Data Protection Notice
Nonplusz Fashion Kft. (hereinafter referred to as: Data Controller), as the operator of the website available under the domain name www.nonplusz.hu (hereinafter referred to as: Website), hereby publishes information regarding data processing carried out within the framework of the services available on the Website.
Users visiting the Website (hereinafter referred to as: User) accept all the terms and conditions set out in this Data Protection Notice (hereinafter referred to as: Notice); we therefore ask that you read this Notice carefully before using the Website.
1. Data of the Data Controller
The data controller is Nonplusz Fashion Kft.
Headquarters: 1124 Budapest, Meredek Street 29. 3rd floor, room 14.
Company registration number: 01-09-183863
Tax number: 24816720-2-43
Represented by: Managing Director Sarolta Kiss
Email address: info@nonplusz.hu
2. Scope of processed data
During registration
In order for the User to be able to use the services of the Website, in particular to be able to shop in the online store, the User has the opportunity to register on the Website. To do this, the following personal data must be provided:
- full name*;
- email address*;
- password*.
User account
After registration, the system creates the User's User Account, which contains the following data:
- the User's data provided during Registration,
- the User's data related to previous purchases.
When using the User Account, the User has the opportunity to track their orders, provide the data necessary for the purchase, and modify the data provided.
When shopping in the online store
If the User selects a product on the Website, he/she has the opportunity to provide his/her data on the purchasing interface in order for the Data Controller to fulfill his/her order. During the purchase, the following personal data must be provided (data marked with * are mandatory):
- full name*;
- shipping address (country, city, street, house number, postal code)*;
- email address*;
- billing address (if different from billing address)*;
- phone number*;
- comment;
- coupon code;
- payment method*.
The Data Controller declares that in the case of payment by bank card, it does not process, collect or store any card data necessary for the payment transaction, and does not have access to this data in any way. The Data Controller declares that it is not responsible for the legality of the processing of transaction data and bank card data by OTP Mobil Kft. (1093 Budapest, Közraktár utca 30-32.; ugyfelszolgalat@simple.hu; +36 1/20/30/70 3-666-611; hereinafter: Service Provider), which provides the possibility of paying by bank card. The User can obtain information regarding the Service Provider's data processing on the Service Provider's website or through its other contact details. OTP Mobil Kft.'s data processing policy can be accessed at the following link: http://simplepay.hu/vasarlo-aff.
Newsletter
When shopping in the web store, the User has the opportunity to subscribe to the Data Controller's newsletter, during which the Data Controller uses the following personal data:
- full name*;
- email address*.
During complaint handling
- In the case of a written complaint:
  - name;
  - mailing address or email address;
  - subject and content of the complaint.
- In the case of a verbal complaint or a verbal complaint made over the phone, if the complaint could not be resolved immediately, the Data Controller will record a report containing the following data:
  - name;
  - address;
  - place, time, method, subject and content of the complaint;
  - unique complaint identification number.
Only persons over the age of 18 are entitled to provide data on the Website.
3. Purpose and duration of data processing
The data controller uses the data for the following purposes:
- During Registration on the Website and use of the Website (ordering): The purpose of data management is to provide the services of the Website and the web store available on the Website, such as registering and fulfilling the contract concluded for the purpose of purchase, delivering the purchased products, and maintaining contact with Users in connection with the purchase.
- In case of creating a User Account: management, modification, deletion of data and purchases stored in the User Account, use of the data to facilitate ordering on the Website.
- In case of subscribing to the newsletter: sending an electronic newsletter or advertising message about offers, services and promotions related to the Data Controller and its activities to the e-mail address provided by the User (hereinafter collectively referred to as: Newsletter).
- In case of complaint handling: The purpose of data management is to handle complaints received by the Data Controller verbally, by telephone, in writing and via electronic mail, and to document the identity of the User, the exact time of the complaint and the content of the complaint, as well as the Data Controller's information regarding the complaint, for the purpose of retrieval.
4. Duration of data processing
The Data Controller processes personal data for the duration of the purpose of data processing, such as in the case of Registration or sending a Newsletter, until the User requests the deletion of their data or withdraws their consent to the processing of their personal data.
In the event of a purchase in the web store available on the Website, the Data Controller will process the necessary data for 5 (five) years following the purchase in order to enforce the claims and rights arising from the contract concluded between the User and the Data Controller pursuant to Section 6:22 of Act V of 2013 on the Civil Code. In order to fulfill the retention obligation applicable to the data controller pursuant to Section 169 of Act C on Accounting (hereinafter: Accounting Act), the Data Controller will retain the User's name and address on the accounting document for 8 years, exclusively for the purpose of fulfilling the accounting obligation.
In the event of complaint handling, pursuant to Section 17/B of Act CLV of 1997 on Consumer Protection, the Data Controller is obliged to keep the minutes of the oral complaint, the written complaint and the response thereto for 5 (five) years.
Personal data will be deleted immediately upon the termination of the purpose of data processing or at the request of the User, except for data that the Data Controller is required to retain for the period specified in the law ordering mandatory data processing based on a legal obligation.
5. Legal basis for processing personal data
During Registration and Newsletter subscription, Users consent to the Data Controller processing their personal data as described in this Notice. The processing of personal data is based on the User's voluntary consent given in accordance with this notice.
With regard to personal data processed during ordering and purchasing on the Website, the legal basis for data processing is the performance of the contract concluded between the User and the Data Controller, and the enforcement of the rights and obligations arising from the contract, pursuant to Article 6(1)(e) of the GDPR. The legal basis for data processing related to accounting documents is the statutory provision ordering mandatory data processing, i.e. Section 169 of the Accounting Act.
In the case of complaint handling, the legal basis for data processing is Section 17/B of Act CLV of 1997 on Consumer Protection.
Users may only provide their own personal data on the Website. If they do not provide their own personal data, the data provider is obliged to obtain the consent of the data subject.
6. Scope of persons entitled to access personal data, data processing
The Data Controller and the Data Processors used by it are entitled to access personal data in accordance with applicable laws.
The data is processed by the following data processor acting on behalf of the Data Controller:
- Shopify International Limited
registered office: 2nd Floor 1-2 Victoria Buildings Haddington Road Dublin 4, D04 XN32, Ireland
Purpose of data processing: Operation of web store software
The Data Controller reserves the right to involve additional data processors in data management in the future, of which it will inform Users by amending this Notice.
In the absence of express legal provisions, the Data Controller will only provide personal identification data to third parties with the express consent of the User.
7. User rights
Access to personal data
At the request of the User, the Data Controller will provide information on whether the Data Controller is processing his/her personal data and, if so, will provide access to the personal data and inform him/her of the following information:
- the purpose(s) of the data processing;
- the types of personal data subject to data processing;
- in the event of the transfer of the User's personal data, the legal basis and recipient(s) of the data transfer;
- the planned duration of data processing;
- the User's rights in relation to the rectification, erasure and restriction of processing of personal data, as well as his/her objection to the processing of personal data;
- the possibility of contacting the Authority;
- source of data;
- relevant information related to profiling;
- the name, address and activities related to data processing of data processors.
The Data Controller shall provide the User with a copy of the personal data subject to the processing free of charge. For additional copies requested by the User, the Data Controller may charge a reasonable fee based on administrative costs. If the User has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise.
The Data Controller is obliged to provide the information in a clear and understandable form, at the request of the User, without undue delay, but no later than one month from the date of submission of the request. The User may submit his/her request for access at the contact details specified in point 1.
Correction of processed data
The User may request the Data Controller (at the contact details specified in point 1) to correct inaccurate personal data or to complete incomplete data, taking into account the purpose of the data processing. The Data Controller shall carry out the correction without undue delay.
Deletion of processed data (right to be forgotten), blocking
The User may request that the Data Controller delete the personal data concerning him or her without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the User withdraws his/her consent and there is no other legal basis for the data processing;
c) the User objects to the processing of his/her personal data;
d) the processing of personal data has been unlawful;
e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
f) the collection of personal data based on consent took place in connection with the offering of information society services to children.
If the Data Controller has made the personal data public (made it available to a third party) and is obliged to delete it based on the above, it must take reasonable steps, taking into account available technology and the costs of implementation, to inform the data controllers processing the personal data concerned that the User has requested them to delete links to the personal data in question or copies or duplicates of these personal data.
Personal data does not need to be deleted if data processing is necessary:
- for the purpose of exercising the right to freedom of expression and information;
- for compliance with an obligation to process personal data under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- on the basis of public interest in the field of public health;
- for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, where the right to erasure would likely render impossible or seriously jeopardise such processing; or
- to assert, enforce or defend legal claims.
Restriction of data processing
The User has the right to request that the Data Controller restrict data processing instead of correcting or deleting personal data if one of the following applies:
- the User disputes the accuracy of the personal data, in which case the restriction applies for a period of time that allows the data controller to verify the accuracy of the personal data;
- the data processing is unlawful and the User opposes the deletion of the data and instead requests the restriction of its use;
- the Data Controller no longer needs the personal data for the purposes of data processing, but the User requires them for the establishment, exercise or defense of legal claims; or
- the User has objected to the data processing; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the data controller override the legitimate grounds of the data subject.
If data processing is subject to restrictions, such personal data may only be processed, with the exception of storage, with the User's consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or a Member State.
The Data Controller shall inform the User, at whose request data processing has been restricted, in advance of the lifting of the restriction on data processing.
Notification obligation related to the rectification or erasure of personal data or the restriction of data processing
The Data Controller shall inform all recipients to whom the personal data have been disclosed of the rectification, erasure or restriction of processing of the personal data, unless this proves impossible or involves a disproportionate effort. The Data Controller shall inform the User of these recipients upon request.
Right to object
The User may object to the processing of his/her personal data if the data processing is:
- necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- necessary for the purposes of the legitimate interests of the Data Controller or a third party;
- based on profiling.
In the event of the User's objection, the Data Controller may no longer process the personal data, unless it proves that the data processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the User, or which are related to the establishment, exercise or defence of legal claims.
If personal data is processed for direct marketing purposes or related profiling, the User has the right to object at any time to the processing of personal data concerning him or her for this purpose. If the User objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.
Data Controller's action in connection with the User's request
The Data Controller shall inform the User without undue delay, but no later than one month from the receipt of the request, of the measures taken in response to the request for access, rectification, erasure, restriction, objection and data portability. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the User of the extension of the deadline within one month from the receipt of the request, indicating the reasons for the delay. If the User submitted the request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise.
If the Data Controller does not take action following the User's request, it shall inform the User without delay, but no later than one month from the receipt of the request, of the reasons for the failure to take action, and of the fact that the User may file a complaint with a supervisory authority and exercise his/her right to judicial remedy.
Upon request by the User, the information, communication and the action taken on the basis of the request shall be provided free of charge. If the User's request is manifestly unfounded or, in particular due to its repetitive nature, excessive, the Data Controller may charge a reasonable fee, taking into account the administrative costs involved in providing the requested information or communication or in taking the requested action, or may refuse to take action on the request. The Data Controller shall bear the burden of proving that the request is manifestly unfounded or excessive.
8. Data security
The Data Controller undertakes to ensure the security of the data, to take technical and organizational measures and to establish procedural rules that ensure that the data recorded, stored and processed are protected and to prevent their destruction, unauthorized use and unauthorized modification. It also undertakes to call on all third parties to whom the data is transmitted or transferred based on the consent of the Users to comply with the data security requirements.
The Data Controller ensures that no unauthorized person can access, disclose, transmit, modify or delete the data being processed. The data being processed may only be accessed by the Data Controller, its employees or the Data Processor used by it, and the Data Controller will not pass it on to a third party who is not authorized to access the data.
The Data Controller will do everything in its power to ensure that the data is not accidentally damaged or destroyed. The Data Controller requires the above commitment from its employees involved in data processing activities.
The User acknowledges and accepts that in the event of providing his/her personal data on the Website, despite the fact that the Data Controller has modern security tools to prevent unauthorized access to or exploration of the data, the protection of the data cannot be fully guaranteed on the Internet. In the event of unauthorized access or discovery of the data despite our efforts, the Data Controller is not liable for such data acquisition or unauthorized access or for any damage incurred by the User as a result of these reasons. In addition, the User may also provide his/her personal data to third parties, who may use it for an illegal purpose or in an illegal manner.
9. Handling and reporting data protection incidents
A data protection incident is any event that results in the unlawful handling or processing of personal data, in particular unauthorized or accidental access, alteration, disclosure, deletion, loss or destruction, as well as accidental destruction and damage, in relation to personal data managed, transmitted, stored or processed by the Data Controller.
The controller shall notify the personal data breach to the NAIH without undue delay, but no later than 72 hours after having become aware of the personal data breach, unless the controller can demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, the reason for the delay must be stated, and the required information may be provided in detail without further undue delay. The notification to the NAIH shall contain at least the following information:
- the nature of the data breach, the number and category of data subjects and personal data;
- name and contact details of the data controller;
- the likely consequences of the data breach;
- the measures taken or planned to handle, prevent, and remedy the data protection incident.
The Data Controller shall inform the data subjects about the data breach via the Data Controller's website within 72 hours of the detection of the data breach. The information shall contain at least the data specified in this section.
The Data Controller keeps a record of data protection incidents for the purpose of monitoring the measures related to the data protection incident and informing the data subjects. The record contains the following data:
- the scope of the personal data concerned;
- the scope and number of those affected;
- the date of the data breach;
- the circumstances and effects of the data protection incident;
- measures taken to address the data protection incident.
The Data Controller retains the data in the register for 5 years from the date of detection of the data protection incident.
10. Legal remedies
The Data Controller will do everything possible to ensure that personal data is processed in accordance with the law; however, if the User feels that this has not been complied with, he/she has the opportunity to write to the contact details indicated in point 1.
If the User feels that his/her right to the protection of personal data has been violated, he/she may seek legal redress from the competent authorities in accordance with the applicable laws:
- at the National Data Protection and Freedom of Information Authority (address: 1055 Budapest, Falk Miksa utca 9-11.; ugyfelszolgalat@naih.hu; www.naih.hu);
- at court.
11. Other provisions
This Notice is governed by Hungarian law, in particular the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information, and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Budapest, 2025.01.01.
Nonplusz Fashion Ltd.
Data controller