Privacy notice
NORKA COFFEE KFT.
VALID: FROM 10 JANUARY 2024 UNTIL WITHDRAWN
1. Data of the controller:
Company name: Norka Coffee Kft.
Registered seat: 1036 Budapest, Bécsi út 49.
VAT number: 32306037-2-41
Company registration number: 01-09-417188
Represented by: Dániel Neustadtl, Managing Director
Phone number: +36 30 279 7981
Email: hi@hinewbeans.com
2. Purpose of the Privacy Notice:
The controller abides by the content of this legal notice. The purpose of this Privacy Notice is to inform buyers, customers, and partners about the management of their personal data.
The controller processes personal data exclusively in accordance with the provisions of the applicable law and in strict compliance with the provisions of processing and privacy regulations, taking into account the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, and storage limitation.
The controller shall take all technical and organizational measures to process the personal data of its partners in a secure manner as required by Regulation (EU) 2016/679 of the European Parliament and of the Council.
The controller has adapted its day-to-day activities and has developed its rules, records, standard documents and information in line with the above.
The data protection guidelines arising in connection with the processing of the controller are continuously available at the controller’s registered offices and on its website. The controller reserves the right to change this privacy notice at any time. Of course, the controller will notify its customers of any changes in good time.
The controller is committed to protecting the personal data of its customers and partners, and considers it of utmost importance to respect the buyers’ right to self-determination of information. The controller treats personal data confidentially and takes all security, technical and organizational measures that guarantee data security. The controller describes its processing practices below.
3. Personal and material scope and validity of the Privacy Notice:
The personal scope of this Privacy Notice covers the controller, as well as the natural persons whose data are included in the processing covered by this Notice, as well as the persons whose rights or legitimate interests are affected by the processing.
The material scope of the Notice covers all processing arising in the course of the controller’s activities.
This Notice enters into force on the day of its approval and shall be valid indefinitely until further notice.
4. Main Definitions:
Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Special data: any data in special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction or destruction by any means.
Controller: any natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others.
Processor: any natural person or legal entity, public authority, agency or any other body that processes personal data on behalf of the controller.
Joint controllers: if the purposes and means of processing are determined jointly by two or more controllers, they are considered joint controllers.
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, have been granted authorization to process personal data.
Consent of the data subject: the voluntary, specific, informed and clear declaration of the data subject with which he indicates by means of the relevant declaration or an act clearly expressing confirmation that he gives his consent to the processing of personal data concerning him.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
5. Lawful processing by the controller:
Personal data will be processed by the controller only in the following cases:
1. if the data subject has given his consent to the processing of his personal data for one or more specific purposes,
2. processing is necessary for the performance of a contract in which the data subject is one of the parties,
3. processing is necessary to fulfil a legal obligation of the controller,
4. processing is necessary to protect the vital interests of the data subject or another natural person,
5. processing is necessary to enforce the legitimate interests of the controller or a third party.
The controller examines the legality of processing in every phase of its activity, and only processes data for which it can prove its purpose and legal basis. Should a legal ground cease to exist, processing may only be resumed if the controller can demonstrate an adequate alternative legal basis.
As a general rule, the way of proving a legal basis is in writing, but even in the case of a legal basis established by implied conduct, it must be examined whether it can be clearly proved ex post. In case of doubt, for reasonableness and economy, written confirmation of the processing resulting from such implied conduct should be sought.
In the case of processing based on consent, the data subject gives his written consent to the processing of his personal data. The consent is not required to meet any specific format, but subsequent evidence requires written consent on paper or in electronic form.
Where processing is based on the need to fulfil a legal obligation, it is independent of the consent of the data subject, as the processing is required by law.
Irrespective of the mandatory nature of the processing, the private individual concerned must be informed before the processing starts that the processing is mandatory and cannot be avoided, and must be provided with clear and detailed information on all relevant facts concerning the processing of his or her data before the processing starts.
According to the GDPR (General Data Protection Regulation), personal data may also be processed if the processing is necessary for the performance of a contract to which the individual concerned is a party or if the processing or collecting of data is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract. The controller may process personal data for the purpose of concluding, fulfilling, or terminating a contract when the legal basis is the performance of the contract.
6. Personal data processing by the controller:
The controller is engaged in coffee retail and wholesale activities, and also organizes and conducts workshops on coffee making. During the performance of these activities, it comes into contact with the personal data of natural persons. It carries out the following processing activities:
A. The controller accepts purchase orders via its website www.hinewbeans.com or by email. Buyers can be both private individuals and legal entities. In the case of a purchase order, the buyer’s name, address, email address, and phone number are processed by the controller. The purpose of processing is to fulfil the obligations assumed in the contract and maintain contact. The legal basis for the processing of personal data is the fulfilment of obligations assumed in a contract (Article 6 (1) b) of the General Data Protection Regulation). In the case of a legal entity, the contact person’s personal data will be processed on the basis of the data subject’s consent (Article 6 (1) a) of the General Data Protection Regulation).
The controller issues an invoice for the consideration of the products it distributes. The invoice contains the customer’s name, address, and possibly tax number. Issuing the invoice is the legal obligation of the controller. The legal basis for the processing of the personal data included in the invoice is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation). The personal data included in the invoice will be stored by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
B. The controller also conducts wholesale activities, is in contact with resellers, and its contractual partners can be both private individuals and legal entities. The establishment of a contractual relationship is preceded by a request for an offer, made either in person, by phone, via email message, or by the contact form on the website, or via the controller’s social media page. The party requesting an offer provides his name, telephone number and email address, to which the controller will send the relevant offer. The purpose of processing personal data is to send the offer and keep contact. The legal basis for processing personal data is the establishment of a contract (Article 6 (1) b) of the General Data Protection Regulation). If the offer is rejected, the personal data of the interested party will be erased immediately, but no later than within 30 days from the rejection of the offer. If the party requesting the offer does not send feedback regarding the offer, the controller will erase the personal data within 60 days of sending the offer. If the data subject accepts the offer, a contractual relationship is established between the parties. After that, the controller will acquire additional personal data of individuals (partners and contact persons). The purpose of processing personal data is to fulfil contractual obligations and maintain contact. The legal basis for processing is the fulfilment of contractual obligations (Article 6 (1) b) of the General Data Protection Regulation), and as for the contact person of a legal entity, the consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). The controller issues an invoice for the consideration of the services provided. The invoice contains the customer’s name, address, and possibly the tax number. Issuing the invoice is the legal obligation of the controller. 
The legal basis for the processing of the personal data included in the invoice is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation). The personal data included in the invoice will be stored by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
C. The controller also organizes and conducts workshops. Applications can be made in person, by sending an email, using the contact form on the website or via the community page. During the application, the controller requests the name, address, email address, and telephone number of the data subject. The purpose of processing is to complete the registration, ensure the possibility of contact with the data subject, and organize the workshop. The legal basis for the processing of personal data is the fulfilment of obligations assumed in a contract (Article 6 (1) b) of the General Data Protection Regulation). The controller issues an invoice to the customer for the amount of the participation fee. The invoice contains the customer’s name, address, and possibly the tax number. Issuing the invoice is the legal obligation of the controller. The legal basis for the processing of the personal data included in the invoice is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation). The personal data included in the invoice will be stored by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
D. In the performance of its tasks, the controller processes the email addresses and telephone numbers of its buyers, customers and partners, in order to fulfil its contractual obligations (Article 6 (1) b) of the General Data Protection Regulation) or on the basis of their individual consent (Article 6 (1) a) of the General Data Protection Regulation).
E. In the course of its work, the controller has a contractual relationship with subcontractors, suppliers and service providers, which also provides a basis for the processing of personal data. In this case, the legal basis for the processing of personal data is (for a natural person or a sole trader) the performance of a contractual obligation (Article 6 (1) b) of the General Data Protection Regulation), and for the contact person of a legal entity, the prior informed consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation).
F. The controller presents its activities, products and services on its website www.hinewbeans.com. During the operation of the website, cookies are used, which also collect personal data about visitors. The legal basis for processing is the consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation).
G. On the website, the visitor of the site has the possibility to contact the controller by means of a contact form. The name and email address of the interested person must be entered on the form. The purpose of handling personal data is to contact the website visitor and those interested in the products and services of the controller. If the product or service is not ordered after the contact, the personal data of the interested person will be erased immediately, but no later than within 30 days of the contact. The legal basis for the controller to process personal data is to conclude the contract (Article 6 (1) b) of the General Data Protection Regulation). By completing the form, the data subject declares that he or she has read and acknowledged the Controller’s Privacy Notice.
H. The website of the controller contains the opinions of some former customers about the services and products provided by the controller. The personal data and opinions of the reviewer will only be displayed on the website if he has given his written informed consent (Article 6 (1) a) of the General Data Protection Regulation). The controller processes the personal data until the consent of the data subject is withdrawn.
I. The controller presents its cooperating partner on its website. The personal data of the data subject will only be displayed on the website if he has given his prior informed consent in writing. The legal basis for processing is the consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation).
The controller processes the personal data until the consent of the data subject is withdrawn.
J. The controller also offers the possibility of subscribing to a newsletter by providing an email address. The purpose of processing personal data is to send newsletters, direct marketing messages and individual discounts to the data subject. When subscribing to the newsletter, the data subject declares that he has read the Controller’s Privacy Policy and whether or not he consents to the processing of his personal data for marketing purposes. The data subject shall have the rights described in the Privacy Notice and shall be able to exercise those rights in the manner and at the places described therein. Accordingly, the legal basis for the processing of personal data in the course of sending the newsletter is the prior informed consent of the subscriber (Article 6 (1) a) of the General Data Protection Regulation). If the data subject withdraws his consent, the controller will erase the recorded personal data from his system immediately and in any case no later than within 30 days after the withdrawal of consent.
K. The controller also operates a social media website, where personal data is also processed. The legal basis for processing is the consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation).
L. The controller occasionally organizes sweepstakes. In this case, the personal data of the participants and the winner will be processed. The controller does not store the data of the participants in any system after the draw; the winner’s data is processed in order to serve him the prize. The controller processes the personal data on the basis of the data subject’s consent (Article 6 (1) a) of the General Data Protection Regulation) and keeps them for the legal retention period.
M. In the course of complaint handling in relation to the activities of the controller, the purpose of processing is to enable the communication of the complaint, to identify the data subject and his complaint, to record the data required to be recorded by law, to investigate the complaint and to maintain contact in connection with its resolution.
In the event of a complaint, the administration of the complaint and the processing of personal data are mandatory under Act CLV of 1997 on Consumer Protection. Consequently, the legal basis for processing personal data is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation).
The controller keeps a processing record of the above-mentioned processing. The record also contains the deadlines determined for erasing personal data. The record forms an appendix to this Privacy Notice.
7. Processors associated with the controller:
Where the processing is carried out by another party on behalf of the controller, the controller may only use processors that offer adequate safeguards to ensure compliance with the requirements of the General Data Protection Regulation or implement appropriate technical and organizational measures to ensure the protection of the rights of data subjects.
The Controller hereby declares that in the course of its work, it will only deal with processors that have sufficient guarantees of compliance with the GDPR Regulation and of the implementation of appropriate technical and organizational measures to ensure the protection of the rights of data subjects. The relevant declarations of the processors are available.
By reading and acknowledging this Privacy Notice, the data subject accepts that the controller transfers his personal data to the processors and joint controllers listed below.
- The processor is an accounting firm employed by the controller:
  - E.G.M. Adó-Kontír Kft.
  - 1116 Budapest, Talpas utca 3. I. emelet
  - info@adokontir.hu
- Regarding the issuance of invoices, the controller’s partner is:
  - KBOSS.hu Kft.
  - 1031 Budapest, Záhony u. 7.
  - info@szamlazz.hu
- In order to pay by bank card, the processors of the controller, who are also independent controllers, are as follows:
  - Stripe Inc.
  - 510 Townsend Street San Francisco, CA 94103 United States
  - info@stripe.com
  - PayPal (Europe) S.a.r.l. et Cie, S.C.A.
  - 22-24 Boulevard Royal L-2449, Luxembourg
The legal basis for the processing of personal data is the fulfilment of the contract, and then the fulfilment of the retention obligation provided by law.
- A processor (and also an independent controller in the performance of its tasks) is the courier company employed by the controller:
  - GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
  - 2351 Alsónémedi, GLS Európa u. 2.
  - info@gls-hungary.com
- The company providing the hosting of the website of the controller is considered a processor:
  - Squarespace Ireland Limited
  - Squarespace House, Ship Street Great, Dublin 8, D08N12C (Attention: Legal – Privacy)
  - privacy@squarespace.com
- The server of the controller’s mail system is also a processor:
  - Squarespace Ireland Limited
  - Squarespace House, Ship Street Great, Dublin 8, D08N12C (Attention: Legal – Privacy)
  - privacy@squarespace.com
  - Google Ireland Limited
  - Gordon House, Barrow Street, Dublin 4, Ireland
- When storing data in a cloud-based online database, the service provider is considered a processor (Google Drive):
  - Google Ireland Limited
  - Gordon House, Barrow Street, Dublin 4, Ireland
- Due to the use of the social media site, a processor and joint processor partner is:
  - Meta Platforms Ireland Ltd.
  - 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
- The controller also forwards the personal data of its customers to the Hungarian National Tax and Customs Administration.
The contracted processors and controllers process the personal data of partners only upon the instructions given by the controller (except where otherwise required by law) and under an obligation of confidentiality.
8. Processing related to contracts concluded by the controller:
Customer contracts:
The controller accepts purchase orders via its website www.hinewbeans.com or by email. Buyers can be both private individuals and legal entities. In the case of a purchase order, the buyer’s name, address, email address, and phone number are processed by the controller. The purpose of processing is to fulfil the obligations assumed in the contract and maintain contact. The legal basis for the processing of personal data is the fulfilment of obligations assumed in a contract (Article 6 (1) b) of the General Data Protection Regulation). In the case of a legal entity, the contact person’s personal data will be processed on the basis of the data subject’s consent (Article 6 (1) a) of the General Data Protection Regulation).
The controller issues an invoice for the consideration of the products it distributes. The invoice contains the customer’s name, address, and possibly tax number. Issuing the invoice is the legal obligation of the controller. The legal basis for the processing of the personal data included in the invoice is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation). The personal data included in the invoice will be stored by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
The controller also conducts wholesale activities, is in contact with resellers, and its contractual partners can be both private individuals and legal entities. The establishment of a contractual relationship is preceded by a request for an offer, made either in person, by phone, via email message, or by the contact form on the website, or via the controller’s social media page. The party requesting an offer provides his name, telephone number and email address, to which the controller will send the relevant offer. The purpose of processing personal data is to send the offer and keep contact. The legal basis for processing personal data is the establishment of a contract (Article 6 (1) b) of the General Data Protection Regulation). If the offer is rejected, the personal data of the interested party will be erased immediately, but no later than within 30 days from the rejection of the offer. If the party requesting the offer does not send feedback regarding the offer, the controller will erase the personal data within 60 days of sending the offer. If the person concerned accepts the offer, a contractual relationship is established between the parties. After that, the controller will acquire additional personal data of individuals (partners and contact persons). The purpose of processing personal data is to fulfil contractual obligations and maintain contact. The legal basis for processing is the fulfilment of contractual obligations (Article 6 (1) b) of the General Data Protection Regulation), and as for the contact person of a legal entity, the consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). The controller issues an invoice for the consideration of the services provided. The invoice contains the customer’s name, address, and possibly the tax number. Issuing the invoice is the legal obligation of the controller. 
The legal basis for the processing of the personal data included in the invoice is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation). The personal data included in the invoice will be stored by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
The controller also organizes and conducts workshops. Applications can be made in person, by sending an email, using the contact form on the website or via the community page. During the application, the controller requests the name, address, email address, and telephone number of the data subject. The purpose of data management is to complete the registration, ensure the possibility of contact with the person concerned, and organize the workshop. The legal basis for the processing of personal data is the fulfilment of obligations assumed in a contract (Article 6 (1) b) of the General Data Protection Regulation). The controller issues an invoice to the customer for the amount of the participation fee. The invoice contains the customer’s name, address, and possibly the tax number. Issuing the invoice is the legal obligation of the controller. The legal basis for the processing of the personal data included in the invoice is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation). The personal data included in the invoice will be stored by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
Supplier contracts:
The controller also processes the contact information (name, email address, phone number) of its suppliers and is also in contact with service providers and subcontractors. In order to maintain contact with partners, personal data is processed in these cases as well (personal data of the contact person or the natural person or sole trader). The legal basis for the processing of personal data is the performance of a contractual obligation (Article 6 (1) b) of the General Data Protection Regulation) or the consent of the contact person (Article 6 (1) a) of the General Data Protection Regulation).
The controller fills out a consent statement with the contact persons of the companies, in which it informs them of their rights related to personal data and requests their consent to be able to process their data. In such cases, the legal basis for the processing of personal data is the informed written consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). If the contract with a partner has been terminated and the statutory obligation does not apply to the retention of data and documents, the telephone numbers and email addresses will be erased. The personal data included in the contract and in the invoice will be retained by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
9. Processing of invoices issued to customers and the personal data on them:
The controller issues invoices to its customers for the value of the services provided and products sold. The invoice contains the customer’s name, address, and possibly the tax number. The invoice is issued by the controller in order to fulfil the obligation stated by law. The legal basis for the processing of the personal data included in the invoice is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation). The personal data recorded this way will be stored by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
10. Processing of children’s data, special categories of personal data:
With regard to the participation in online sweepstakes, the subscription to the newsletter on the website and the consent to the operation of cookies, the data subject declares that he or she is at least 16 years of age. A person under the age of 16 may not participate in the online sweepstakes, subscribe to newsletters or consent to the collection of data from cookies used by the website, given that, pursuant to Article 8 (1) of the General Data Protection Regulation (GDPR), the validity of his/her consent to the processing of personal data requires the consent of his/her legal representative. The controller is unable to check the consenting person’s age and eligibility, so the data subject guarantees that the data provided is true.
Special data brought to or coming to the knowledge of the controller shall not be recorded by the controller. If this type of data has entered any system without the knowledge of the controller, it will be erased from the system immediately after detection.
11. Processing of email addresses and telephone numbers:
In the course of its activity, the controller also becomes aware of the email addresses and telephone numbers of its buyers, customers, and partners. The data collected in this way are processed primarily for the purpose of fulfilling its contractual obligations (Article 6 (1) b) of the General Data Protection Regulation). If the contract with a partner has been terminated and the statutory obligation does not apply to the retention of data and documents, the telephone numbers and email addresses will be erased. In some cases, the controller will still have a legitimate interest in retaining the data, in which case it will ask for the data subject’s prior consent to retain the personal data (Article 6 (1) a) of the General Data Protection Regulation).
12. The Controller’s website:
The controller presents its activities and the products and services it sells to interested parties on its website www.hinewbeans.com.
The website of the controller uses cookies during its operation. The legal basis for processing the personal data obtained by them is the consent of the visitor (Article 6 (1) a) of the General Data Protection Regulation).
During its operation, the www.hinewbeans.com website uses the following cookies:
- crumb
  - duration: until the end of the browsing session
  - type: absolutely necessary
- CART
  - duration: 2 weeks
  - type: absolutely necessary
- Locked
  - duration: until the end of the browsing session
  - type: other
- hasCart
  - duration: 2 weeks
  - type: absolutely necessary
- ss_cvr
  - duration: 13 months
  - type: statistical – SquareSpace
- ss_cvt
  - duration: 40 minutes
  - type: statistical – SquareSpace
- test
  - type: other
Cookies:
The role of cookies:
- to collect information about visitors and their devices;
- to remember the individual settings of the visitors, which will (may) be used;
- to facilitate the use of the website;
- to provide a quality user experience.
In order to provide customized service, a small data package (a cookie) is placed on the customer’s computer and read back during subsequent visits. If the browser returns a previously saved cookie, the service provider managing the cookie has the opportunity to connect the user’s current visit with previous ones, but only with regard to its own content.
Strictly necessary session cookies:
The purpose of these cookies is to enable visitors to fully and smoothly browse the website and use its functions and the services available there. The validity period of this type of cookie lasts until the end of the session (browsing), and when the browser is closed, these cookies are automatically deleted from the computer or other device used for browsing.
The data subject’s choice regarding the cookies:
Web browser cookies:
In the browser settings, the data subject can accept or reject new cookies and delete existing cookies. He can also set his browser to notify him every time new cookies are placed on his computer or other device. More information about the handling of cookies can be found in the “Help” function of the browser.
If the visitor decides to turn off some or all cookies, he will not be able to use all the functions of the website.
On the website of the controller, by accepting the use of cookies, the data subject declares that he or she has reached the age of 16 years. A person under the age of 16 may not make a declaration of acceptance or rejection of cookies used by the website, given that, pursuant to Article 8 (1) of the General Data Protection Regulation (GDPR), the validity of his/her declaration of consent to processing requires the consent of his/her legal representative. The controller is unable to check the consenting person’s age and eligibility, so the data subject guarantees that the data provided is true.
Processing of personal data during shopping on the website:
The controller also accepts orders via its www.hinewbeans.com website. Buyers can be both private individuals and legal entities. In the case of a purchase order, the buyer’s name, address, email address, and phone number are processed by the controller. The purpose of processing is to fulfil the obligations assumed in the contract and maintain contact. The legal basis for the processing of personal data is the fulfilment of obligations assumed in a contract (Article 6 (1) b) of the General Data Protection Regulation). In the case of a legal entity, the contact person’s personal data will be processed on the basis of the data subject’s consent (Article 6 (1) a) of the General Data Protection Regulation). The controller issues an invoice for the consideration of the products it distributes. The invoice contains the customer’s name, address, and possibly tax number. Issuing the invoice is the legal obligation of the controller. The legal basis for the processing of the personal data included in the invoice is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation). The personal data included in the invoice will be stored by the controller for 8 years in compliance with the retention obligation set out in article 169 of the Accounting Act.
Processing of personal data when using the contact form:
On the website, the visitor of the site has the possibility to contact the controller by means of a contact form. The name and email address of the interested person must be entered on the form. The purpose of handling personal data is to contact the website visitor and those interested in the products and services of the controller. If the product or service is not ordered after the contact, the personal data of the interested person will be erased immediately, but no later than within 30 days of the contact. The legal basis for the controller to process personal data is to conclude the contract (Article 6 (1) b) of the General Data Protection Regulation). By completing the form, the data subject declares that he or she has read and acknowledged the Controller’s Privacy Notice.
Processing of personal data when presenting opinions:
The website of the controller contains the opinions of some former customers about the services and products provided by the controller. The personal data and opinions of the reviewer will only be displayed on the website if he has given his written informed consent (Article 6 (1) a) of the General Data Protection Regulation). The controller processes the personal data until the consent of the data subject is withdrawn.
Processing of personal data when presenting a cooperating partner:
The controller presents its cooperating partner on its website. The personal data of the data subject will only be displayed on the website if he has given his prior informed consent in writing. The legal basis for processing is the consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). The controller processes the personal data until the consent of the data subject is withdrawn.
13. Newsletter subscription:
The controller offers the possibility to subscribe to a newsletter. When subscribing to the newsletter, the data subject declares that he has read the Controller’s Privacy Policy and whether or not he consents to the processing of his personal data for marketing purposes (sending newsletters). The data subject shall have the rights described in the Privacy Notice and shall be able to exercise those rights in the manner and at the places described therein. Accordingly, the legal basis for the processing of personal data in the course of sending the newsletter is the prior informed consent in writing of the subscriber (Article 6 (1) a) of the General Data Protection Regulation).
The purpose of data management related to the sending of newsletters is to provide the addressee with full general or personalized information about the novelties, latest news and discounts offered by the controller, in accordance with the relevant legislation in force. Signing up for a newsletter and/or DM mail is based on voluntary consent, and the controller gives the data subject the opportunity to withdraw their consent and unsubscribe from the newsletter at any time.
On the website of the controller, by subscribing to the newsletter, the data subject declares that he or she is at least 16 years of age. A person under the age of 16 may not subscribe to a newsletter, given that, pursuant to Article 8 (1) of the General Data Protection Regulation (GDPR), the validity of his/her declaration of consent to processing requires the consent of his/her legal representative. The controller is unable to check the consenting person’s age and eligibility, so the data subject guarantees that the data provided is true.
14. Social media page of the controller:
The controller also operates a Facebook page, where personal data is also processed. The controller also promotes its activities and presents its products and services on its Facebook page.
https://www.facebook.com/people/Hi–New–Beans/61550852322900/
The controller also provides comprehensive personal support via Facebook. When a question is received via Facebook, it tries to answer it as soon as possible. The information obtained on the Facebook page is used exclusively to answer questions, not for further advertising purposes.
The purpose of using the Facebook page is advertising on the social media interface, and providing information. Facebook can also use the data for its own purposes, including profiling the data subject and targeting him with advertisements.
In order to be able to contact the controller via Facebook, you must log in. For this purpose, Facebook also requests, stores and processes personal data. The controller has no influence on the type, scope and processing of this data, and does not receive personal data from the Facebook operator. You can find more information about this on the Facebook page.
The personal data of followers on the Facebook page is handled by the controller in accordance with their consent (Article 6 (1) point a) of the General Data Protection Regulation), and the consent is considered granted when the person in question likes or follows the page, posts or comments on them.
15. Sweepstakes:
The controller occasionally organizes sweepstakes. In this case, the personal data of the participants and the winner will be processed. The controller does not store the data of the participants in any system after the draw, while the winner’s data is processed in order to deliver the prize to him. The controller processes the personal data on the basis of the data subject’s consent (Article 6 (1) a) of the General Data Protection Regulation) and keeps them for the legal retention period.
With regard to the participation in online sweepstakes, the data subject declares that he or she is at least 16 years of age. A person under the age of 16 may not take part in sweepstakes, given that, pursuant to Article 8 (1) of the General Data Protection Regulation (GDPR), the validity of his/her declaration of consent to processing requires the consent of his/her legal representative. The controller is unable to check the consenting person’s age and eligibility, so the data subject guarantees that the data provided is true.
16. Processing of personal data during the use of cloud-based applications:
The controller primarily uses cloud-based services to store, share and back up documents. The common feature of such services is that they are not provided by the user’s computer but by a remote server or server centre that can be located anywhere in the world. Online hosting also provides such a service. The great advantage of cloud applications is that they provide highly secure, flexibly expandable IT storage and processing capacity that is essentially independent of geographic location.
In these cases, the cloud service provider can be considered a processor who processes personal data for the benefit of the controller. Cloud service providers are obliged to treat personal data confidentially and may only perform processing on the instructions of the controller.
The controller selects its cloud service partners with the utmost care, takes all measures that are generally expected to ensure that the contract with them is in the interests of the data security of its customers, their processing principles are transparent to the controller and data security is regularly monitored.
Cloud-based storage areas are password protected, and only the controller can access the data stored there.
The partners of the controller expressly consent to the data transmission required for the use of cloud-based applications by accepting this Privacy Notice. The legal basis for processing is the consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation).
17. Complaint handling related to the activities of the controller:
In the course of complaint handling in relation to the activities of the controller, the purpose of processing is to enable the communication of the complaint, to identify the data subject and his complaint, to record the data required to be recorded by law, to investigate the complaint and to maintain contact in connection with its resolution.
In the event of a complaint, the administration of the complaint and the processing of personal data are mandatory under Act CLV of 1997 on Consumer Protection. Consequently, the legal basis for processing personal data is the fulfilment of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation).
The controller will keep a record of the complaint and a copy of the response for 3 years, and will process the personal data on that basis for the same period.
18. Security in processing:
The controller undertakes to ensure the security of the data, to take technical and organizational measures and to maintain procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorized use or unauthorized alteration. The controller also undertakes to call on all third parties to whom it forwards or transfers the data to comply with the requirement of data security.
The controller ensures that no unauthorized person can access, disclose, transmit, modify, or erase the processed data. The processed data can only be seen by the controller and the processor(s) used by it, and will not be passed on to third parties who are not authorized to see the data.
The controller pays particular attention to the security of the personal data of its buyers and customers. It acts in full compliance with the legal provisions and requires this from all its partners. The protection of personal data includes both physical data protection (storing documents in a lockable room) and IT protection (use of password protection).
The controller stores the personal data provided by the data subject primarily on the servers equipped with the usual protection systems of the processor(s) specified in this Privacy Notice, partly on its own IT devices, and in the case of hard copy data carriers, properly locked at its headquarters.
Data subjects acknowledge and accept that, when they provide their personal data, data protection cannot be fully guaranteed on the Internet and in a computer system. In the event that unauthorized access to or disclosure of data occurs despite the controller’s efforts, it is necessary to proceed as described in this Notice.
19. Rights of the data subjects:
- Transparent information:
This Privacy Notice also serves the purpose of providing clear, concise, transparent and understandable information about the processing activities applied by the controller.
- Right to access:
The data subject has the right to receive feedback from the controller as to whether his personal data is being processed, and if such processing is underway, he is entitled to access the personal data and the following information:
- purpose of processing,
- categories of personal data concerned,
- recipients to whom the personal data were disclosed,
- the planned period of retention of personal data.
You can request information about the above data from the controller at the following email address:
Norka Coffee Kft. 1036 Budapest, Bécsi út 49.
Email: hi@hinewbeans.com
The controller hereby informs you that it will respond to your inquiry within 30 days. Information requests sent by post will be answered by post, and requests sent by email will be answered by email.
- Right to rectification:
The data subject has the right to have inaccurate personal data rectified by the controller upon request.
You can request information about the above data from the controller at the following email address:
Norka Coffee Kft. 1036 Budapest, Bécsi út 49.
E-mail: hi@hinewbeans.com
The controller hereby informs you that it will respond to your inquiry within 30 days. Information requests sent by post will be answered by post, and requests sent by email will be answered by email.
- Right to erasure:
The data subject has the right to have the personal data erased by the controller upon request. Based on this request, the controller is obliged to erase the personal data if one of the following reasons exists:
- the personal data are no longer needed for the purpose for which they were collected,
- the data subject withdraws their previously given consent and there is no other legal basis for processing,
- the data subject objects to processing and there is no overriding legal reason for processing,
- personal data were handled unlawfully,
- it is necessary to erase the data to fulfil a legal obligation prescribed by EU or member state law.
You can request information about the above data from the controller at the following email address:
Norka Coffee Kft. 1036 Budapest, Bécsi út 49.
E-mail: hi@hinewbeans.com
The controller hereby informs you that it will respond to your inquiry within 30 days. Information requests sent by post will be answered by post, and requests sent by email will be answered by email.
- Right to restrict processing:
The data subject has the right to request that the controller limit processing, primarily if:
- he disputes the accuracy of the data,
- he considers the processing unlawful, but for some reason does not request the erasure of the data.
You can request information about the above data from the controller at the following email address:
Norka Coffee Kft. 1036 Budapest, Bécsi út 49.
E-mail: hi@hinewbeans.com
The controller hereby informs you that it will respond to your inquiry within 30 days. Information requests sent by post will be answered by post, and requests sent by email will be answered by email.
- Right to data portability:
The data subject has the right to receive his/her personal data in a structured, widely used, machine-readable format, and is also entitled to transmit this data to another controller.
You can request information about the above data from the controller at the following email address:
Norka Coffee Kft. 1036 Budapest, Bécsi út 49.
E-mail: hi@hinewbeans.com
The controller hereby informs you that it will respond to your inquiry within 30 days. Information requests sent by post will be answered by post, and requests sent by email will be answered by email.
- Right to object:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of his or her personal data, as provided for in Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
You can request information about the above data from the controller at the following email address:
Norka Coffee Kft. 1036 Budapest, Bécsi út 49.
E-mail: hi@hinewbeans.com
The controller hereby informs you that it will respond to your inquiry within 30 days. Information requests sent by post will be answered by post, and requests sent by email will be answered by email.
- The right of the data subject in case of automated decision-making:
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her. Automated decision-making is any procedure or methodology where technical automatic processes evaluate the personal characteristics of the data subject and which has a legal effect on him or significantly affects him. The controller does not use any IT automatic technology suitable for profiling that has a significant impact on the rights of the data subject.
Information about the above data may be requested from the controller by writing to the address or email address below:
Norka Coffee Kft. 1036 Budapest, Bécsi út 49.
Email: hi@hinewbeans.com
The controller informs you that a reply to your inquiry will be sent within 30 days. Information requests sent by post will be answered by post, and requests sent by email will be answered by email.
The controller undertakes to inform all recipients to whom it has disclosed personal data of the requests sent to it in connection with the above rights, unless this proves to be impossible. The controller also undertakes to notify the data subject (applicant) of the decision regarding the handling of the above requests within 30 days at the latest.
20. Personal data breach:
A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or processed in another way.
In the event of a personal data breach, the breach must be of a serious threat level, i.e. the breach must be of a degree that entails:
- the destruction,
- loss,
- alteration,
- unauthorized disclosure, or
- unauthorized access to personal data.
It is considered a personal data breach if any of the above occurs, but this does not preclude several of them from happening at the same time. This also includes damage caused by negligence, not only by intentional, malicious conduct. The breach therefore occurs when it is caused by an accident or an unlawful act.
Examples of personal data breach include:
- illegal transmission of personal data in a document, on a portable device, data carrier or IT system (e.g. by mail),
- unauthorized access to an IT system or application processing personal data,
- damage or loss in part or in full of a database containing personal data,
- part or all of an IT system rendered unusable by a virus or other malicious software, etc.
A personal data breach may cause physical, pecuniary or non-pecuniary damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, or identity theft, if not addressed in an appropriate and timely manner, or misuse of identity, financial loss, unauthorized impersonation, damage to reputation, damage to the confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantages suffered by the natural persons concerned.
In the event of a possible personal data breach (except if the personal data breach is likely to pose no risk to the rights and freedoms of natural persons), the controller shall immediately notify the Hungarian National Authority for Data Protection and Freedom of Information. As soon as the controller becomes aware of the breach, it must report it without undue delay and, if possible, no later than 72 hours after it became aware of the personal data breach. If the notification cannot be made within 72 hours, the reason for the delay must be indicated, and the required information must be provided in detail without further undue delay.
To report a personal data breach, the Hungarian National Authority for Data Protection and Freedom of Information operates a dedicated system on its website, through which notifications can be made electronically.
The controller keeps record of personal data breaches, indicating the facts related to the personal data breach, its effects, and the measures taken to remedy it. The controller must keep records of the data related to the breaches, including the reasons, the events and the scope of the personal data involved. The record should also include the effects and consequences of the breaches and the measures taken to remedy them, and the conclusions of the controller (for example, why the controller thinks the breach is not reportable, or if the breach was reported late, the reason for the delay).
It is not necessary to notify the supervisory authority of a breach that probably does not pose a risk to the rights and freedoms of natural persons.
If the personal data breach is likely to involve a high risk for the rights and freedoms of the controller’s buyers, customers and partners, it will immediately inform the relevant partner. In the information given to the data subject, the nature of the personal data breach must be clearly and comprehensibly described, and the most important information and measures must be communicated.
The data subject does not need to be informed as above if any of the following conditions are met:
- the controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the personal data breach, in particular those measures that make the data unintelligible to persons not authorized to access personal data;
- after the personal data breach, the controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future;
- providing information would require a disproportionate effort. In such cases, the data subjects must be informed through public information, or a similar measure must be taken that ensures similarly effective information to the data subjects.
21. Information about the relevant legislation:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, GDPR);
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Information Act);
- Act V of 2013 on the Civil Code;
- Act C of 2000 on accounting (Accounting Act);
- Act CLV of 1997 on consumer protection.
22. Right to go to court:
In the event of a violation of his rights, the data subject may apply to the court against the controller. The court deals with the case as a matter of priority.
23. Official procedure in data protection cases:
A complaint may be filed to the Hungarian National Authority for Data Protection and Freedom of Information:
Name: | Hungarian National Authority for Data Protection and Freedom of Information |
Registered seat: | 1055 Budapest, Falk Miksa u. 9-11. |
Mailing address: | 1363 Budapest, Pf. 9. |
Phone: | 0613911400 |
Fax: | 0613911410 |
Email: | ugyfelszolgalat@naih.hu |
Website: |
- Other provisions:
The controller provides information on any processing not listed in this information when the data is collected. In such cases, the provisions of the applicable legislation must govern.
The controller hereby informs its buyers and customers that the court, the prosecutor, the investigating authority, the administrative authority, the Hungarian National Authority for Data Protection and Freedom of Information, the Hungarian National Bank, or other bodies authorized by law may contact the controller to provide information, data, or documents. If the authority has indicated the exact purpose and the scope of the data, the controller will only release personal data to the authorities to the extent that is absolutely necessary to achieve the purpose of the request.
The website of the Data Protection Authority contains additional information about the data protection rights referred to in this Privacy Notice.
Budapest, 10 January 2024
Dániel Neustadtl,
Managing Director
APPENDIX NUMBER 1
No. | Processed personal data | Purpose of processing | Legal basis for processing | Deadline for erasing personal data |
1. | Personal data provided during shopping in the online store (name, address, email address, phone number). | For fulfilling contractual obligations and maintaining contact. | Performance of a contractual obligation (Article 6 (1) b) of the General Data Protection Regulation) and then of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation), pursuant to Article 169 of Act C of 2000. | Within 30 days of the expiration of the statutory retention time (8 years). |
2. | Personal data of the contact person of the legal entity (name, email address, telephone number) provided during the purchase in the online store. | For fulfilling contractual obligations and maintaining contact. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | If the consent is withdrawn, immediately, and in any case no later than within 30 days. Within 30 days after the completion of the contract, unless the law provides for a retention obligation in relation to the contract (within 30 days after the completion of the obligation). |
3. | In the case of a request for offer, the personal data of the natural person or sole trader (name, email address, phone number). | In order to make offers and maintain contact. | Creation of the contract (Article 6 (1) b) of the General Data Protection Regulation). | If the offer is rejected, the personal data of the data subject will be erased immediately, but no later than within 30 days from the rejection of the offer. If the party requesting the offer does not send feedback regarding the offer, within 60 days of sending the offer. |
4. | Personal data of the contact person of the legal entity (name, email address, telephone number) provided during a request for offer. | In order to make offers and maintain contact. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | If the consent is withdrawn, immediately, and in any case no later than within 30 days. If the offer is rejected, without delay and at the latest within 30 days of the rejection of the offer. If the person requesting the offer does not send a reply to the offer, within 60 days of the date of sending the offer. |
5. | Personal data acquired during the contractual relationship in the case of a natural person or sole trader (name, address, email address, telephone number). | For fulfilling the contract and maintaining contact. | Performance of a contractual obligation (Article 6 (1) b) of the General Data Protection Regulation) and then of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation), pursuant to Article 169 of Act C of 2000. | Within 30 days of the expiry of the regulatory retention time (8 years). |
6. | Contact person’s personal data (name, email address, phone number) obtained during a contractual relationship with a legal entity. | For fulfilling the contract and maintaining contact. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | If the consent is withdrawn, immediately, and in any case no later than within 30 days. Within 30 days after the termination of the contract, unless the law provides for a retention obligation in relation to the contract (within 30 days after the expiry of the obligation). |
7. | Personal data provided when registering for the workshops (name, address, email address, phone number). | To complete the registration, ensure the possibility of contact with the person concerned, and organize the workshop. | Performance of a contractual obligation (Article 6 (1) b) of the General Data Protection Regulation) and then of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation), pursuant to Article 169 of Act C of 2000. | Within 30 days of the expiry of the regulatory retention time (8 years). |
8. | Personal data included in the invoice issued to buyers or customers (natural persons or sole traders). | Fulfilling the obligation written in legislation, in order to issue the invoice. | Performance of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation), pursuant to Article 169 of Act C of 2000. | Within 30 days of the expiry of the regulatory retention time (8 years). |
9. | Processing related to incoming emails (senders’ email addresses) and telephone numbers. | In order to fulfil a contractual obligation or on the basis of consent. | Performance of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation), or consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | Within 30 days after the fulfilment of the contractual obligation, or immediately after withdrawal of consent, but no later than 30 days. |
10. | Personal data of suppliers, service providers, subcontractors (in the case of natural persons or sole traders). | For fulfilling the contract and maintaining contact. | Performance of a contractual obligation (Article 6 (1) b) of the General Data Protection Regulation) and then of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation), pursuant to Article 169 of Act C of 2000. | Within 30 days of the expiry of the regulatory retention time (8 years). |
11. | Personal data of contact persons of suppliers and subcontractors. | For fulfilling the contract and maintaining contact. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | If the consent is withdrawn, immediately, and in any case no later than within 30 days. Within 30 days after the termination of the contractual relationship, unless the law provides for a retention obligation in relation to the contract (within 30 days after the expiry of the obligation). |
12. | Personal data recorded during data collection of cookies managed by the website. | To enhance the user experience, to improve the website, and for statistical purposes. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | If the consent is withdrawn, immediately, and in any case no later than within 30 days. |
13. | Personal data provided when using the contact form on the website (name, email address). | In order to establish contact. | For the creation of the contract (Article 6 (1) b) of the General Data Protection Regulation). | Immediately after contact, but no later than 30 days after contact, unless a contractual relationship is established. |
14. | Personal data presented during the publication of opinions (e.g. name). | To promote the activity and services. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | Immediately after withdrawal of consent, and in any case within 30 days. |
15. | Personal data published on the website during the presentation of the cooperating partner (e.g. name, image). | For the purpose of presenting the cooperating partner. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | Immediately after withdrawal of consent, and in any case within 30 days. |
16. | Personal data (email address) provided when subscribing to the newsletter. | In order to send a newsletter. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | Immediately after withdrawal of consent, and in any case within 30 days. |
17. | Personal data that comes to the knowledge of the controller during the use of the social media site. | To promote products, services and activities. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation). | Immediately after withdrawal of consent, and in any case within 30 days. |
18. | Processing of personal data of participants and winners of the sweepstakes. | To conduct the sweepstakes and the draw, select and notify the winner, and deliver the prize. | Consent of the data subject (Article 6 (1) a) of the General Data Protection Regulation), and then performance of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation), pursuant to Article 169 of Act C of 2000. | Taking into account the statutory retention time (8 years), within 30 days after the end of the obligation. |
19. | Personal data disclosed during complaint handling. | In order to identify and handle the complaint. | Performance of a legal obligation (Article 6 (1) c) of the General Data Protection Regulation), pursuant to Act CLV of 1997. | Within 30 days of the expiration of the statutory retention time (3 years). |