JPF World Kft, (address: 1016 Budapest, Orom utca 20/B, EU tax number: HU25053328, company registration number: 01-09-197016), hereinafter referred to as data controller, accepts to be bound by the contents of the following declaration.   The data subjects may ask for the detailed regulations of data processing at the registered office of the company and in an electronic form using the contact addresses of the company specified in the Regulations on data protection and security.

The declaration on data processing in connection with the commercial service of the Judit Polgar Webshop and the guidelines relating to its data processing can be continuously accessed at the webshop.polgarjudit.hu website.

The data controller processes the data recorded in connection with its services in accordance with Act CXII of 2011, with utmost care, and shall do everything in its power to guarantee their security. The basic principles of data processing are in line with the effective legislation, which the data controller considers to be binding upon itself and shall abide by it. 

I. The data controller:
Name of the company: JPF World Kft.
Registered office: 1016 Budapest, Orom utca 20/B
Mailing address: 1016 Budapest, Orom utca 20/B
Tax number: HU25053328
Company registration number: 01-09-197016
Electronic contact details (e-mail address): webshop@polgarjudit.hu
Telephone number: +36709053232

II. Definitions: 
1. Personal data: data relating to a given natural person (hereinafter referred to as the data subject) from which consequences relating to the data subject may be drawn. In the course of data processing, the personal data shall be treated as personal as long as the data subject remains identifiable through it.

2. The data subject's consent: any freely and expressly given specific and 
informed indication of the will of the data subject by which they clearly indicate their agreement to personal data relating to them being processed fully or to the extent of specific operations;

3. Objection by the data subject: declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the deletion of the data processed;

4. Data controller: a natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes of the processing of data; makes and executes decisions concerning data processing (including the means used) or has it executed by the data processor;

5. Data processing: any operation or the sum of operations performed on 
the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destroying the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);

6. Data transfer: ensuring access to the data for a certain third party;

7. Disclosure: ensuring open access to the data for anyone; 

8. Data deletion: making data unrecognisable in a way that it can never again 
be restored;

9. Tagging data: marking data with a special ID tag to differentiate it;

10. Blocking of data: marking data with a special ID tag to restrict its further processing for good or for a certain period of time;

11. Data destruction: complete physical destruction of the data media containing the data;

12. Data process: performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;

13. Data processor: any natural or legal person or organisation without legal 
personality processing the data on the basis of a contract, including contracts concluded pursuant to legislative provisions;

14. Data source: a body undertaking public responsibility which generated the data of public interest that must be disclosed through electronic means, or during whose course of operation the data was generated;

15. Data disseminator: a body undertaking public responsibility which uploads the data to a website sent by the data source, if the data source itself has not published these data;

16. Data set: all data processed in a single file;

17. Third party: any natural or legal person or organisation without legal personality other than the data subject, the data controller or the data processor;

18. EEA Member State: any Member State of the European Union and any State which is party to the Agreement on the European Economic Area, as well as any State the nationals of which enjoy the same legal status as nationals of States which are parties to the Agreement on the European Economic Area, based on an international treaty concluded between the European Union and its Member States and a State which is not party to the Agreement on the European Economic Area;

19. Third country: any state that is not an EEA Member State;

20. Binding organizational rules: a set of internal data protection rules accepted by a data controller or a group of data controllers pursuing activities in several countries but among them in at least one EEA Member State and approved by the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority), which is binding for the data controller or the group of data controllers and in the case of data transfer to a third country ensures the protection of personal data through a unilateral commitment of the data controller or the group of data controllers;

21. Data protection incident: illegal processing or handling of personal data, especially wrongful access, modification, transfer, disclosure, deletion or destruction, accidental destruction and damage of the data.

III. Basic principles
1. Personal data may be processed only for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The data processing shall suit the purpose of data processing at every stage, and the data shall be recorded and processed fairly and lawfully.

2. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable for achieving that purpose. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.

3. In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall be considered identifiable through the data if the data controller is in possession of the technical requirements which are necessary for such identification.

4. Personal data may be processed under the following circumstances:
1.a) if the data subject has given their consent to it, or 
2.b) when processing is necessary as decreed by law or by a local authority based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest (hereinafter referred to as “mandatory data processing”).

5. The personal data in question are accurate, complete and if necessary, are timely.

6. They are recorded and processed fairly and lawfully.

7. They are stored in such a way that allows identification of the data subject only for the purpose and duration of storage.

8. It is prohibited to use a general and uniform personal identifier which may be used without limitations.

9. Personal data can be forwarded or handed over by data controllers or data processors to data controllers performing data processing in third countries only with the explicit consent of the data subject, or in doing so, they act in accordance with the provisions of effective law.

10. The transfer of data to EEA Member States has to be viewed as if the forwarding of the data had taken place within the territory of Hungary.

IV. The purpose of data processing, the processed data and the legal basis of data processing
The data processing in connection with the service provided by the data controller is based on a voluntary consent (Act CVIII of 2001 13/A), the purpose of which is to ensure the service specified in the general terms and conditions of the service.

1. Processed data during the trial of the service: name and e-mail address. The above pieces of data are necessary for ensuring the possibility to try out the service.

2. Processed data in the case of a subscription: Name/name of the company, e-mail address, telephone number, bank account number, tax number, mailing and billing address and name of the contact person. It is necessary to provide the above data to fulfil the obligations for administration and registration in connection with the provided service.

3. Data to be provided in case of a purchase: name/company name, delivery/billing address, telephone number, tax number and e-mail address.

4. Purpose of processing of the customer's data: The service provider does not process the data specified in section 5.3, it shall only store them and ensure the opportunity to process them for the subscriber of the service. Personal data shall be recorded for the purpose of fulfilling the order and to be able to contact the customer.

Under the effective legislation, throughout the collecting of the data specified in sections 5.3 and 5.4, the service provider shall be regarded as a data processor, therefore it is the responsibility of the Subscriber to  provide information and to guarantee that the data subjects are informed in accordance with the law. Every individual, sole proprietorship or partnership which uses and subscribes to the startuzlet.hu webshop service shall be deemed a Subscriber. The subscription may be ordered after a free trial, via the administrative interface of the webshop. 

V. The term of data processing
1. The term of the processing of the data specified in sections 5.1 and 5.2 is 8 years.

2. The term of the processing of data mentioned in sections 5.3 and 5.4 is 3 months after the closure of the connection.

VI. Technical features of data storage:
1. The data controller shall choose and operate the electronic telecommunications equipment used throughout service provision in a way that: 
a) the processed data is accessible to those entitled to it (availability);
b) the authenticity and authentication of the processed data is ensured (the authenticity of data processing)
c) it can be proven that the data is unchanged (integrity of the data);
d) the data is protected against wrongful access (the confidentiality of the data)

2. The data controller shall store the data on their IT tools at their registered office and on the servers operated by Esolution Kft., and located at Doclerweb Kft.

The data controller shall not use any cloud storage services.

VII. Data security requirements:
1. The data controller shall take such technical and organizational measures in order to ensure the security of data processing and the protection of data, which ensure a protection level corresponding to the risks of data processing, and it shall also strive to establish its information security system in accordance with the provisions of Act L. of 2013.  

2. The data controller has planned and shall perform the processes in a way that throughout the application of legislation and other regulations pertaining to data processing, it shall ensure the protection of the data subjects' privacy.

3. When determining and taking measures to protect the security of the data, the data controller shall at all times take into consideration the current state of technological development. In case of multiple options, it shall choose the solution which guarantees the highest level of protection, unless the solution puts a disproportionate burden on the data controller.

VIII. Information provisions
1. In order to use the service, cookies must be allowed. If you do not wish to allow cookies, you can disable them in the settings of your browser. If cookies are disabled, certain parts of the service can only be used partly or not at all. Cookies are files sent by the server to the user's browser and stored by the user's computer. Personal data are not stored in cookies.

2. The service uses an external statistical tool recording and logging data on visits and the visitors' habits for the purpose of preparing reports. The service provider uses the Google Analytics system. Google's privacy policy can be accessed by clicking the following link: http://www.google.hu/intl/hu/policies/privacy/

3. The data controller utilises interest-based advertising (Google Adwords), whose data protection guidelines and setting options may be accessed here: http://www.google.com/settings/ads

4. The data controller shall preserve the electronic messages sent to it for a period of 8 years.

5. The data controller shall answer requests for deletion or modification of data within 8 days, using the same form of communication as the request.

IX. Procedure in the case of wrongful data processing
1. If, during the course of a criminal procedure, the court has ordered the data to be rendered temporarily inaccessible,  the data controller shall take measures in order to ensure the removal of the electronically disclosed illegal data within one working day upon receipt of the order, in a way that the data can later be restored.  

2. If, during the course of a criminal procedure, the court has ordered the data to be rendered inaccessible for good,  the data controller shall take measures in order to ensure the removal of the electronically disclosed illegal data within one working day upon receipt of the order served by a bailiff, in a way that the data cannot be restored.

3. Those obliged to render data inaccessible temporarily of for good are obliged to inform the users about the legal basis of the removal or inaccessibility of the content, at the same time indicating the name of the court and the number of the court decision.

4. If the court lifts the temporary inaccessibility of the data or obliges the service provider to restore the electronic data after the conclusion of the criminal procedure, the service provider shall restore the accessibility of the data within one day upon receipt of the court order.

5. If unlawful content was reported, the Service Provider has the right to immediately block the public interface of the Subscriber's webshop until the unlawful content is removed. In the case of such a report, the Service Provider shall comply with the provisions of Act CVIII. of 2001 on E-commerce and Certain Issues Regarding Information Society Services. 

X. Objection to processing personal data
1. The data subject shall have the right to object to the processing of their personal data:
a) if processing or transfer of the personal data is carried out solely for the purpose of fulfilling the data controller’s legal obligation or for enforcing the legitimate interests of the data controller, the recipient or a third party, unless processing is mandatory;
b) if the personal data is used or transferred for the purposes of direct marketing, public opinion polling or scientific research; or
c) in all other cases prescribed by law.

2. In the event of objection, the controller shall investigate the cause of objection within the shortest possible time within a 15 day period, adopt a decision as to its reasonability and shall notify the data subject in writing of its decision.

3. If, according to the findings of the controller, the data subject’s objection is justified, the controller shall terminate all data processing operations (including further data collection and transmission), block the data involved and notify all recipients to whom any of the personal data affected by the objection had previously been transferred and who are obligated to take steps for the right to objection to be enforced.

4. If the data subject disagrees with the decision taken by the data controller under Subsection (2), or if the controller fails to meet the deadline specified in Subsection (2), within 30 days of the delivery date of the decision or from the last day of the deadline,  the data subject shall have the right to turn to the courts as specified in section 22 of Act CXII. of 2011.

5. If data that are necessary for the enforcement of the data recipient’s rights are withheld due to the data subject’s objection, under section 22 of Act CXII. of 2011, in order to obtain the data, the data recipient shall have the right to turn to the courts against the data controller within 15 days from the date the decision is delivered under Subsection (3). The controller is authorised to also summon the data subject to court.

6. If the data controller fails to send notice as specified in Subsection (3), the data recipient shall have the right to request information from the controller concerning the circumstances of non-disclosure of the data, upon which the controller shall make available the information requested within 8 days of receipt of the data recipient’s request. Where information had been requested, the data recipient may bring an action against the controller within 15 days from the date of receipt of the information, or from the deadline prescribed. The controller is authorised to also summon the data subject to court.

7. The controller shall not delete the data of the data subject if processing has been prescribed by law. However, data may not be transferred to the data recipient if the controller 
agrees with the objection or if the court has found the objection justified.

XI. Judicial remedy
1. Data controllers shall be liable for any damage caused to others as a result of unlawful processing of the data subject's data or by any breach of data security requirements.

2. If, through an unlawful processing of the data subject's data or through the breach of data security requirements, the data controller infringes the personality rights of the data subject, the data subject may request a penalty from the data controller.

3. The data controller shall also be liable to the data subject for any damage caused by the data processor and the data controller is also obliged to pay to the data subject the penalty for the infringement of the data subject's personality rights caused by the data processor. The data controller may be exempted from liability and the payment of the penalty for the damages caused if it proves that the damage or the infringement of the data subject's personality rights was caused by reasons beyond its control.

4. No compensation or penalty shall be claimed, where the damage or the infringement of the data subject's personality rights was caused by intentional or serious negligent conduct on the part of the aggrieved party or the data subject.

National Authority for Data Protection and Freedom of Information
Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Mailing address: 1530 Budapest, Pf.: 5.
Telephone number +36 (1) 391-1400
Internet: http://naih.hu/kapcsolat.html
E-mail: ugyfelszolgalat@naih.hu