Privacy Policy


I. Introduction

The aim of this Prospectus is to provide the principles of protecting and processing data applied by Rita Cseppentő small-scale entrepreneur (6767 Ópusztaszer Pusztaszeri Major 102, PID# 912905TA) and Zsombor Cseppentő internet parcel retailer (6767 Ópusztaszer Pusztaszeri Major 106, PID# 648735HE), which they, as data controllers, recognise as binding on themselves.

In formulating the provisions of the Prospectus, the organisation took special account of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act CXII of 2011 on the right to informational self-determination and on the freedom of information (“Info Act”), Act V of 2013 on the Civil Code (“Ptk.”) and Act XLVIII of 2018 on the basic conditions and certain limitations of commercial advertising (“Grtv.”).

The scope of the present Prospectus on processing data shall be applied to the data processing activities related to the websites under the domain of (hereinafter: “Website”). The Prospectus on data processing shall be valid until withdrawal.


II. Interpretative provisions

Data subject: a natural person being identified or – directly or indirectly – identifiable based on any defined personal information.

Personal data: data being connectable to the data subject – especially the name, identifier or one or more physical, physiologic, mental, economic, cultural, or social factors specific to the data subject – and the result which derives from the data and is connectable to the data subject.

Sensitive data: the data relating to racial origin, national and ethnic origin, political opinion, party position, religious or other worldview, trade union membership, health situation, pathological passion, sexual life, and criminal personal data.

Consent: the freely given, specific indication of the data subject’s wishes, which is based on adequate information, by which he signifies agreement to the processing of personal data relating to him, whether comprehensive or limited to certain operations.

Objection: the indication of the data subject, by which he disputes the processing of his personal data, and he requests the termination of processing personal data and requests the deletion of the processed data.

Dataset: all data processed in a single registry.

Controller: the natural or legal person, or organisation having no legal personality, which, alone or jointly with others, determines the purposes of data processing, makes decisions concerning data processing (including the means used) and implements such decisions or has them implemented by a processor.

Processing: any operation or set of operations that is performed on data, regardless of the procedure applied; in particular collecting, recording, registering, organising, storing, modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking, erasing and destroying the data, as well as preventing their further use; taking photos and making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples and iris scans).

Data transfer: providing access to the data for a designated third party.

Disclosure: making the data accessible to anyone.

Data erasure: making the data unrecognisable in such a way that its restoration is no longer possible.

Data blocking: making the transmission, disclosure, modification, alteration, destruction, erasure, interconnection, or coordination and use of data impossible definitively or for a limited period of time.

Data destruction: the complete physical destruction of the data or the data-storage medium that contains the data.

Technical processing: performing technical tasks related to data management operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data.

Processor: a natural or legal person, or an organisation not having legal personality, which processes personal data based on a contract, including contracts concluded based on a provision of law.

Data source: the organ performing public duties, which generated the data of public interest that is to be published through electronic means, or during the operations of which such data was generated.

Data publisher: the organ performing public duties which, if the data source itself does not publish the data, uploads the data sent to it by the data source to a website.

Third party: a natural or legal person, or an organisation having no legal personality, other than the data subject, controller, or the processor.

Personal data breach: unlawful processing or technical processing of personal data, in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction and damage.


III. Name of the controllers

III.1. For the purposes of this Data Protection and Data Security Policy, Data Controllers are:

Name (Controller1): Rita Cseppentő
Seat (Controller1): 6767 Ópusztaszer Pusztaszeri Major 102.
Tax no. (Controller1):

Name (Controller2): Zsombor Cseppentő
Seat (Controller2): 6767 Ópusztaszer Pusztaszeri Major 106.
Tax no. (Controller2):

Phone no.: +36-30-638-8318
Represented by: Rita Cseppentő, Zsombor Cseppentő

The Controllers operate the Website, which introduces the services provided and the products distributed by the Controllers.

III.2. Processors
For the engagement of the processor, the prior consent of the data subject is not necessary, but the data subject must be informed. Based on this, we provide the following information:

Data processing activities related to web hosting services:
Name of the processor: C-Host Kft.
Seat of the processor: 1115 Budapest, Halmi utca 29.
Phone no. of the processor: +36 (1) 445-2040
E-mail address of the processor:

Processing of all personal data provided by the data subject on the website for the website to function properly.

Duration of data management, deadline for deleting data: It lasts until the termination of the agreement between the Service Provider and the Hosting Provider, or until the cancellation request of the data subject to the Hosting Provider.

Data processing activities related to e-mail:
Name of the Processor: Google, Mountain View, California, United States
Seat of the Processor: Ireland, Dublin, Barrow Street 4
E-mail address of the Processor: –

The Controllers use the Processor’s Google Mail service under a contract with the Processor, which helps the Controller to carry out electronic mailing.


IV. Guaranteeing the lawfulness of the data processing

If the Controllers wish to perform data processing based on consent, the consent of the data subject for the processing of personal data shall be requested on the data request form. The Controllers primarily record the data directly from the data subject. The Controllers are not responsible for the authenticity and accuracy of the data provided by the data subject.

Consent shall also be deemed to have been given if the data subject has ticked the appropriate box when viewing the Controllers’ website, has made technical adjustments when using information society services, or has made any statement or taken any action that, in the given context, clearly indicates the data subject’s consent to the intended processing of his or her personal data.

The consent shall cover all data processing activities carried out for the same purpose or purposes.

In the case of data processing based on a legal obligation, the scope of the data that can be processed, the purpose of the data processing, the duration of data storage, and the recipients are regulated by the provisions of the underlying legislation. Data processing based on the fulfilment of a legal obligation is independent of the data subject’s consent, as the data processing is defined by law. The data subject shall be informed clearly and in detail of all facts relating to the processing of his or her data before the processing begins. The information shall also cover the data subject’s rights and the possibilities of remedies. In case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions.

The interests of the Controllers may provide a legal basis for data processing, provided that the interests, fundamental rights, and freedoms of the data subject do not take precedence. The reasonable expectations of the data subject based on his or her relationship with the Controllers concerned shall be considered, so the processing of personal data for contact or even direct business purposes may be based on a legitimate interest.

The Controllers are obliged to ensure the exercise of the rights of the data subject during all data processing.

The place of data processing: Paper documents are kept in all cases by Rita Cseppentő and Zsombor Cseppentő.


V. The range of processed data

The Processor processes the following data of the data subject:

  1. Data necessary for ordering: name, phone number, email, billing address, shipping address, VAT number. Providing these data is mandatory when ordering any products; the contract cannot be concluded in the absence of these data. The purpose of data processing: taking orders, delivering the ordered goods, issuing an invoice in accordance with the law and fulfilling the obligation to keep accounting documents. Based on Section 169 paragraphs (1)-(2) of the Sztv., companies must keep accounting records directly and indirectly in support of their accounts.
  2. Contact information: name, email. The provision of data is used to establish contact between the data controllers and the data subject. If the data subject does not provide any of his or her contact details, the data controllers will not be able to contact him or her and will not be able to provide the service.

Purpose of data processing: contacting, keeping in touch, communicating information, requesting information.


VI. Processing the data of the visitors on the website of the company – on the application of cookies

  1. The Controllers apply cookies on certain areas of the Website. Visitors to the website shall be informed that the website uses cookies and, with the exception of technically essential session cookies, consent must be sought.
  2. A cookie is a piece of data that a visited website places in the browser on the visitor’s device. Cookies are therefore stored on the user’s computer. Cookies are widely used for the efficient operation of websites or the provision of web services and functions. Cookies may be “temporary” or “permanent”. The temporary cookie is stored by the browser only until the end of the current session; it is automatically deleted when the browser is closed. The permanent (persistent) cookie is not deleted by the browser at the end of the given session, but is stored until a certain time, provided that the user does not delete it before the specified time expires.

Since individuals can be associated with online IDs, such as IP addresses and cookie IDs, provided by the devices, applications, and protocols they use, this data, in combination with other information, is suitable and can be used to create a profile of natural persons and to identify that person.

Cookies are also suitable for remembering settings, so the user does not have to re-enter them when opening a new page; for remembering previously entered data, so it does not need to be re-typed; for analysing the use of the website so that, as a result of the improvements made using the information thus obtained, it works as far as possible in accordance with the user’s expectations and the user can easily find the information they are looking for; and for monitoring the effectiveness of our ads.

If the Data Controller displays various contents on the Website using external web services, this may result in the storage of some cookies that are not controlled by the Data Controller, so it has no influence on what data these websites or external domains collect. These cookies are described in the regulations for the given service. The user can set their web browser to accept all cookies, reject them all, or notify the user when a cookie arrives on their machine. The setting options are usually found in the “Options” or “Settings” menu of the browser. Detailed information at in English will also help with settings in different browsers.

Main features of cookies applied by the website:

A. Cookies necessary for the operation of the website: These cookies are essential for the usage of the website and allow you to use the basic functions of the website. The lifespan of these types of cookies differs: wp_woocommerce_session_* and yith_ywraq_session_* cookies are persistent cookies with a lifespan of 48 hours; other cookies of this category are limited to the duration of the session only.

  • Borlabs Cookies – these are placed by the Borlabs Cookies module. These cookies are used to manage cookies on our website in accordance with the GDPR.
    Names of cookies: borlabsCookie, borlabsCookieUnblockContent
  • WooCommerce cookies – these are placed by the WooCommerce module. These cookies are needed by the WooCommerce module to enable online shop functionalities on the website.
    Names of cookies: wc_cart_hash_*, wc_fragments_*, wp_woocommerce_session_*
  • Cookies placed by the YITH request a quote module. These cookies are needed to send your order inquiry.
    Names of cookies: yith_ywraq_session_*, yith_ywraq_hash, yith_ywraq_items_in_raq
  • PHPSESSID – this cookie is native to PHP and enables websites to store serialised state data. It is used to establish a user session and to pass state data via a temporary cookie.


B. Preferences cookies – these cookies allow a website to remember choices you have made in the past.

  • Cookie placed by the YITH WooCommerce Wishlist module. This cookie remembers which products you have placed on your wishlist. This is a persistent cookie with a lifespan of 48 hours.
    Name of cookie: yith_wcwl_session_*


Accepting the usage of cookies and permitting them is not mandatory. Visitors to the website can reset their browser settings to reject all cookies or to indicate when a cookie is being sent. Note that some website features or services may not work properly without cookies.


VII. The rights of the data subject

The rights and possibilities of remedy of the data subject are set out, and communicated to the data subjects, on the basis of Act CXII of 2011 and Regulation (EU) 2016/679 as follows. The Data Controller draws the attention of the data subjects to the fact that the data subject may exercise his or her rights by sending a request to the e-mail address or through other contact details of the Data Controller.

The Data Controllers shall provide the data subject with all information relating to the processing of personal data in a concise, transparent, comprehensible, and easily accessible form, using clear wording. Information shall be given in a written or other form. The Data Controllers shall facilitate the exercise of the data subject’s rights. The Data Controllers shall, without undue delay, but in any case within one month of receipt of the request, inform the data subject of the action taken on his or her request to exercise his or her rights. This period may be extended by a further two months under the conditions laid down in the Regulation. If the Data Controllers do not act on the data subject’s request, they shall inform the data subject of the reason for the non-action without delay, but no later than within one month from the receipt of the request. Detailed rules may be found in Article 12 of the Regulation.

1. Right to information (“right to access”)
Based on Act CXII of 2011 and Article 15 of Regulation (EU) 2016/679, the Data Controllers shall provide information on the request of the data subject about every fact relating to the processing of the data subject’s personal data, in particular:

  • whether data processing is based on his or her consent or is required by law,
  • the aim of data processing and its legal basis,
  • the person entitled to process or control personal data,
  • the interval of data processing, and
  • who can get to know the data.


2. Right to rectification: The data subject may request that the Data Controllers rectify inaccurate personal data concerning him or her, and have incomplete personal data completed. Article 16 of the Regulation contains these rules.

3. Right to erasure (“right to be forgotten”): The data subject may withdraw his or her consent to the processing of his or her personal data, and he or she may request the erasure of the data. The Data Controllers shall only have the right to deny this request if the processing is based on law. If the provisions of point VIII.5. are met, the Data Controllers are obliged to erase the personal data concerning the data subject without undue delay.

4. Right to restriction of processing: Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The data subject shall have the right to restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject

b) the processing is unlawful

c) the controllers no longer need the personal data for the purposes of the processing

d) the data subject has objected to processing

5. Objection

The data subject shall have the right to object to processing his or her personal data, including profiling, if

a) the processing (transmission) of personal data is necessary only for the enforcement of the right or legitimate interest of the Data Controllers or the data recipient, unless the data processing has been ordered by law;

b) the use or transfer of personal data is for the purpose of direct business acquisition, public opinion polling or scientific research;

c) the exercise of the right to object is otherwise permitted by an act.

With the simultaneous suspension of data processing, the Data Controllers shall examine the objection as soon as possible, but not later than within 15 days from the submission of the request and shall inform the applicant in writing of the result.

If the applicant’s objection is justified, the Data Controllers shall terminate the data processing, including further data collection and data transfer, and block the data, and shall notify all persons to whom the personal data concerned by the objection have previously been transmitted, and who are obliged to take action in order to enforce the right to object, of the objection and the measures taken on the basis thereof.


6. Informing the data subject about a personal data breach
If the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controllers shall inform the data subject of the personal data breach without undue delay. This information shall clearly and intelligibly describe the nature of the personal data breach and shall include at least the following:


  • the name and contact details of the contact person providing the information
  • the likely consequences of personal data breach
  • measures taken or planned to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences arising from the personal data breach.


The data subject need not be informed if the controller has implemented adequate technical protection, has taken further action following the personal data breach to ensure that the high risk to the data subject’s rights is no longer likely to materialise, and providing the information would require a disproportionate effort. Article 34 of the Regulation prescribes further provisions.

7. Remedy
If the data subject considers that his or her rights have been infringed during the processing of the data, he or she may lodge a complaint with:

National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone no.: +36 (1) 391-1400
Fax: +36 (1) 391-1410

These rules are prescribed in Article 77 of the Regulation.

All data subjects shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments or the outcome of the complaint lodged. Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the authority is situated. These rules are prescribed in Article 78 of the Regulation.

If the data subject does not agree with the decision of the Data Controllers, or the Data Controllers fail to comply with the referred deadline, he or she is entitled to apply to a court within 30 days of its notification. The court shall hear such cases as a matter of priority. The Data Controllers are obliged to prove that the data processing complies with the provisions of the law. These rules are prescribed in Article 79 of the Regulation.