PRIVACY POLICY
1. Data Controller Information
Name of the Data Controller: Kalina Hordó Kft.
Company Registration Number: 05-09-026149
Registered Office: H-3909 Mád, Vasút út 1, Hungary
Representative: Marianna Bodnár
2. Principles of Data Processing
This privacy policy shall remain in effect from May 25, 2018, until withdrawn.
The definitions used in this document are consistent with those provided in Section 3 of the Hungarian Act CXII of 2011 on Informational Self-Determination and Freedom of Information.
Data subject: Any natural person who is identified or identifiable, directly or indirectly, based on personal data.
Personal data: Any data that can be linked to a data subject – particularly the data subject’s name, ID number, and one or more physical, physiological, mental, economic, cultural or social identity features – as well as conclusions drawn from such data that relate to the data subject.
Consent: A freely given and explicit indication of the data subject’s will, based on adequate information, by which they give their unambiguous agreement to the processing of their personal data, whether fully or in part.
Data controller: The natural or legal person or entity without legal personality that alone or jointly determines the purpose of data processing, makes and implements decisions on data processing (including the tools used), or has them implemented by a data processor.
Data processing: Any operation or set of operations performed on the data, regardless of the method used. This includes, but is not limited to, collecting, recording, organizing, storing, altering, using, retrieving, transmitting, disclosing, aligning, combining, blocking, deleting, and destroying data, as well as preventing further use, taking photographs, audio or video recordings, and recording physical traits suitable for identifying a person (e.g., fingerprints, palm prints, DNA samples, iris images).
Data transfer: Making data available to a specific third party.
Data processing operations: Technical tasks related to data processing, regardless of the method or tools used and the location, provided the task is performed on the data.
Data processor: A natural or legal person or organization without legal personality that processes data under a contract – including contracts under legal provisions – on behalf of the controller.
Data breach: Illegal handling or processing of personal data, including unauthorized access, alteration, transmission, disclosure, deletion, destruction, as well as accidental destruction or damage.
The Data Controller outlines its data protection principles, internal expectations, and standards it abides by. Its principles are in line with applicable data protection laws, particularly:
Act CXII of 2011 on Informational Self-Determination and Freedom of Information
Act V of 2013 – Civil Code
Act C of 2000 – Accounting Act
Act CVIII of 2001 – On Electronic Commerce and Certain Issues of Information Society Services
Act C of 2003 – On Electronic Communications
Act XLVIII of 2008 – On the Basic Requirements and Certain Restrictions of Commercial Advertising
Personal data may only be processed to exercise a right or fulfill an obligation. The personal data managed by the Company may not be used for private purposes. Data processing must always adhere to the principle of purpose limitation.
As a general rule, the legal basis of data processing is the data subject's consent or, in specific cases (e.g., personal data appearing on invoices), statutory authorization.
The Data Controller shall inform the data subject during data collection that the processing of data is governed by this policy. The policy is permanently accessible on the website.
Acceptance of this privacy policy (via checkbox) confirms understanding and serves as consent.
The Company processes personal data solely for specific purposes, based on consent or legal authorization, to the extent and for the time necessary to achieve the purpose. If the purpose of data processing ceases or data processing becomes unlawful, the data must be deleted.
Before collecting data, the Company always communicates the purpose and legal basis of data processing.
Employees involved in data processing and external processors engaged by the Company are required to treat personal data as business secrets and sign confidentiality declarations.
If an individual governed by this policy becomes aware that personal data managed by the Company is incorrect, incomplete, or outdated, they must correct it or initiate its correction with the responsible staff member.
The data protection obligations of data processors are defined in the contracts concluded with them.
During work, employees must ensure unauthorized persons cannot access personal data and that data is stored securely and is not accessible, alterable, or destructible by unauthorized parties.
The Data Controller's data protection operations are supervised by the managing director.
3. Scope, Publication, and Modification of the Policy
This policy governs the relationship between the Data Controller and data subjects regarding personal data processing. It applies to individuals who:
register on the Data Controller’s website;
send messages to the Data Controller through the website;
give personal consent in person;
give consent through a third party authorized by the Data Controller.
Data may be transferred to parties identified in this policy (recipients of data transfers), who are also bound by this policy.
4. Protection of Minors
The Company prioritizes the protection of minors. Under Section 6(3) of the Info Act, no consent from a legal representative is needed for valid declarations by minors aged 16 or over.
According to Civil Code Section 2:12:
(2) A minor with limited legal capacity may act without their legal representative:
a) when authorized by law to make certain personal declarations;
b) for minor contracts covering everyday needs;
c) to manage earnings from work;
d) to conclude contracts that benefit them exclusively;
e) to make customary gifts.
Thus, the Company may accept this privacy policy only from individuals aged 16 and above who are not legally incapacitated.
If under 16, consent from a legal guardian must be sent along with the registration intent to kalina@kadarsag.hu.
5. Rights of Data Subjects
Data subjects may request information about their data processing or request correction or deletion (unless processing is required by law) at kalina@kadarsag.hu.
5.1. Right to Information
Upon request, the Company provides information about the data it processes or is processed by its data processors, including sources, purpose, legal basis, duration, name and address of the processor, activities performed, and details of any data breaches, effects, and remedial measures.
The Company will respond in writing within 25 days (or 15 in case of objections) in a clear, understandable format.
This right includes information defined in Section 15(1) of the Info Act, unless restricted by law. Information is free unless otherwise provided in Section 15(5) of the Info Act.
The Company only denies a request for reasons defined in Section 9(1) or 19 of the Info Act and must provide justification under Section 16(2).
Inaccurate data shall be corrected if adequate data and official documents are available. In cases defined in Section 17(2), personal data must be deleted.
5.2. Right to Object
Data subjects may object to processing if:
processing is based solely on legal obligations or legitimate interests of the controller or third parties (except mandatory processing);
the data is used/transferred for direct marketing, opinion polling, or scientific research;
other cases defined by law.
The Company shall assess the objection within 25 days and inform the requester in writing. If justified, data processing shall cease, and data is blocked. All relevant parties must be notified.
If the data subject disagrees with the decision or misses the deadline, they may take the matter to court within 30 days under Section 22 of the Info Act.
5.3. Data Blocking
Data shall be blocked if requested or if deletion would harm the data subject’s interests. Blocked data may be processed only while the purpose that excluded deletion exists.
5.4. Deletion
Personal data shall be deleted if unlawful, requested by the subject, incomplete/incorrect, the purpose ends, the retention period expires, or ordered by court or NAIH.
Data shall be corrected, blocked, or deleted within 25 days, and affected parties shall be notified.
The Company shall compensate for damages or privacy violations caused by itself or its processors. The controller is exempt from liability if the damage was caused by force majeure or the claimant’s gross negligence.
Complaints may be submitted to:
National Authority for Data Protection and Freedom of Information (NAIH)Address: H-1024 Budapest, Szilágyi Erzsébet fasor 22/CWebsite: www.naih.hu
Alternatively, the subject may go to court. Cases fall under the jurisdiction of the regional court and can be filed in the subject’s place of residence.
6. Website Data Processing
Data Controller: Kalina Hordó Kft.Address: H-3909 Mád, Vasút út 1Representative: Marianna Bodnár
6.1. Website
The website uses software to analyze visitor data but does not handle personal data as defined by the Info Act. Automatically collected data includes IP address, time of visit, visited pages, and browser used.
Since IP addresses may be considered personal data, such data is protected accordingly.
The website notifies users of data collection via this policy.
Legal basis: Consent per Info Act 5(1)(a) and 6(6)
Purpose: Analyze browsing habits
Scope: IP address, time, pages visited, browser name
Retention: 1 year from collection
Format: Electronic
6.2. Contact Form
Visitors may send messages through the website by providing necessary data and accepting the policy via checkbox.
Purpose: Contact and messaging
Scope: Name, email, phone, address, gender, birth date
Legal basis: Consent per Info Act 5(1)(a)
Retention: Until company dissolution or deletion request
Format: Electronic
7. Data Processing in Company Operations
Controller: Kalina Hordó Kft.Address: H-3909 Mád, Vasút út 1Representative: Marianna Bodnár
Customer Management:
The Company keeps a suppression list under Act CXIX of 1995 on data for research and marketing. It checks the list before any promotional contact.
Registry No.: NAIH-135735/2017Purpose: Customer managementScope: Customer name, emailLegal basis: Consent per Info Act 5(1)(a)Retention: Until company dissolution or deletion requestFormat: Electronic
During work, employees must lock data storage or rooms when unattended.
To secure computer-stored data, the Company ensures:
Computers are owned or controlled by the Company
Access is password-protected and regularly updated
Server data access is limited to authorized staff
Virus protection is continuously updated
Network access by unauthorized users is blocked
Policy Modifications:
The Company may modify this policy. If it affects personal data, users are notified by email and consent may be required.
For questions not covered, the Info Act applies.
Cookies:
Most services don't require data. However, cookies may be placed with user consent. Cookies are stored on the user's device and can be managed via browser settings.
Cookies do not contain executable files or spyware.
Cookies allow device recognition and personalized browsing. Login and cart features rely on cookies. Analytical cookies help improve site structure and content.
Most cookies do not store personal data. If they do, data is stored securely and accessibly only with authorization.
Cookie Management:
Browsers allow cookie control. Blocking cookies may limit site functionality. Shared device users should delete stored data or use incognito mode. Regular antivirus and spyware scans are advised.
Always update your browser to avoid security vulnerabilities.