’ names available to other data subjects and third parties on its website in accordance with the relevant game rules, therefore notifies data subjects to consider participating in the prize competition while taking this fact into account.
• In conformity with the purpose of data processing the data subject voluntarily agrees to the Data Controller contacting him/her through the provided contact details, inform him/her of the potential impossibility of the prize draw or to clarify receipt of the prize, respond to his/her possible complaints or to take other steps related to such complaint.
Duration of data processing: in relation to identification and contact information, until the limitation of the enforceability of rights and obligations under the legal relationship in relation to which the Data Controller processes personal data; with regard to data entered on supporting documents, where such supporting documents support accounting records, the period of data processing is at least 8 years pursuant to Section 169(2) of Act C of 2000.
4.3. Completion of questionnaires, feedback, satisfaction surveys, market research
The Data Processor shall enable data subjects to complete questionnaires related to satisfaction surveys, market research or serving other purposes, such as prize draws, by providing their data detailed below, by which they provide feedback.
Legal basis of data processing: completion of questionnaires is based on voluntary consent.
Scope of data subjects: all natural persons at a minimum age of 16, who wish to participate in completion of the questionnaire sent by the Data Controller or published on the Data Controller’s website by providing their data.
Scope and purpose of the processed data:
name | identification
email address | contact
mobile number | contact through text messages and “push notification”
Data processing has the purpose of identifying data subjects in the draw organised with persons completing the questionnaire and of maintaining contact.
Activity and process concerning data processing:
• The Data Controller shall send questionnaires and satisfaction surveys to the email address provided by the data subject during shopping/registration. For prize draws, the data subject may apply to participate in the prize draw by providing his/her email address.
• During shopping/registration the data subject may agree to receiving “push notifications” or text messages related to his/her mobile phone number; in case of such consent, the Data Controller may send such types of messages related to customer satisfaction surveys and feedback to the mobile phone of the data subject.
• The Data Controller shall record data electronically and/or on paper.
• In conformity with the purpose of data processing the data subject voluntarily agrees to the Data Controller contacting him/her through the provided contact details.
Duration of data processing: for identification and contact information, the period lasts until the limitation of the enforceability of rights and obligations under the legal relationship in relation to which the Data Controller processes personal data; for data entered on supporting documents, where such supporting documents support accounting records, the period of data processing is at least 8 years pursuant to Section 169(2) of Act C of 2000, otherwise 2 years.
Data management method: it is carried out with an IT system, electronically.
Data source: directly from the data subject.
4.4. Building of marketing database
In the course of using services on the Data Controller’s website and/or mobile application (e.g. purchasing products) and upon separate requests (as an indicative example, during events or the delivery of products), the Data Controller may request the consent of the data subject to direct marketing, customised offers, discounted offers, and the analysis of shopping habits for the development of the Data Controller’s services.
Legal basis of data processing: the data subject’s voluntary consent pursuant to Section 6(5) of the Act on Business Advertising Activity.
Scope of data subjects: Natural persons at a minimum age of 16 who have given their consent to the Data Controller performing direct marketing enquiries and to the analysis of shopping habits, i.e. profiling.
Scope and purpose of the processed data:
• unique buyer identification code: identification
• name: identification
• email address: contact
• address, delivery address: contact, profiling
• analytical data of IT systems (IP address, type of browser, type of phone, time spent on website, in mobile app, route taken during shopping, type and number of products purchased, demographic data, shopping transaction data): customer profiling
Aim of data processing: the generation of a business-purpose database, the sending of electronic newsletters to data subjects, also including financial advertisements, the preparation of personalised offers using online analytical data, the forwarding of the data subjects’ and their partners’ offers, the creation of customer profiles, and the development of the services of the Data Controller.
Duration of data processing: until the withdrawal of the data subject’s consent. The Data Controller notes that the deletion of the customer account created on the website/mobile application does not mean the automatic withdrawal of the data processing consent; the consent shall be withdrawn by the data subject separately. In addition, the Data Controller notes that the withdrawal of the consent does not result in the termination of the processing of customer data (e.g. payment transactions), the processing of which is laid down in legal provisions (e.g. Act on Taxation, VAT Act).
Data management method: it is carried out with an IT system, electronically.
Automated decision making, profile creation: done in relation to data processing.
Effect of profile creation on the data subject: displaying personalised messages that differ between individual customers and, in case of consent, contain marketing content.
According to Article 22(3) of the GDPR, the data subject may ask for human intervention from the Controller, may express their standpoint, and may submit an objection against the decision.
Data source: directly from the data subject and data generated during the shopping by the data subject.
Use of a data processor:
Name of Data Processor: Velká Pecka společnost s ručením omezeným, s.r.o.
Activity connected to data processing: web hosting
Headquarters: Sokolovská 100/94, 186 00 Praha 8 – Karlín
Email: kancelar@rohlik.cz, zakaznici@rohlik.cz
Place of data processing (address or website): https://www.rohlik.cz
Data processing technology: with an IT system
5. IT data processing
5.1. Logging the kifli.hu website server and the servers of the mobile apps
To operate its website and mobile application safely and continuously, the Data Controller records user data, the analysis of which can identify the given user.
Browsing the website without user registration or shopping does not record data directly suitable for the identification of the data subject.
Legal basis of data processing: The legal interest of the Data Controller [Article 6(1)(f) of the GDPR] and Section 13/A(3) of Act CVIII of 2001.
Scope of data subjects: Those data subjects who browse the website of the Data Controller available at kifli.hu or use the mobile application.
Scope and purpose of the processed data:
• IP address, data of the operating system and the Internet browser, time when the website is visited, time spent on the website, the time when the mobile application is used, the duration of the mobile app use, the geolocational data of the data subject if the data subject authorizes their use on the given device: the ensuring of IT operation, service provision
Aim of data processing: The safe and continuous operation of the Data Controller’s website and mobile application.
Duration of data processing: one year
Data management method: it is carried out with an IT system, electronically, automatically.
Automated decision making, profile creation: not done in relation to data processing.
Data source: directly from the data subject.
Use of a data processor:
Name of Data Processor: Velká Pecka společnost s ručením omezeným, s.r.o.
Activity connected to data processing: web hosting
Headquarters: Sokolovská 100/94, 186 00 Praha 8 – Karlín
Email: kancelar@rohlik.cz, zakaznici@rohlik.cz
Place of data processing (address or website): https://www.rohlik.cz
Data processing technology: with an IT system
5.2. Handling cookies
The handling of cookies is governed by the provisions of the Cookie statement of the Data Controller.
5.3. Location data
With the website and mobile application, the Data Controller collects data about the exact location of the data subject’s PC / mobile phone.
Legal basis of data processing: The legal interest of the Data Controller [Article 6(1)(f) of the GDPR] and Section 13/A(3) of Act CVIII of 2001.
Scope of data subjects: Those data subjects who browse the website of the Data Controller available at kifli.hu or use the mobile application.
Scope and purpose of the processed data:
• location data: service provision
Aim of data processing: The ensuring of the delivery service by the Data Controller.
Duration of data processing: two years. Most computers, tablets and mobile phones allow users to withdraw the consent given to collect the above information through the device or browser settings. It may occur that certain services do not work appropriately without location data. For example, when localization is authorized, the website appears in the language of the country where the device is used.
If you, as the data subject, request the deletion of your location data, please contact us.
Data management method: it is carried out with an IT system, electronically, automatically.
Automated decision making, profile creation: not done in relation to data processing.
Data source: directly from the data subject, through manual provision by the data subject or through the location data provided by the device used by the data subject.
Use of a data processor:
Name of Data Processor: Velká Pecka společnost s ručením omezeným, s.r.o.
Activity connected to data processing: web hosting
Headquarters: Sokolovská 100/94, 186 00 Praha 8 – Karlín
Email: kancelar@rohlik.cz, zakaznici@rohlik.cz
Place of data processing (address or website): https://www.rohlik.cz
Data processing technology: with an IT system
6. Processing in relation to the consent
The Data Controller requests paper-based or electronic consent from the data subjects to become familiar with, process or, where appropriate, transmit their data.
Legal basis of data processing: data processing is based on voluntary consent.
Scope of data subjects: Every natural person who consents to the processing of their data for any reason.
Scope and aim of the processed data:
• name: identification
• place and date of birth: identification
• data indicated in the statement of consent: necessary to make the consent
Aim of data processing: the processing of the statements of consent is necessary for the provability of the legal basis for the data processing and of the making of the consent (principle of accountability), as well as for contact.
Use of a data processor:
Name of Data Processor: Velká Pecka společnost s ručením omezeným, s.r.o.
Activity connected to data processing: web hosting
Headquarters: Sokolovská 100/94, 186 00 Praha 8 – Karlín
Email: kancelar@rohlik.cz, zakaznici@rohlik.cz
Place of data processing (address or website): https://www.rohlik.cz
Data processing technology: with an IT system
Activity and process concerning data processing:
• The data subject consents to the processing of the data through or by the means made available to him or her by the Data Controller; for example, the data subject gives his or her prior consent to data processing electronically on the website of kifli.hu or on paper.
• The Data Controller stores and processes the statements of consent on paper or electronically for future reference and provability. The Data Controller processes the statements of consent confidentially.
Duration of data processing: the period lasts until the limitation of the enforceability of rights and obligations under the legal relationship in relation to which the Data Controller processes personal data; or, if no such relationship has been established, until erasure at the request of the data subject.
7. Data security measures
The Data Controller shall ensure the security of the processing of personal data during their storage and retention in accordance with the applicable legal requirements, using the technical means at its disposal, in such a way as to ensure the privacy of the data subjects.
The Data Controller shall always take all measures to prevent unauthorised access to the personal data and unauthorised processing of personal data in any form.
The Data Controller shall physically store the electronically processed data at the following hosting service provider: the data centre of the Czech Master Internet společnost s ručením omezeným, s.r.o. (registered seat: Jiráskova 21, 602 00 Brno – střed, Czech Republic; telephone: +420 515 919 805, email: info@master.cz, website: https://www.masterdc.com/) in Prague (MasterDC Prague data center), at the address Kodaňská 46, 101 00 Praha 10 – Vršovice, Czech Republic (website: https://www.masterdc.com/data-center-prague/).
For more information please visit the website of our hosting service provider, in particular: the GTC of the Master Internet, s.r.o., which is available here: https://www.masterdc.com/terms-and-conditions/, and for more information on privacy issues please read the privacy policy of Master Internet, s.r.o., too, which is available here: https://www.masterdc.com/privacy-policy/.
In order to protect electronically processed data, the Data Controller shall ensure, by appropriate technical means (including pseudo-anonymisation), that the stored data cannot be directly linked and attributed to the data subject, except where permitted by law:
• in all cases, the controller of your personal data is our Company;
• we use IT security tools such as firewalls and data encryption, and we also use physical access protection tools in our buildings and records to ensure data security;
• we only give access to personal data to those employees whose work absolutely requires it;
• we also protect the security of your information when it is transmitted by encrypting it, for example by using Secure Sockets Layer (SSL);
• we use physical, electronic and procedural security devices to collect, store and share personal data, and we may also ask for proof of identity before sharing your personal data with you;
• we will keep your personal data only for the necessary period of time, which will depend on why we collected it in the first place, how long we have kept your personal data, whether there is a legal/official requirement to keep these data, and whether your personal data is necessary for the purpose of protecting you or us – after the contract has been performed.
8. What are your rights regarding data processing?
You have the right at any time to:
• request information about the processing of your personal data,
• request the correction of your personal data,
• request the restriction of the processing of your personal data (withdraw your consent to certain processing or change the way of contact previously requested),
• request the erasure of your personal data (fully withdraw your consent).
To exercise your rights, contact our Data Protection Officer.
You may request information from our Company about the processing of your personal data. Our Company will respond to your request in writing within 30 days.
You may withdraw your consent regarding the processing of all or part of the data you have already given at any time in writing, without restriction and without giving any reason. Our Company will ensure the termination of the data processing within 15 working days after receiving the notification of the withdrawal of consent, and will permanently delete from its records the personal data affected by the withdrawal. Exceptions to this are personal data processed by our Company for the purpose of fulfilling a legal obligation to which it is subject, as described above.
9. In case of a complaint
You may lodge a complaint about the processing of your data with our Data Protection Officer at any time. You can find the contact details of our Data Protection Officer in section “1. Definition and contact details of Controller” of this Guide. The Data Protection Officer will investigate complaints within 30 days of receipt of the complaint, take action as necessary and inform you of the outcome of the investigation and the action taken.
While as a Company we will do our best to ensure that your data is handled appropriately, if you disagree with the results of our investigation and our actions, or otherwise believe that you have suffered a violation of rights in relation to the processing of your personal data, you may contact the Hungarian National Authority for Data Protection and Freedom of Information (postal address: H-1363 Budapest, Pf.: 9.; address: H-1055 Budapest, Falk Miksa utca 9-11.; phone: +36 (1) 391-1400; fax: +36 (1) 391-1410; email: ugyfelszolgalat@naih.hu; web: http://naih.hu) or you can apply to the competent court (including the court competent at your place of residence).
We recommend that you send your complaint or enquiry directly to our Company by contacting us in one of the ways listed in the Contact details, so that you can have any problems resolved as soon as possible.
10. Data protection l
The following principles apply to data processing by the Data Controller:
The principles set out in the GDPR are implemented as a minimum requirement in our Company’s data management practices. Our Company complies with the following principles and the following requirements are met to the maximum extent possible.
The principles set out in the GDPR are:
- Principles of lawfulness, fairness and transparency
We process personal data lawfully and fairly and in a manner that is transparent for the data subject. We ensure the fairness of the processing of personal data concerning natural persons.
It is transparent to natural persons how personal data concerning them are collected, used, consulted or otherwise processed. Information and communication relating to the processing of personal data is easily accessible and easy to understand, and it is presented in clear and plain language.
- The purpose limitation principle
We process your personal data only for specific purposes, for exercise of rights and performance of obligations. At all stages of data processing, the purpose of the processing is fulfilled and the collection and processing of data is fair and lawful.
- The data economy principle
Data processing must be necessary and relevant.
The processing of personal data is only allowed if the processing cannot be carried out in any other reasonable way. Personal data must be adequate and relevant for the purpose for which they are processed and the scope of the data must be limited to the minimum necessary for that purpose. Our company fulfils this requirement.
- The principle of accuracy
Personal data must be accurate and up to date, thus we implement every necessary measure in order to promptly delete or correct personal data that is inaccurate regarding the aim of data processing.
- The principle of limited storability
We store data for the shortest amount of time possible. When determining this duration we take into account the background of data processing, as well as the legal obligation concerning the preservation of data for a definite duration.
- The principle of integrity and confidentiality
We must process personal data in a way that ensures the adequate safety of personal data by implementing appropriate technical or organisational measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage of data.
- The principle of accountability
This is an absolute principle, which our Company respects. Our Company, as a controller, is responsible for its compliance with the data processing principles determined previously, and is able to prove its compliance from the planning of data processing to the end of data processing. We can prove this compliance at any phase of the workflow of data processing.
11. Regulations concerning data processing
Our data processing principles correspond with the regulations and provisions concerning data processing and data protection effective in Hungary and in the European Union, including, but not limited to the following regulations:
• Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
• Act CXII of 2011 – on informational self-determination and freedom of information (Privacy Act)
• Act CVIII of 2001 – on certain issues of electronic commerce services and information society services (Electronic Commerce Services Act)
• Act V of 2013 – on the Civil Code (Civil Code)
• Act CLV of 1997 – on consumer protection (Consumer Protection Act)
• Act XLVIII of 2008 – on essential conditions of and certain limitations to business advertising activity (Act on Business Advertising Activity)
• Act XIX of 1998 – on criminal proceedings (Criminal Proceedings Act)
• Act C of 2000 – on accounting (Accounting Act)
• Act C of 2003 – on electronic communications (Electronic Communications Act)
12. Other provisions
In this Notice, Controller presented the data processing processes that are characteristic for contact and the use of service on the website and by utilizing the mobile application. Controller processes data in addition to these for establishing employment relationships, employment, establishing partnerships, and for the purpose of other customer relationships.
If you are our employee or applying for an open position, or would like to get to know all of the data processing activities of our company for another reason, please contact us by using the contact details provided in chapter I.
Concerning data processing not determined in the Notice, our Company provides information during the individual data processing before recording any personal data.
Based on regulatory authorization, other bodies may approach Controller for the purpose of providing information, sharing and forwarding data or making documents available. In this case Controller – if the body requesting data indicates the exact purpose and the scope of data – releases only the amount of personal data that is absolutely necessary in order to reach the aim of the request.
Date of last update of Notice: 2021.05.06.