Privici Policy - Lestyán Gasztro&Bár

PRIVACY POLICY

Introduction

Hegyalja Gasztro Kft. (registered office: 3909 Mád, Szabadság tér 23; tax ID: 32577633-2-05; company registration number: 32577633-2-05) (hereinafter: Service Provider, Data Controller) hereby submits to the following privacy notice.

REGARDING THE PROTECTION OF NATURAL PERSONS WITH RESPECT TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA, AND REPEALING DIRECTIVE 95/46/EC (GENERAL DATA PROTECTION REGULATION) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016), we provide the following information.

This privacy policy governs the processing of data on the following website: https://lestyan.com

The privacy policy is available at the following address: https://lestyan.com/adatvedelem

Amendments to this policy take effect upon publication at the above address.

The data controller and its contact information:

Name: Hegyalja Gasztro Kft.
Registered office: 3909 Mád, Szabadság tér 23.
Email: lestyanrestaurant@gmail.com
Phone: +36 30 599 9924

Translated with DeepL.com (free version)

Definitions

“personal data”: any information relating to an identified or identifiable natural person (“data subject”); “identifiable” means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;

“controller”: the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, Union or Member State law may also determine the controller or specific criteria for designating the controller;

“processor”: a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller;

“recipient”: a natural or legal person, public authority, agency, or any other body to whom or which personal data is disclosed, whether or not that body is a third party. Public authorities that have access to personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

“consent of the data subject”: a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed.

Principles Governing the Processing of Personal Data

Personal data:

must be processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);

must be collected only for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; in accordance with Article 89(1), further processing for archiving in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the original purpose (“purpose limitation”);

the purposes of the data processing must be appropriate and relevant to the purposes of the data processing and must be limited to what is necessary (“data minimization”);

they must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay (“accuracy”);

Personal data must be stored in a form that allows for the identification of data subjects only for as long as is necessary to achieve the purposes of the processing; personal data may be stored for a longer period only if the processing is carried out for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of data subjects (“limited storage”);

processing must be carried out in such a manner that appropriate technical or organizational measures ensure the adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage (“integrity and confidentiality”).

The data controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).

Data Processing

Data processing related to the operation of the website
The fact of data collection, the scope of the data processed, and the purpose of data processing:

Personal data
Purpose of data processing
To enable secure access to the user account.
First and last name
Required for contacting you, making a purchase, and issuing a valid invoice.
Email address
To maintain contact and more efficiently coordinate issues related to billing or shipping.
Billing name and address

To issue a valid invoice, as well as to create the contract, define its content, modify it, monitor its fulfillment, invoice the resulting fees, and enforce related claims.

Shipping name and address

To enable home delivery.

Date of purchase/registration

To perform technical operations.

IP address at the time of purchase/registration

To perform technical operations.

In the case of an email address, it is not necessary for it to contain personal data.

Data subjects: All data subjects who have registered or made a purchase on the webshop website.

Duration of data processing, deadline for data deletion: Immediately upon cancellation of registration. The data controller shall notify the data subject electronically of the deletion of any personal data provided by the data subject, in accordance with Article 19 of the GDPR. If the data subject’s request for erasure also extends to the email address provided by them, the data controller will also delete the email address following the notification. Except in the case of accounting documents, as accounting

Accounting documents that directly or indirectly support the accounting entries (including general ledger accounts, analytical records, and detailed records) must be retained in a legible form for at least 8 years, in a manner that allows them to be retrieved based on references in the accounting records.

Identity of potential data controllers authorized to access the data, and recipients of personal data: Personal data may be processed by the data controller’s sales and marketing staff, in compliance with the above principles.

Description of data subjects’ rights regarding data processing:

The data subject may request from the data controller access to personal data concerning him or her, the rectification, erasure, or restriction of processing of such data, and
may object to the processing of such personal data, as well as
the data subject has the right to data portability and to withdraw consent at any time.

The data subject may initiate access to personal data, their erasure, rectification, or restriction of processing, data portability, and objection to data processing in the following ways:
by mail at 1112 Budapest, Örség u. 13,
by email at info@heelgood.hu.

Legal basis for data processing:

Article 6(1)(b) of the GDPR,

Section 13/A(3) of Act CVIII of 2001 on Certain Issues Concerning Electronic Commerce Services and Information Society Services (hereinafter: Elker tv.)

The service provider may process personal data that is technically essential for the provision of the service. Where other conditions are identical, the service provider shall select and, in all cases, operate the means used in the provision of information society services in such a manner that personal data are processed only if this is absolutely necessary for the provision of the service and the fulfillment of other purposes specified in this Act; however, even in such cases, only to the extent and for the duration necessary.

In the case of issuing an invoice in accordance with accounting regulations, Article 6(1)(c).

In the case of the enforcement of claims arising from a contract, 5 years pursuant to Section 6:21 of Act V of 2013 on the Civil Code.

Section 6:22 [Statute of Limitations]

(1) Unless otherwise provided by this Act, claims shall be barred by the statute of limitations after five years.

(2) The statute of limitations begins to run when the claim becomes due.

(3) Any agreement to modify the statute of limitations must be in writing.

(4) Any agreement excluding the statute of limitations is void.

Please be advised that data processing is necessary for the performance of the contract. You are required to provide your personal data so that we can fulfill your order. Failure to provide this information will result in our inability to process your order.

Data processor used

Delivery

Activities performed by the data processor: Product delivery, transportation

Name and contact information of the data processor:

Fact of data processing, scope of data processed: Delivery name, delivery address, phone number, email address.

Scope of data subjects: All data subjects requesting home delivery.

Purpose of data processing: Home delivery of the ordered product.

Duration of data processing, deadline for data deletion: Until the home delivery is completed.

Legal basis for data processing: Article 6(1)(c).

Web hosting services

Activity performed by the data processor: Web hosting services

Name and contact information of the data processor:

Name: Tárhely.Eu Szolgáltató Kft.
Registered office: 1097 Budapest, Könyves Kálmán körút 12-14.
Phone number: +36 1 789-2-789
Company registration number: 01-09-909968
Tax ID: 14571332-2-42
Email: support@tarhely.eu

Fact of data processing, scope of processed data: All personal data provided by the data subject. Scope of data subjects: All data subjects using the website.

Purpose of data processing: To make the website available and ensure its proper operation.

Duration of data processing, deadline for data deletion: Data processing continues until the termination of the agreement between the data controller and the hosting provider, or until the data subject submits a deletion request to the hosting provider.

Legal basis for data processing: Article 6(1)(c) and (f), and Section 13/A(3) of Act CVIII of 2001 on certain issues concerning electronic commerce services and information society services.

Cookie Management

Cookies typical of online stores include so-called “cookies used for password-protected sessions,” “cookies necessary for shopping carts,” and “security cookies,” for which prior consent from data subjects is not required.

Fact of data processing, scope of processed data: Unique identifier, dates, times. Scope of data subjects: All data subjects visiting the website.

Purpose of data processing: Identification of users.

Duration of data processing, deadline for data deletion:

Cookie type

Legal basis for data processing

Data processing

Scope of data processed

Session cookies (session)

Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Elkertv.)

The period

until the end of the relevant

visitor session

connect.sid

Identity of potential data controllers entitled to access the data: The data controller does not process personal data through the use of cookies.

Description of data subjects’ rights regarding data processing: Data subjects have the option to delete cookies in their browser’s Tools/Settings menu, typically under the Privacy settings.

Legal basis for data processing: Consent from the data subject is not required if the sole purpose of using cookies is the transmission of communications via an electronic communications network, or if the service provider absolutely needs them to provide an information society service explicitly requested by the subscriber or user.

Use of Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies,” which are text files stored on your computer, to help analyze how users use the website.

The information generated by the cookies regarding your use of this website is usually transmitted to and stored on a Google server in the United States. By activating IP anonymization on this website, Google will shorten your IP address beforehand within member states of the European Union or in other states party to the Agreement on the European Economic Area.

The full IP address is only transmitted to a Google server in the U.S. and shortened there in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate how the User has used the website, to compile reports for the website operator regarding website activity, and to provide other services related to website and internet usage.

Within the framework of Google Analytics, Google does not associate the IP address transmitted by the User’s browser with any other data held by Google. The User may prevent the storage of cookies by adjusting the settings in their browser; however, please note that in this case, not all features of this website may be fully available. You can also prevent Google from collecting and processing data related to your use of the website (including your IP address) via cookies by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

Newsletter, Direct Marketing

Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities, the User may give prior and express consent for the Service Provider to contact them via the contact details provided at registration with advertising offers and other communications.

Furthermore, subject to the provisions of this notice, the Customer may consent to the Service Provider processing their personal data necessary for sending advertising offers.

The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving such offers free of charge, without restriction or justification. In this case, the Service Provider will delete all personal data necessary for sending advertising messages from its records and will not contact the User with further advertising offers. The User may unsubscribe from advertisements

The fact of data collection, the scope of the data processed, and the purpose of data processing:

Personal data

Purpose of data processing

Name, email address.

Identification, enabling subscription to the newsletter.

Date of subscription

Execution of a technical operation.

IP address at the time of subscription

Execution of a technical operation.

Scope of data subjects: All data subjects who subscribe to the newsletter.

Purpose of data processing: Sending electronic messages containing advertisements (email, SMS, push notifications) to the data subject; providing information about current news, products, promotions, new features, etc.

Duration of data processing, deadline for data deletion: Data processing continues until the consent statement is withdrawn, i.e., until the data subject unsubscribes.

Identity of potential data controllers authorized to access the data, recipients of personal data: Personal data may be processed by the data controller’s sales and marketing staff, in compliance with the above principles.

Description of the data subject’s rights regarding data processing:

Data subjects may exercise their rights to access, delete, modify, or restrict the processing of their personal data, as well as their right to data portability and the right to object to data processing, in the following ways:
by mail to 3909 Mád, Szabadság tér 23.
by email to lestyanrestaurant@gmail.com.

The data subject may unsubscribe from the newsletter at any time, free of charge.

Legal basis for data processing: the data subject’s consent, Article 6(1)(a) and (f), and Section 6(5) of Act XLVIII of 2008 on the Fundamental Conditions and Certain Restrictions of Commercial Advertising Activities:

The advertiser, the advertising service provider, and the publisher of the advertisement shall maintain a record of the personal data of the persons who have provided a statement of consent to them, within the scope specified in the consent. The data recorded in this register—relating to the recipient of the advertisement—may only be processed in accordance with the terms of the consent statement until such consent is withdrawn, and may only be disclosed to third parties with the prior consent of the data subject.

Please be advised that

Data processing is based on your consent. You are required to provide your personal data if you wish to receive our newsletter. Failure to provide this data will result in our inability to send you the newsletter.

Customer Complaints

The fact of data collection, the scope of data processed, and the purpose of data processing:

Personal data

Purpose of data processing

First and last name

Identification, communication.

Email address

Billing name and address

Identification; handling quality complaints, questions, and issues related to ordered products.

Scope of data subjects: All data subjects who make purchases on the website, visit the website, or submit quality complaints or grievances.

Duration of data processing, deadline for data deletion: Copies of the record of the complaint, the transcript, and the response thereto must be retained for 5 years pursuant to Section 17/A(7) of Act CLV of 1997 on Consumer Protection.

Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller’s sales and marketing staff, in compliance with the above principles.

Description of data subjects’ rights regarding data processing:

Legal basis for data processing: Article 6(1)(c) and Section 17/A(7) of Act CLV of 1997 on Consumer Protection.

Please be advised that the provision of personal data is based on a contractual obligation.
The processing of personal data is a prerequisite for entering into the contract.
You are required to provide personal data so that we can process your complaint.
failure to provide such data will result in our inability to process the complaint you have submitted to us.

Social Media Platforms

Fact of data collection, scope of processed data: Your name registered on social media platforms such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., as well as your public profile picture.

Scope of data subjects: All data subjects who have registered on social media platforms such as Facebook/Google+/Twitter/Pinterest/YouTube/Instagram, etc., and have “liked” the website.

Purpose of data collection: Sharing, “liking,” or promoting specific content elements, products, promotions, or the website itself on social media platforms.

Duration of data processing, deadline for data deletion, identity of potential data controllers authorized to access the data, and description of data subjects’ rights regarding data processing: The data subject may obtain information about the source of the data, its processing, the method of transfer, and the legal basis on the relevant social media platform. Data processing takes place on social media platforms; therefore, the duration and method of data processing, as well as the options for deleting and modifying data, are governed by the terms of service of the respective social media platform.

Legal basis for data processing: the data subject’s voluntary consent to the processing of their personal data

Customer Relationships and Other Data Processing

If you have any questions or encounter any issues while using our services, you may contact the data controller via the methods listed on our website (phone, email, social media, etc.).

The Data Controller will delete the data received via email, messages, telephone, Facebook, etc., along with the name and email address of the interested party and any other personal data voluntarily provided, no later than two years after the data was provided.

We will provide information regarding data processing activities not listed in this notice at the time the data is collected.

In response to an exceptional request from a government authority, or in response to a request from another body authorized by law, the Service Provider is obligated to provide information, disclose or transfer data, and make documents available.

In such cases, the Service Provider shall disclose personal data to the requesting party—provided that the party has specified the exact purpose and scope of the data—only to the extent strictly necessary to fulfill the purpose of the request.

Rights of Data Subjects

Right of Access

You have the right to obtain confirmation from the data controller as to whether your personal data is being processed, and if such processing is taking place, you have the right to access your personal data and the information listed in the Regulation.

Right to rectification

You have the right to obtain from the data controller, upon request and without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to request that incomplete personal data be completed, including by means of providing a supplementary statement.

The Right to Erasure

You have the right to request that the data controller erase your personal data without undue delay, and the data controller is obligated to erase your personal data without undue delay under certain conditions.

The right to be forgotten

If the data controller has made the personal data public and is required to erase it, it shall, taking into account available technology and the cost of implementation, take reasonable steps—including technical measures—to inform data controllers processing the data that you have requested the deletion of links to, or copies or replicas of, the personal data in question.

The Right to Restriction of Processing

You have the right to request that the data controller restrict the processing of your personal data if any of the following conditions are met:

You contest the accuracy of the personal data; in this case, the restriction applies for a period enabling the data controller to verify the accuracy of the personal data;
the processing is unlawful, and you oppose the erasure of the data and instead request the restriction of its use;
the data controller no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise, or defense of legal claims;
you have objected to the processing; in this case, the restriction applies for as long as it has not been determined whether the controller’s legitimate grounds override your legitimate grounds.

The Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to whom you have provided the personal data (…)

Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data by (…), including profiling based on those provisions.

Objection in the case of direct marketing

If the processing of personal data is carried out for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, insofar as it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data may no longer be processed for that purpose.

Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you.

The preceding paragraph does not apply if the decision:

is necessary for the conclusion or performance of a contract between you and the data controller;
is authorized by Union or Member State law to which the data controller is subject, which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your explicit consent.

Time limit for action

The data controller shall inform you of the measures taken in response to the above requests without undue delay, but in any event within 1 month of receipt of the request.

If necessary, this may be extended by 2 months. The data controller shall inform you of the extension of the deadline within 1 month of receiving the request, stating the reasons for the delay.

If the data controller does not take action in response to your request, it will inform you without delay, but no later than one month from the receipt of the request, of the reasons for the failure to act, as well as of your right to file a complaint with a supervisory authority and to seek judicial remedy.

Security of Data Processing

The data controller and the data processor shall take appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, as well as the nature, scope, context, and purposes of the processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk, including, where appropriate:

the pseudonymization and encryption of personal data;

ensuring the ongoing confidentiality, integrity, availability, and resilience of the systems and services used to process personal data;

the ability to restore access to personal data and the availability of the data in a timely manner in the event of a physical or technical incident;

a procedure for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures taken to ensure the security of processing.

Notifying the data subject of a data breach

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of the data breach without undue delay.

The information provided to the data subject must clearly and comprehensibly describe the nature of the data breach and include the name and contact details of the data protection officer or other contact person providing further information; it must describe the likely consequences of the data breach; the measures taken or planned by the data controller to address the data breach, including, where appropriate, measures to mitigate any adverse consequences resulting from the data breach, must be described.

The data subject need not be informed if any of the following conditions are met:

the controller has implemented appropriate technical and organizational security measures, and those measures were applied to the data affected by the personal data breach, in particular measures—such as encryption—that render the data unintelligible to any person who is not authorized to access it;
the controller has taken further measures following the data breach to ensure that the high risk to the rights and freedoms of data subjects is unlikely to materialize in the future;
providing the information would require a disproportionate effort. In such cases, data subjects must be informed through publicly disclosed information, or similar measures must be taken to ensure that data subjects are informed in an equally effective manner.

If the data controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after assessing whether the personal data breach is likely to result in a high risk, order that the data subject be notified.

Reporting a data breach to the authority

The data controller shall notify the competent supervisory authority of the data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of the data breach, to the supervisory authority competent pursuant to Article 55, unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must also be provided.

How to File a Complaint

Complaints regarding any potential violations by the data controller may be filed with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing Address: 1530 Budapest, P.O. Box 5.

Phone: +36 -1-391-1400

Fax: +36-1-391-1410

Email: ugyfelszolgalat@naih.hu

Closing Remarks

In preparing this notice, we have taken into account the following legislation:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Act CXII of 2011 – on the right to informational self-determination and freedom of information (hereinafter: Infotv.)
Act CVIII of 2001 – on certain issues concerning electronic commerce services and information society services (in particular Section 13/A)
Act XLVII of 2008 – on the Prohibition of Unfair Commercial Practices against Consumers;
Act XLVIII of 2008 – on the Fundamental Conditions and Certain Restrictions of Commercial Advertising Activities (in particular Section 6)
Act XC of 2005 on Freedom of Electronic Information
Act C of 2003 on Electronic Communications (specifically Section 155)
Opinion No. 16/2011 on the EASA/IAB Recommendation on Best Practices for Behavioral Online Advertising
Recommendation of the National Authority for Data Protection and Freedom of Information on data protection requirements for prior information
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

LESTYÁN GASZTRO&BAR

3526 Miskolc, Arany János tér 1.

NYITVATARTÁS:

Héftő-Csütörtök: 12:00-23:00
Péntek-szombat: 12:00-02:00
Vasárnap: ZÁRVA