Privacy Policy

The data management information can be downloaded from the following link: Data Management Information

I. The purpose of the data management information

This data management information sheet was created for the clothing retail and mail order online retail activities of FDRS Kft. (hereinafter referred to as "Data Controller") at www.chilidresses.hu  regulates the data management of its website. The Data Controller is committed to protecting the personal data of its customers, partners and employees. Therefore , personal data is handled confidentially . The Data Controller takes all security, technical and organizational measures that guarantee the security of the data, and these measures are reviewed from time to time.

The purpose of this information is to explain the data management principles of the Data Controller, to present the expectations that the organization formulates and adheres to itself as a data controller.

The personal data of the Customers will be processed exclusively for the purposes specified in this information sheet, in accordance with the principles of fair and legal data management, to the extent and for the necessary time.

The data controller and its contact details:

• Company name: FDRS Kft.
• Headquarters: 6000 Kecskemét, Kosztolányi Dezső utca 4.
• Tax number: 13208772-2-03
• Company registration number: 03-09-111328
• E-mail: info@chilidresses.hu
• Phone: +36 20 242 9502

Contact details of the data protection officer:

• Name: Dóra Fodor
• E-mail: info@chilidresses.hu
• Phone: +36 20 242 9502
• Contact: 6000 Kecskemét, Kosztolányi Dezső utca 4.

Duties of the data protection officer:

• Informing the Data Controller and employees performing data management, and providing them with professional advice regarding obligations under the GDPR and other data protection regulations
• Verification of compliance with the regulation and the Internal Data Protection Regulations established here
• Cooperation with supervisory authorities
• Contact with the supervisory authorities and the Data Subjects.

Legislation applied in data management:

• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL On the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Regulation 95/46/EC (General Data Protection Regulation) (April 2016) 27.)
• year CXII. Act - on the right to self-determination of information and freedom of information (hereinafter: Infotv.)
• year CVIII Act - on certain issues of electronic commercial services and services related to the information society (mainly § 13/A)
• year XLVII law - on the prohibition of unfair commercial practices towards consumers;
• year XLVIII Act - on the basic conditions and certain limitations of economic advertising (especially § 6.a)
• XC of the year Act on Electronic Freedom of Information
• Act C of 2008 on electronic communications (specifically § 155.a)
• 16/2011. s. Opinion on the EASA/IAB Recommendation on Best Practices for Behavioral Online Advertising
• The recommendation of the National Data Protection and Freedom of Information Authority on the data protection requirements of prior information

We provide information on data management not listed in this information when the data is processed.

II. Concept definitions

• " personal data ": any information relating to an identified or identifiable natural person ("data subject"); a natural person who can be identified directly or indirectly, in particular by an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
• " data management ": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, limiting, deleting or destroying;
• " data controller ": the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;
• " data processor ": the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;
• " recipient ": the natural or legal person, public authority, agency or any other body to whom or to which the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the management of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of data management;
• " consent of the data subject ": the voluntary, specific and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to the processing of personal data concerning him;
• " data protection incident ": a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled.

III. Basic principles for handling personal data

1) Legality, fair procedure and transparency

In handling the data, the Data Controller acts fairly and legally, and in all stages of the data management in accordance with the purpose of the data management.

2) Purposefulness

Personal data is collected exclusively for specific, clear and legal purposes.

3) Data saving

The processed data are appropriate and relevant for the purposes of data management and are limited to what is necessary.

4) Accuracy

During data management, the Data Controller strives to ensure the accuracy, completeness and up-to-dateness of the data and takes all measures to immediately delete or correct inaccurate personal data for the purposes of data management.

5) Limited storage capacity

The Data Controller processes personal data only to the extent and for the time necessary to achieve the purpose, and further ensures that the identification of the data subject is not possible.

6) Integrity and confidentiality

Adequate security of handled personal data must be ensured by applying appropriate technical or organizational measures. This also includes protection against unauthorized or illegal processing, accidental loss, destruction or damage of data.

ARC. Data management

In order to make a purchase in the online store, as well as to enter into and fulfill the contract related to it, several cases of data management may be implemented, as explained below. If the webshop is only visited, without a purchase, the data processing listed here only applies to data processing for marketing purposes. Certain data processing, for example, data processing related to complaint handling and warranty administration, is only carried out if the data subject exercises one of his rights (according to the provisions of Chapter VII).

1. Administration for the direct contact option (contact box on the website)

The Data Controller maintains a contact option on its website for the purpose of direct inquiry by the Data Subjects. Interested persons can enter their messages in a text box, together with their e-mail address. The Data Subject can send his message to the Data Controller after consenting to data management. The message sent in this way will be sent to the e-mail account of the Data Controller.

Type of personal data	Purpose of data management	Legal basis
Surname, first name, email address	Enabling direct customer inquiry via website	Stakeholder consent

Scope of stakeholders: Persons using the contact option on the website.

Duration of data management: Data management can be terminated by withdrawing the data subject's consent.

Recipient categories: Employees performing administration related to the website.

2. Registration on the website

By entering the data during registration, the Data Controller can provide a more convenient service by following the status of the orders placed, or by making it unnecessary for the data subject to enter their data when making new purchases. Registration is not a condition for concluding a contract and online shopping.

Type of personal data	Purpose of data management	Legal basis
Last name, first name, email address, home address, delivery address, telephone number, password, date of registration, IP address related to registration	Provision of customer/interested registration option	Stakeholder consent

Stakeholders: Persons registered in the webshop.

Duration of data management: Data management can be terminated by withdrawing the data subject's consent.

Recipient categories: Employees performing sales and marketing activities and IT tasks related to the website.

3. Data management related to the operation of the online store (order submission, processing).

The basic activity of the Data Controller is online clothing retail. Pursuant to this, those involved in the purchase process are required to provide their personal data, which is essential for placing the order. In possession of this data, the Data Controller can ensure the sale of its products to customers and fulfill the contract between the two parties.

Type of personal data	Purpose of data management	Legal basis
Surname and first name, E-mail address, telephone number, Billing name and address, Shipping name and address, date of purchase, IP address related to the purchase	Fulfillment of the contract related to the purchase	Fulfillment of contract

Stakeholders: People who shop in the webshop.

Duration of data management: The data of the data subjects must be kept for 5 years according to the civil law statute of limitations.

Recipient categories: The Data Controller's employee processing the order.

Claimed Data Processor:

• Activities performed: Webshop service provider
• Name and contact information:
  • Name: Shopify Inc.
  • Company registration number: -
  • Tax number: -
  • Headquarters: 151 O'Connor Street, Ground Floor, Ottawa, ON K2P 2L8, Canada
  • Contact: https://www.shopify.com/contact
  • Website: https://www.shopify.com/
• Scope of data transferred to the data processor: Customer data provided during online shopping
• The scope of those affected: People who shop in the online store
• Purpose of data processing: Operation of the webshop
• Duration of data processing: According to the provisions of the individual data management processes
• Legal basis for data processing: Contractual obligation

4. Data transfer activity: Online payment

During the purchase process, customers must enter their bank card details in order to enter their payment details and complete the online payment through the payment gateway integrated into the shopping process of the webshop and belonging to OTP Mobil Kft. In this process, www.chilidresses.hu does not have access to the customers' financial data, so it is not part of it as a Data Controller. The data is received directly by OTP Mobil Kft., which is the recipient of the data transfer activity.

Claimed Data Manager (Recipient of Data Transfer):

• Activity performed: Online payment
• Name and contact information:
  • Name: OTP Mobil Kft.
  • Company registration number: 01-09-174466
  • Tax number: 24386106-2-43
  • Headquarters: 1143 Budapest, Hungária krt. 17-19.
  • Phone: +36 1 366 6611
  • E-mail: ugyfelszolgalat@simple.hu
  • Website: https://www.simplepay.hu/
• Scope of data forwarded to the data controller: name of the bank issuing the bank card, bank card number, name written on the card, expiry date, CVC code
• Stakeholders: Customers who choose to pay on the website
• Purpose of data management: Online payment processing, transaction confirmation and fraud monitoring for the protection of users
• Duration of data management: Online payment processing
• Legal basis for data management: Article 6, paragraph 1, point b) of the GDPR. Data processing is necessary for online payment at the request of the data subject.

5. Issuance of an invoice related to a purchase

The data management process takes place in order to issue an invoice in accordance with the legislation and to fulfill the obligation to preserve accounting documents. The Sztv. Pursuant to § 169, paragraphs (1)-(2), economic companies must keep the accounting documents directly and indirectly supporting the accounting.

Type of personal data	Purpose of data management	Legal basis
Surname and first name, E-mail address, phone number, Billing name and address, date of purchase	Issuance of the invoice related to the purchase	Legal obligation

Stakeholders: People who shop in the webshop.

Duration of data management: CXXVII of 2007 on general sales tax. On the basis of Section 159 (1), the issuance of the invoice is mandatory and it must be kept for 8 years on the basis of Section 169 (2) of Act C of 2000 on accounting [Data processing according to Article 6 (1) point c) of the Regulation].

Recipient categories: The Data Controller's employee processing the order.

6. Home delivery of purchased products

The data management process takes place in order to deliver the ordered products to your home, by using a Data Processor.

Type of personal data	Purpose of data management	Legal basis
Surname and first name, E-mail address, phone number, Billing name and address, date of purchase	Issuance of the invoice related to the purchase	Fulfillment of contract

Stakeholders: People who shop in the webshop.

Duration of data management: The data manager manages the data until the delivery of the ordered goods

Recipient categories: Employees of the Data Controller processing the order, employees of the data processor performing home delivery.

Claimed Data Processor:

• Activities performed: Product delivery, transport
• Name and contact information:
  • Name: Foxpost Zrt.
  • Company registration number: 10-10-020309
  • Tax number: 25034644-2-10
  • Headquarters: 3200 Gyöngyös, Batsányi János utca 9.
  • Postal address: 1097 Budapest, Táblás utca 36-38
  • Phone: +36 1 999 0369
  • E-mail: info@foxpost.hu
  • Website: http://www.foxpost.hu/
• Scope of data transferred to the data processor: Shipping name, Shipping address, telephone number, e-mail address
• Stakeholders: Customers requesting home delivery
• Purpose of data processing: Delivery of the ordered product to your home
• Duration of data processing: Conducting home delivery
• Legal basis for data processing: Contractual obligation

7. Management of cookies

Cookies specific to online stores are the so-called "cookie used for a password-protected session", "cookies required for the shopping cart" and "security cookies", the use of which does not require prior consent from the data subjects. More detailed information about the cookies used by the Data Controller can be found at https://chilidresses.hu/pages/cookie-szabalyzat .

Type of personal data	Purpose of data management	Legal basis
Session cookie	Identification of the user	Consent of the person concerned (Act CVIII of 2001 on certain issues of electronic commercial services and information society services (Elkertv.) Section 13/A. (3))

Stakeholders: All stakeholders visiting the website.

Duration of data management: The period until the end of the relevant visitor session.

Recipient categories: The Data Controller does not manage personal data using cookies.

8. Consumer protection complaint handling

In order to comply with the law, the Data Controller provides consumer protection complaint handling for those concerned, which can be done via the email address info@chilidresses.hu . Accordingly, within 30 days after the notification of the written complaint, the Data Controller is obliged to respond in writing and take action on the subject of the complaint.

Type of personal data	Purpose of data management	Legal basis
Surname and first name, E-mail address, Telephone number, Billing name and address	Administration, contact and identification of reported consumer complaints	Legal obligation

Stakeholders: All stakeholders who purchase on the webshop and complain about quality.

Duration of data management: Copies of the minutes, transcripts and the response to the objection taken in the CLV of 1997 on consumer protection. Act 17/A. Pursuant to § (7), it is necessary to keep it for 5 years.

Recipient categories: Personal data can be handled by the data controller's sales and marketing staff, respecting the above principles.

9. Use of Google Adwords conversion tracking

• The data controller uses the online advertising program called "Google AdWords", and also uses Google's conversion tracking service within its framework. Google conversion tracking is an analytics service of Google Inc. (1600 Amphitheater Parkway, Mountain View, CA 94043, USA; "Google").
• When a User accesses a website through a Google ad, a cookie required for conversion tracking is placed on their computer. The validity of these cookies is limited and they do not contain any personal data, so the User cannot be identified by them.
• When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User has clicked on the ad.
• Each Google AdWords customer receives a different cookie, so they cannot be tracked through the websites of AdWords customers.
• The information - obtained with the help of conversion tracking cookies - serves the purpose of creating conversion statistics for customers who choose AdWords conversion tracking. In this way, clients are informed about the number of users who click on their ad and are redirected to a page with a conversion tracking tag. However, they do not get access to information that could identify any user.
• If you do not wish to participate in conversion tracking, you can decline this by disabling the installation of cookies in your browser. After that, you will not be included in the conversion tracking statistics.
• Further information and Google's privacy statement are available at: google.de/policies/privacy/

10. Application of Google Analytics

• chilidresses.hu uses the Google Analytics application, which is a web analysis service of Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are saved on your computer, thus facilitating the analysis of the use of the website visited by the User.
• The information created by cookies related to the website used by the User is usually sent to and stored on one of Google's servers in the USA. By activating IP anonymization on the website, Google shortens the User's IP address beforehand within the member states of the European Union or in other states that are parties to the Agreement on the European Economic Area.
• The full IP address is transmitted to a Google server in the USA and shortened there only in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the User used the website, to prepare reports related to website activity for the website operator, and to provide additional services related to website and Internet use.
• Within the framework of Google Analytics, the IP address transmitted by the User's browser is not combined with other Google data. The User can prevent the storage of cookies by setting their browser accordingly, but please note that in this case, not all functions of this website may be fully usable. You can also prevent Google from collecting and processing the User's website usage data (including IP address) through cookies by downloading and installing the browser plugin available at the following link. https://tools.google.com/dlpage/gaoptout?hl=en

11. Provision of newsletter service

The Data Controller provides a newsletter service as follows:

XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity. Pursuant to § 6 of the Act, the User may give prior and express consent to contact the Service Provider with its advertising offers and other mailings at the contact details provided during registration.

In addition, the Customer may, bearing in mind the provisions of this information, consent to the Service Provider managing his personal data necessary for sending advertising offers.

The Service Provider does not send unsolicited advertising messages, and the User can unsubscribe from the sending of offers free of charge without limitation or justification. In this case, the Service Provider deletes all personal data necessary for sending advertising messages from its records and does not contact the User with further advertising offers. Users can unsubscribe from advertisements by clicking on the link in the message.

Type of personal data	Purpose of data management	Legal basis
Last name, first name, email address, date of registration, IP address used when registering	Identification, enabling subscription to the newsletter	Stakeholder consent

Stakeholders: Persons using the newsletter subscription option on the website.

Duration of data management: Data management can be terminated by withdrawing the data subject's consent.

Recipient categories: Employees performing administration related to the website.

12. Data collection related to social networking sites

The Data Controller may use Facebook / Google+ / Twitter / Pinterest / Youtube / Instagram and other social media platforms in order to collect a group of followers on that platform. Potential stakeholders are the persons who "Like" or "Follow" the website on the given social interface, using their public social profile.

Type of personal data	Purpose of data management	Legal basis
Name, profile picture registered on a social site	Sharing or promoting certain content elements, products, promotions or the website itself on social media sites	Stakeholder consent

Stakeholders: People who follow the webshop on social media

Duration of data management: The data subject can find out about the source of the data, its management, the method of transfer and its legal basis on the given social media page. Data management takes place on social networking sites, so the duration and method of data management, as well as the options for deleting and modifying data, are governed by the regulations of the respective social networking site.

Recipient categories: Employees performing sales and marketing activities related to the website.

V. Rights of data subjects

The data subjects can exercise their rights towards the Data Controller via the contact details below or by contacting the data protection officer directly:

FDRS Kft., 6000 Kecskemét, Kosztolányi Dezső utca 4.

1. Information

Everyone has the right to request information about the data we manage , in particular their source, the purpose, legal basis, duration of data processing, the name and address of the data processor and its activities related to data processing, the circumstances and effects of any data protection incident that may have occurred and the measures taken to prevent it, and in the case of data transmission its legal basis and addressee. Information can be requested at the provided contact details of the Data Controller or directly by contacting the data protection officer.

2. Access

You are entitled to receive feedback from the Data Controller as to whether your personal data is being processed , and if such data is being processed, you are entitled to access your personal data and the information listed in the regulation.

3. Correction

If the personal data does not correspond to reality, it can be requested to be corrected at the contact details of the Data Controller. If true personal data is available, the personal data will be corrected without undue delay.

4. Cancellation

You have the right to have the Data Controller delete your personal data without undue delay at your request, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:

• the processing of the data is illegal;
• The person concerned requests the deletion of his personal data, except in cases of mandatory data management;
• the data is incomplete or incorrect and this condition cannot be legally remedied, provided that deletion is not precluded by law;
• the purpose of data management has ceased or the deadline for storing the data has expired, unless the data carrier must be placed in archival custody;
• the deletion was ordered by a court or the Authority

5. Lockout

Instead of deletion, the Data Controller will block the personal data if you request it or if, based on the available information, it can be assumed that the deletion would harm your legitimate interests. The personal data locked in this way can only be processed as long as the data management purpose that precluded the deletion of the personal data exists.

6. Limitation

You have the right to have the data controller restrict data processing at your request if one of the following conditions is met:

• You dispute the accuracy of the personal data, in which case the limitation applies to the period that allows the controller to check the accuracy of the personal data;
• the data processing is unlawful and you object to the deletion of the data and instead request the restriction of its use;
• the data controller no longer needs the personal data for the purpose of data management, but you require them to submit, enforce or defend legal claims;
• You have objected to data processing; in this case, the limitation applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over your legitimate reasons.

7. Data portability

You have the right to receive the personal data about you that you have provided to a data controller in a segmented, widely used, machine-readable format , and you have the right to transfer this data to another data controller without hindrance from the data controller whose made the personal data available to you.

8. Protest

You can object to the processing of your personal data and request the termination of data processing or the deletion of processed data by submitting a written request to the Data Controller.

9. Automated decision-making in individual cases, including profiling

You have the right not to be subject to the scope of a decision based solely on automated data management, including profiling, which would have legal effects on you or would similarly significantly affect you.

The previous paragraph does not apply if the decision:

• It is necessary to conclude or fulfill the contract between you and the data controller;
• is made possible by EU or Member State law applicable to the data controller, which also establishes appropriate measures for the protection of your rights and freedoms, as well as your legitimate interests; obsession
• It is based on your express consent.

Action deadline

The data controller will inform you of the measures taken following the above requests without undue delay, but in any case within 1 month from the receipt of the request.

If necessary, this can be extended by 2 months . The data controller will inform you of the extension of the deadline, indicating the reasons for the delay , within 1 month of receiving the request.

If the data controller does not take measures following your request, it will inform you without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action , as well as the fact that you can file a complaint with a supervisory authority and exercise your right to judicial redress.

VI. Data security

We inform our Customers that the Data Controller takes care of the security of personal data and takes the technical and organizational measures and establishes the procedural rules necessary to implement the GDPR regulation and other data and privacy protection rules.

We handle personal data with the utmost care, strictly confidentially, only to the extent necessary to use the services, in the case of consent, in accordance with the provisions of the given person. We also ensure that the processed personal data:

• be protected against unauthorized access (data confidentiality)
• be accessible to those authorized to do so (availability)
• its authenticity and authentication must be ensured (authenticity of data management)
• its immutability can be verified (data integrity)

Another data security measure is that access to the admin interface of the online store is protected with a username and password.

1. Data protection incident register

In order to monitor the measures related to the data protection incident and to inform the Customers, we keep a register, which includes the scope of personal data concerned, the scope and number of those affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the legislation prescribing data management specified other data.

2. Informing those concerned about the data protection incident

If the data protection incident likely involves a high risk for the rights and freedoms of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay.

In the information provided to the data subject, the nature of the data protection incident must be clearly and comprehensibly described, and the name and contact details of the data protection officer or other contact person providing additional information must be provided; the likely consequences of the data protection incident must be described; the measures taken or planned by the data controller to remedy the data protection incident must be described, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

The data subject does not need to be informed if any of the following conditions are met:

• the data controller has implemented appropriate technical and organizational protection measures , and these measures have been applied to the data affected by the data protection incident, in particular those measures - such as the use of encryption - that make the personal data unintelligible to persons not authorized to access the personal data data;
• after the data protection incident, the data controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future ;
• providing information would require a disproportionate effort . In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.

If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to involve a high risk, may order the data subject to be informed.

3. Informing the authority about the data protection incident

The data controller shall report the data protection incident to the competent supervisory authority pursuant to Article 55 without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to the rights of natural persons and freedoms. If the notification is not made within 72 hours, the reasons justifying the delay must also be attached.

4. Review in case of mandatory data management

If the duration of mandatory data management or the periodic review of its necessity is not determined by law, local government decree or a mandatory legal act of the European Union, the data controller shall review at least every three years from the start of data management that the personal data managed by him or by a data processor acting on his behalf or at his direction whether its management is necessary for the realization of the purpose of data management.

The data manager documents the circumstances and results of this review, keeps this documentation for ten years after the review has been completed and makes it available to the Authority at the request of the National Data Protection and Freedom of Information Authority (hereinafter: the Authority).

VII. Remedies

Legal remedies and complaints can be made at the National Data Protection and Freedom of Information Authority .

• Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
• Delivery address: 1350 Budapest, Pf.: 5.
• Phone: +3613911400
• Fax: +3613911400
• E-mail: ugyfelszolgalat@naih.hu
• Website: http://www.naih.hu

Date and effective date of this data management information: January 19, 2021.

Previous Data Management Information versions:

• v1