PRIVACY POLICY

Effective from 25th October 2024

on the Controller’s data processing activities on its websites (www.blshop.hu; https://kronika.hu/; https://www.hungarianconservative.com/; http://www.hungarianreview.com/).

Datas of Controller  (hereinafter referred to as „Controller”)
Name:	BL Nonprofit Korlátolt Felelősségű Társaság
Seat:	HU-1067 Budapest, 24 of Eötvös street Floor 1 door 16
Registry No.:	01-09-947934
Tax No.:	22990600-2-42
Represented by:	dr. Gergő Kereki CEO
E-mail:	blpress@blpress.hu
Phone:	0036 70 627 9086

• Governing law about data controlling

• Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “Regulation” or “GDPR”), and
• Act CXII of 2011 on Freedom of Information (hereinafter referred to as: “Infotv.”). 

• The purpose of this Policy

• This Policy applies to the processing of personal data provided by natural persons (hereinafter referred to as the “User“) using the website www.blshop.hu (hereinafter referred to as the “Website“).
• The purpose of this Policy is to comply with the law on data processing and to provide users of the website with as much information as possible.
• Failure by the Controller to provide, or failure to provide, the personal data recorded by the Controller in this Policy does not create a contract between the Controller and the User. The transfer of personal data is based on a contract with the Controller.

• Definitions:

• “Data subject” is a natural person who is or can be identified on the basis of any information.
• “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
• “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.
• “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
• “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

• Legal basis for processing

The processing of personal data is lawful only if and to the extent that

• Article 6(a) of the Regulation: the data subject (user) has given his or her consent to the processing of his or her personal data for one or more specific purposes.
• Article 6(b) of the Regulation: processing is necessary for the performance of a contract to which the data subject (user) is party or in order to take steps at the request of the data subject (user) prior to entering into the contract.
• Article 6(c) of the Regulation: processing is necessary for compliance with a legal obligation to which the Controller is subject.

Where the legal basis for the processing is the user’s consent, the user shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing based on the consent prior to its withdrawal.

• User activities giving rise to data processing

(A) Using the website (with or without registration)
Data subject	The User
The scope of the data processed	IP address, the exact time of visiting the website
The purpose of the processing	providing online content, ensuring the use of the website, ensuring the smooth operation of the site, making the services provided on the website available, providing statistics
The legal basis of processing	Article 6 a) of the Regulation – consent of the user (which can be withdrawn in the user’s browser)
Recipient (to whom the data will be communicated)	Controller and Google Inc. (Privacy Policy: https://policies.google.com/privacy?hl=hu)
Duration of data storage	Until consent is withdrawn

 

(B) Subscription/purchase via the website
Data subject	the subscribing user
The scope of the data processed	Full name, billing address, delivery address, email address, telephone number (name and delivery address of recipient for gift purchases)
The purpose of the processing	Conclusion of the contract for the sale of the product selected by the user and ordered on the website, performance of related tasks (e.g. delivery), performance of legal obligations related to the sale of the product (e.g. invoicing).
The legal basis of processing	Article 6(b) of the Regulation – conclusion and performance of contracts
Recipient (to whom the data will be communicated)	Controller and these Processors: Payment service provider: Stripe Inc. (Privacy Policy: https://stripe.com/en-hu/privacy); Package delivery:  GLS Hungary Kft. (Privacy Policy: https://gls-group.com/HU/hu/adatkezelesi-tajekoztato/); Magyar Posta Zrt. (Privacy Policy: https://www.posta.hu/adatkezelesi_tajekoztato); Post2ME Kft. (Privacy Policy: https://www.post2me-fulfillment.eu/resources/post2me_Adatkezel%C3%A9si%20Szab%C3%A1lyzat_2021.pdf ); Billing: BMD Rendszerház Kft. (Privacy Policy: https://www.bmd.com/hu/siteservice/adatvedelem.html); Hosting provider: Netdoor Kft. (https://serverkraft.hu/download/adatvedelmi-szabalyzat/)
Duration of data storage	Records will be kept for 30 days from the date of termination of the subscription, or 30 days in the case of a single purchase, and for 8 years.

 

(C) Complaint handling
Data subject	the complaining user or third party
The scope of the data processed	name, e-mail address (contact address for complaints by post)
The purpose of the processing	complaint handling, identification of the user or third party concerned, contact, handling of the complaint in accordance with the law, verification of compliance with the law
The legal basis of processing	Article 6(c) of the Regulation – compliance with a legal obligation
Recipient (to whom the data will be communicated)	Controller
Duration of data storage	3 years from the date the case was closed

Users are reminded that some of their activities under this point may give rise to processing for more than one purpose, which is in compliance with the Regulation, as the user gives specific consent for the different purposes of processing.

• User’s data protection rights

The user can ask the Controller to do this:

1. information on the purposes and categories of personal data processed, on the conservation period, on your rights, on your right to lodge a complaint and on the source of the data,
2. the rectification and erasure of your personal data
3. the restriction of processing to a specified scope
4. to be informed if personal data are modified or transferred to a third party
5. the blocking of personal data
6. the exercise of the right to data portability
7. prohibition or restriction of the use of profiling and automated data processing
8. to object to the processing of his/her personal data.

The Controller does not engage in profiling, automated decision-making or processing of personal data for purposes of public interest or in the exercise of official authority.

Right to information: the Controller shall provide the data subject, upon request, with information concerning the data processed by the Controller or by a processor appointed by or on behalf of the Controller, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing and, in the event of a transfer of personal data of the data subject, the legal basis and the recipients of the transfer.

The Controller shall respond to a request for information in writing and in an intelligible form within the shortest possible time from the date of the request and in any event within 30 days. The information shall be provided free of charge if the person requesting the information has not already made a request to the Controller for the same set of data in the current year. In other cases, the Controller may charge a fee:

• the data subject repeatedly requests information/action with essentially unchanged content
• the request is manifestly unfounded
• the request is excessive.

Right to rectification: If the personal data is inaccurate and the accurate personal data is available to the Controller, the Controller shall correct the personal data.

Right to data portability: The data subject has the right to obtain the personal data relating to him or her which he or she has provided to the Controller in a machine-readable format and to have that data transmitted to another Controller without hindrance from the Controller to whom he or she has provided the personal data.

Right to erasure: Personal data must be erased if

1. its processing is unlawful
2. at the request of the data subject
3. it is incomplete or inaccurate, a situation which cannot be lawfully remedied, provided that unless erasure is excluded by law
4. the purpose of the processing has ceased to exist or its retention is unlawful or in breach of the law; or the time limit laid down by law has expired; or
5. it has been ordered by a court or supervisory authority.

Right to block data: Instead of erasure, the Controller shall block personal data if the data subject so requests or if the information available to the Controller indicates that erasure would undermine the data subject’s legitimate interests. The blocked personal data may be processed only for as long as the purpose of the processing which precluded the erasure of the personal data is fulfilled.

Right to restrict processing: at the request of the data subject, the Controller shall restrict processing if the data subject contests the accuracy of his or her personal data, if the processing is unlawful but the data subject opposes its erasure, if the Controller no longer needs the personal data but the data subject needs it for the establishment, exercise or defence of legal claims.

Rectification, blocking, referencing and erasure must be notified to the data subject and to all those to whom the data have previously been disclosed for processing. Notification may be omitted if it does not undermine the data subject’s legitimate interests having regard to the purposes of the processing. If the Controller does not comply with the data subject’s request for rectification, blocking or erasure, he shall, within 25 days of receipt of the request, provide in writing the factual and legal reasons for refusing to rectify, block or erase the data. In the event of a refusal of a request for rectification, erasure or blocking, the Controller shall inform the data subject of the possibility of judicial remedy and of recourse to a supervisory authority.

• Legal remedies

If the data subject is in doubt as to the lawfulness of the processing of his or her personal data, it is recommended that the data subject first contact the Controller using one of the Controller’s contact details in order to resolve the complaint promptly and amicably.

The Controller shall, as soon as possible and in any event not later than 25 days after the submission of the request by the data subject, examine the request, decide whether it is justified and inform the applicant in writing of its decision.

If the Controller finds that the data subject’s objection is justified, the Controller shall terminate the processing, including any further collection and transmission, and block the data and notify the objection and the measures taken on the basis of the objection to all those to whom the personal data concerned by the objection were previously disclosed and who are obliged to take measures to enforce the right of objection.

If the data subject does not agree with the decision taken by the Controller, if the Controller does not comply with the above time limit, or if the data subject considers that the Controller or a processor appointed or instructed by the Controller or the Controller has infringed the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union, the data subject may, at his or her choice, bring the matter before a supervisory authority or a court. It is for the Controller to prove that the processing complies with the law. It is for the recipient to prove the lawfulness of the transfer.

The court (Törvényszék) has jurisdiction to hear the case. The action may also be brought, at the option of the person concerned, before the court of the place of residence or domicile of the person concerned. A person who does not otherwise have legal capacity may be a party to the proceedings. The National Authority for Data Protection and Freedom of Information may intervene in the proceedings to ensure that the data subject is successful.

If the Controller causes damage to another person by unlawfully processing the data subject’s data or by breaching data security requirements, the Controller must compensate for the damage. If the Controller violates the data subject’s right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from the Controller. The Controller shall be liable to the data subject for the damage caused by the processor, and the Controller shall also be liable to the data subject for the damage caused to the data subject by the processor. The Controller shall be exempted from liability for the damage caused and from the obligation to pay compensation if he proves that the damage or the violation of the data subject’s personality rights was caused by an unavoidable cause outside the scope of the processing. No compensation shall be due and no damages shall be payable if the damage or the violation of the personality rights of the data subject was caused by the intentional or grossly negligent conduct of the data subject.

• Data breaches

The data protection incident shall be notified by the Controller to the supervisory authority without undue delay and at the latest within 72 hours of the data protection incident coming to the attention of the Controller, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall notify the data subject of the personal data breach without undue delay. The information shall clearly and conspicuously state the contact details of the Controller or its contact person, the nature of the personal data breach, the likely consequences of the personal data breach, the measures taken or envisaged to remedy the personal data breach and the measures to mitigate any adverse legal consequences.

The Controller must keep a record of all data protection incidents for the purposes of possible audits and informing the data subject. The records must include the amount of personal data involved, the number and type of data subjects affected by the personal data breach, the date, circumstances, effects and measures taken to remedy the personal data breach, as well as other information required by law.

• Final provisions

This policy is effective from the date of its publication and the Controller reserves the right to amend it from time to time.