Privacy policy

PRIVACY STATEMENT ON THE PROCESSING OF PERSONAL DATA

Legal basis for processing:

The data controller of the website hu.lovely-professional.com is LOVELY EU OÜ.

The processing of personal data is governed by the Act on the Right of Informational Self-Determination and Freedom of Information (2011. évi CXII. Tv. Article 5 (1) a) of the Freedom of Information and Freedom of Use Act of 2011. It is also lawful to process data subject to the consent of the data subject pursuant to Article 6(1)(a) of Regulation 2016/679 of the European Parliament and of the Council (GDPR).

Taking into account the fact that the personal data was collected with the consent of the user, pursuant to Article 6 (5) of the GDPR, the controller may process the collected data for the purpose of complying with a legal obligation to which the data subject is subject, unless otherwise provided by law, or for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and after the withdrawal of the data subject’s consent.

Data processed

The data controller processes the following data provided – consent is given by using the website, by registering or by voluntarily providing the data in question for each processing.

1)        Our server log files store information that your browser sends to us. This information includes:

– browser type/version,

– operating system used,

– referrer URL (URL of the previously visited page),

– host name (IP address) of the accessing computer,

– the exact time of the server

These data are not stored in a personalised way. We do not add this data to other data sources. Your IP address will be deleted from hu.lovely-professional.com immediately after the end of each visit. The User may enforce his/her rights before a court of law pursuant to Info.tv. and the Civil Code (Act V of 2013) or may contact the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; http://www.naih.hu/).

2)        COOKIES: cookies are small text files that are saved by your computer and browser. Cookies allow our systems and your browser to control the frequency with which, for example, special promotions are advertised. Cookies thus allow us to tailor our Internet offerings to your needs.

On hu.lovely-professional.com, we collect anonymous data in several places using so-called “persistent cookies” for marketing and optimization purposes. This data helps us to identify the specific needs of individual customer groups. The data is not used to personally identify the online shop visitor. You can, of course, opt-out of this use of your data for the purpose of optimising our offer at any time by contacting us at any of the contact details below.

The “Help” function in the menu bar of most browsers will explain to you how to tell your browser not to allow cookies, how to accept new cookies, how to instruct your browser to set a new cookie or how to turn off other cookies. However, we recommend that you leave your cookies turned on in their entirety, as this is the only way to tailor our advertising offerings to your needs.

The cookies used on hu.lovely-professional.com do not cause any damage to your computer and do not contain any viruses.

3)        Measuring codes: information about our customers is very important to us and helps us to continuously improve our website. For this reason, we use Google Analytics metrics on our pages. This allows us to see which pages our customers are visiting and what they are doing. These items help us to get to know our customers better and to make site navigation at hu.lovely-professional.com more enjoyable.

Purpose of data processing

Contact us via the “callback” and “become a partner” forms.

We will also use your data for our own marketing purposes, subject to your specific consent. We will only send advertising or promotional (newsletter) emails to the email addresses you provided during registration with your explicit consent, in cases and in a manner that complies with legal requirements.

You can object to the use of your data at any time by sending a short written message to any of the contact details below.

The data will be primarily accessible to the staff of LOVELY EU OÜ, but will not be disclosed or transferred to third parties.

The transfer of personal data may only take place in the cases provided for by law or with your explicit consent.

Duration of processing

The processing of personal data provided when filling in the recall order and affiliate forms starts from the moment the form is sent. In the case of non-essential data, processing continues from the time the data is provided until the request for erasure is submitted. Personal data may be deleted by the Service Provider at any time.

User data stored in the server log of hu.lovely-professional.com will be kept for up to 185 days – however, during this period you may request the deletion of your data at any time, which will be guaranteed by a data deletion declaration.

The above provisions are without prejudice to the fulfilment of legal obligations (e.g. accounting legislation) to retain data, or to the processing of data on the basis of additional consent given during registration on the website or otherwise.

Data security

The Data Controller will take all necessary steps to ensure the security of personal data provided by users, both during network communication and during storage and retention.

When transmitting data, we provide you with the so-called SSL (Secure Socket Layer) security procedure with 256-bit encryption. This technology guarantees the highest level of security, which is why banks, for example, use it for their online banking services. You can recognise encrypted data transmission by the fact that a locked key or padlock symbol appears on the screen. The connection is encrypted with High-Grade-Encryption (AES-256 256 bit) and the key exchange is done with RSA 1024 bit algorithm.

The data processed will not be transferred to third countries or international organisations.

Possibility of unilaterally amending the privacy statement

The data controller reserves the right to unilaterally modify this privacy statement, with prior notice to users. Once the amendment has entered into force, the user accepts the amended privacy statement in force by his/her own free will. The amendment shall not affect the data protection obligations provided for by law.

User rights and their enforcement

The data subject may request the controller to a) inform him/her about the processing of his/her personal data, b) rectify or restrict the processing of his/her personal data, and c) erase or block his/her personal data, except for mandatory processing.

At the request of the data subject, the controller shall provide information on whether or not his or her personal data are being processed and, if so, on the data processed by the controller or by a processor to whom the controller or the processor has delegated the processing, the source of the data, the purposes of the processing and the categories of personal data concerned, the envisaged duration of storage, the name and address of the data processor and his or her activities in relation to the processing, the circumstances of the personal data breach, its effects and the measures taken to remedy it and, in the case of a transfer of personal data of the data subject, the legal basis and the recipient of the transfer. The controller shall provide the data subject with a copy of the personal data which are the subject of the processing, for which service the controller may charge a reasonable fee based on administrative costs. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

The controller shall keep a register for the purpose of monitoring the measures taken in relation to the personal data breach and informing the data subject, which shall include the scope of the personal data concerned, the number and categories of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the legislation providing for the processing.

A data controller subject to the Electronic Communications Act may also fulfil the obligation set out in the above paragraph by keeping a register of personal data breaches as provided for in the Electronic Communications Act.

The data controller shall provide the information in writing in an intelligible form within the shortest possible time from the submission of the request, but not later than one month. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The extension shall be notified by the controller to the user within one month of receipt of the request, stating the reasons for the delay. The information shall be provided free of charge if the person requesting the information has not yet submitted a request for information to the controller in the current year for the same set of data. In other cases, a fee may be charged. The amount of the fee may be fixed in a contract between the parties. Any compensation already paid shall be refunded if the data have been processed unlawfully or if the request for information has led to a correction. The data controller may refuse to provide the data subject with information only in the cases provided for in Article 9(1) and Article 19 of the Act.

In the event of refusal to provide information, the controller shall inform the data subject in writing of the provision of this Act on the basis of which the refusal to provide information was made. In the event that the controller does not act on the data subject’s request, the controller shall inform the user within a maximum of one month, stating the reasons for the failure to act. In the event of refusal to provide information or failure to act, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority).

The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her by the controller. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay and the controller shall be obliged to erase personal data relating to him or her without undue delay where one of the following grounds applies: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws the consent to the processing of personal data in accordance with Article 6. (b) the data subject has withdrawn his or her consent to the processing pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing; (c) the data subject has withdrawn his or her consent pursuant to Article 21. (d) the personal data have been unlawfully processed; (e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject; (f) the personal data have been collected in connection with the provision of information society services referred to in Article 8(1) of the GDPR. Where the controller has disclosed the personal data and is required to erase it pursuant to the above paragraph, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question.

The above shall not apply where the processing is necessary: a) for the exercise of the right to freedom of expression and information; b) for compliance with an obligation under Union or Member State law to which the controller is subject to fulfil an obligation to process personal data or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for the exercise of a task carried out in the exercise of official authority vested in the controller by virtue of Article 9 of the GDPR; d) for the exercise of the right to inform the data subject about the processing of personal data; e) for the exercise of the rights referred to in Article 9 of the GDPR. (d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1), where the right of erasure would be likely to render impossible or seriously impair such processing; or (e) for the establishment, exercise or defence of legal claims. The data subject shall have the right to obtain, at his or her request, restriction of processing by the controller where one of the following conditions is met: (a) the data subject contests the accuracy of the personal data, in which case the restriction shall be for the period of time necessary to allow the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use; (c) the controller no longer needs the personal data for the purposes of the processing but the data subject requests the restriction for the establishment, exercise or defence of legal claims; or (d) the data subject has been informed of the processing for the purposes of Article 21 of the GDPR. (d) the data subject has objected to the processing pursuant to Article 21(1) of the GDPR; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject. Where processing is subject to a restriction as referred to above, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State. The controller shall inform in advance the data subject at whose request the processing has been restricted on the basis of the above of the lifting of the restriction.

Rectification, restriction and erasure must be notified to the data subject and to all recipients to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of those recipients at his or her request.

In the context of the present processing, the data subject shall have the right to obtain the personal data relating to him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance by the controller, since the processing is based on consent; and the processing is automated. In exercising the right to data portability, the data subject has the right to request, where technically feasible, the direct transfer of personal data between controllers. This right must not adversely affect the rights and freedoms of others.

In the context of the present processing, the data subject should not be entitled to be excluded from the scope of a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, given that the processing is based on the data subject’s explicit consent. However, the controller must take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. The information provided to the data subject shall clearly and prominently describe the nature of the personal data breach and shall include at least the information and measures referred to in Article 33(3)(b), (c) and (d) of the GDPR. The data subject need not be informed if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures and those measures have been applied in relation to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data; (b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise; (c) the provision of information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by means of a similar measure which ensures that the data subjects are informed in an equally effective manner.

Where the controller does not comply with a data subject’s request for rectification, blocking or erasure, it shall, within 30 days of receipt of the request, provide in writing the factual and legal reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.

The above rights of the data subject may be restricted by law in the interests of the external and internal security of the State, such as defence, national security, the prevention or prosecution of criminal offences, the security of law enforcement, the economic or financial interests of the State or of a local authority, the important economic or financial interests of the European Union, the prevention and detection of disciplinary or ethical offences in connection with the exercise of the profession, infringements of labour law or of the protection of the rights of others, including in all cases control and supervision, and the protection of the rights of the data subject or of others.

The data subject may object to the processing of his or her personal data (a) where the processing or transfer of the personal data is necessary for the fulfilment of a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by the controller, the recipient or a third party, except in cases of mandatory processing; (b) where the personal data is used or transferred for direct marketing, public opinion polling or scientific research; and (c) in other cases provided for by law.

The controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide whether the objection is justified and inform the applicant in writing of its decision.

If the controller establishes that the data subject’s objection is justified, the controller shall terminate the processing, including further collection and further transmission, and block the data, and notify the objection and the action taken on the basis of the objection to all those to whom the personal data concerned by the objection have been previously disclosed and who are obliged to take measures to enforce the right to object.

If the data subject disagrees with the decision of the controller or if the controller fails to comply with the time limit, the data subject may, within 30 days of the notification of the decision or the last day of the time limit, have recourse to the courts.

If the data subject does not receive the data necessary to exercise his or her rights because he or she objects, he or she may, within 15 days of the notification, take legal action against the controller in order to obtain the data. The controller may also take the data subject to court.

If the controller fails to give the notification, the data subject may request the controller to provide information on the circumstances surrounding the failure to disclose the data, which the controller shall provide within 8 days of the service of the data subject’s request. In the event of a request for clarification, the data subject may bring an action against the controller before a court within 15 days of the date on which the clarification was provided, but no later than the time limit for the provision of clarification. The controller may also bring legal proceedings against the data subject.

The controller may not erase the data subject’s data if the processing is required by law. However, the data may not be transferred to the data recipient if the controller has consented to the objection or the court has ruled that the objection is justified.

The data subject may take the controller to court if his or her rights are infringed. The court shall rule on the case out of turn.

It is for the controller to prove that the processing complies with the law. It is for the recipient to prove the lawfulness of the transfer to him.

The county court, in the capital city the Metropolitan Court (hereinafter together referred to as the county court) has jurisdiction to hear the case. The action may also be brought, at the option of the person concerned, before the county court of the place of residence or domicile of the person concerned.

A person who does not otherwise have legal capacity may also be a party to the proceedings. The Authority may intervene in the proceedings in order to ensure that the person concerned is successful.

If the court grants the application, the controller shall be ordered to provide the information, rectify, block or erase the data, annul the decision taken by automated processing, take account of the data subject’s right to object or disclose the data requested by the data subject.

If the court rejects the data subject’s request, the controller shall erase the personal data of the data subject within 3 days of the notification of the judgment. The controller must also delete the data if the data subject does not apply to the court within the time limit.

The data controller:

LOVELY EU OÜ.

The website hu.lovely-professional.com is operated by LOVELY EU OÜ.

Company name: LOVELY EU OÜ.

Address: Estonia, Ida-Viru maakond, Jõhvi vald, Jõhvi linn, Jaama tn 26, 41532

IBAN: EE731010220286617223

SWIFT: EEUHEE2X

Phone number: +372 58158908

E-mail: info@lovely-lash.pro

Become a partner