fivestarhorse.exchange

Data controller and legal background to data processing

In case of the data processing contained in this Data Protection and Cookie Notice, Five Star Horse Kft. (registered office: 1174 Budapest, Katlan utca 29., email address: info@fivestarhorse.auction) is the data controller ("Data Controller").

The Data Controller has designed its data processing in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR").

Data processing related to registration and user accounts

1.1. Purpose of the data processing: the purpose of registration is to create a user account through which the data subject can participate in the auction and use the services of the Data Controller.

1.2. Personal data processed: data processing includes name, email address, password, telephone number, country, postal code, city, address and preferred language.

1.3. Legal basis of the data processing: the legal basis for processing is the data subject's consent [Article 6(1)(a) GDPR]. The data subject may withdraw his or her consent at any time by cancelling his or her registration.

1.4. Duration of the data processing: the Data Controller processes personal data until the withdrawal of the data subject's consent (deletion of his/her registration).

Data processing in relation to the conduct of the auction

2.1. Purpose of the data processing: to register the bid (offer) of the data subject, to determine the winner of the auction, to connect the data subject with the seller of the horse, to conclude a contract with the data subject, to issue an invoice and to process the payment of the purchase price of the horse purchased.

2.2. Personal data processed: the data processing covers the name, email address and billing data of the data subject. Where a written contract is concluded regarding sale between the Data Controller and the data subject, the processing includes the data subject's address, place and date of birth and the name of his/her mother.

2.3. Legal basis of the data processing: processing is necessary for the purposes of taking steps at the request of the data subject in order to conclude the contract or to perform the contract concluded [Article 6(1)(b) GDPR].

2.4. Duration of the data processing: the Data Controller shall keep the sales contracts until the general limitation period for civil law claims, in principle 5 years.

2.5. Transfer of the data: the Data Controller transfers the personal data of the data subject who wins the auction to the person or company that sells the horse to the data subject.

Data processing in relation to the fulfilment of an accounting obligation

3.1. Purpose of the data processing: to fulfil the Data Controller's legal obligation to keep accounting records supporting the accounting statements.

3.2. Personal data processed: the data processing covers the name, billing address, the name of the object of the sale and the amount of the purchase price of the data subject.

3.3. Legal basis of the data processing: the legal basis for processing is the fulfilment of a legal obligation [Article 6(1)(c) GDPR]. The accounting obligations of the Data Controller are based on Act C of 2000 on Accounting, while the obligation to issue invoices is based on the provisions of Act CXXVII of 2007 on Value Added Tax.

3.4. Duration of the data processing: the Data Controller stores personal data for 8 years.

Data processing related to the sending of a newsletter

4.1. Purpose of the data processing: to send information to the data subjects about auctions, the services of the Data Controller, events organised by the Data Controller and news concerning the Data Controller or related to its activities.

4.2. Personal data processed: data processing covers the name and e-mail address of the data subject.

4.3. Legal basis for processing: the legal basis for processing is the data subject's consent [Article 6(1)(a) GDPR]. The data subject may withdraw his or her consent at any time.

4.4. Duration of the data processing: the Controller processes personal data until the withdrawal of the data subject's consent.

Data processing in relation to participation in an event organised by the Data Controller

5.1. Purpose of the data processing: to record the data subject's intention to participate in an event organised by the Data Controller (e.g. a professional discussion or presentation) and to contact the data subject in connection with the event.

5.2. Personal data processed: the Data Controller records the name, e-mail address and telephone number of the data subject in connection with the registration for an event.

5.3. Legal basis of the data processing: the legal basis for processing is the data subject's consent [Article 6(1)(a) GDPR]. The data subject may withdraw his or her consent at any time.

5.4. Duration of the data processing: the Data Controller will delete the personal data after the event.

Data processing related to posts and videos published on the website, social networking sites

6.1. Purpose of the data processing: the Data Controller may report on auctions or other events organised by the Data Controller, or news concerning the Data Controller or related to its activities, in posts, articles, interviews, videos on its website or on its profile page on social networking sites (including in particular Facebook, Instagram, YouTube). The purpose of the processing is to raise the profile of the Data Controller and to promote its activities and services.

6.2. Personal data processed: the processing typically covers the following personal data:

the image of the person featured in the post, article, interview or video,
where the data subject has given a statement to the controller, the name of the data subject, in the case of video recording, the voice of the data subject,
personal data provided by the data subject in posts, articles, interviews or videos.

6.3. Legal basis of the data processing: the legal basis for processing is the legitimate interest of the Data Controller [Article 6(1)(f) GDPR]. The Data Controller has a legitimate interest in presenting auctions and events organised by the Data Controller and in providing information about news concerning the Data Controller or related to its activities. In this way, the Data Controller is able to attract the interest of as many people as possible to the auctions or events, through which more people can participate in the auctions or events. In addition, the Data Controller promotes the name and activities of the company and increases its visibility through posts and videos on its website and social networking sites, which also play an important role in attracting more people to the auctions and events.

6.4. Duration of the data processing: in view of the fact that the posts, articles, videos are essentially content falling within the scope of freedom of the press, the Data Controller will ensure their availability until the Data Controller ceases to exist without successor.

Data processing in relation to the handling of complaints

7.1. Purpose of the data processing: if the data subject sends a complaint to the Data Controller about the website, the auction or the performance of the sale, the Data Controller will investigate the complaint and inform the data subject of the outcome of the investigation.

7.2. Personal data processed: the processing typically covers the following personal data:

the name of the data subject,
the contact details provided by the data subject to which the Data Controller will forward the response (email address, address),
the content of the complaint and the personal data provided by the data subject,
where the data subject submits a photograph or other document with the complaint, the photograph or document and the personal data contained therein,
the response to the complaint.

7.3. Legal basis of the data processing: the legal basis for processing in connection with complaint handling is the fulfilment of a legal obligation [Article 6(1)(c) GDPR]. The obligation to investigate the complaint of the data subject is defined in Act CLV of 1997 on Consumer Protection.

7.4. Duration of the data processing: the Data Controller will keep the data subject's complaint and the response for 3 years.

Data processing related to contact making

8.1. Purpose of the data processing: if the data subject has any questions about the auction or the activities of the Data Controller, other than a complaint, the Data Controller will answer them.

8.2. Personal data processed: the name of the data subject, his/her contact details (email address, home address) and the personal data provided by him/her in the request sent to the Data Controller.

8.3. Legal basis of the data processing: the legal basis for processing is the data subject's consent [Article 6(1)(a) GDPR]. The data subject may withdraw his or her consent at any time.

8.4. Duration of the data processing: the Data Controller shall store the data subject's request and the response for 3 years.

Processing of contact person details of a legal person

9.1. Purpose of the data processing: in the case of a contract between the Data Controller and a legal person, the parties appoint a contact person, mutually providing the other party with the personal data necessary for the contact. The purpose of the processing is to ensure the proper performance of the contract and to enable the contact person to be contacted.

9.2. Personal data processed: the name, position, email address, telephone number of the contact person of the legal person, as well as additional personal data provided by the contact person of the legal person to the Data Controller.

9.3. Legal basis of the data processing: the legal basis for processing is the legitimate interest of the Controller [Article 6(1)(f) GDPR]. The legitimate interest of the Controller is to be able to contact the contractual partner through its contact person in order to conclude or perform a contract or other business relationship.

9.4. Duration of the data processing: the contact details of the contact person will be used until the legal person designates another contact person. Where the Data Controller enters into a contract between the legal person and the contact details are included in the contract, the contract is kept until the general limitation period for civil law claims, in principle 5 years.

Companies involved in data processing

The Data Controller uses the services of the following companies as data processors in the course of its data processing:

"ARÁNY-ADÓ 96" Accounting and Financial Consulting Limited Liability Company, which performs accounting tasks for the Data Controller in connection with invoicing.
RACKFOREST ZRT. (email: info@rackforest.hu), which provides hosting services to the Data Controller in connection with the website.
The Data Controller uses the service of Intuit Mailchimp (https://mailchimp.com/contact) for data management in connection with sending newsletters.
The Data Controller uses Twilio (privacy@twilio.com) to confirm the telephone number provided at registration.
If the Data Controller sends an SMS to the data subject, it uses the services of LINK Mobility Hungary Kft. (fekete@linkmobility.com).

Cookies used on the Data Controller's website

11.1. The Data Controller uses cookies on its website to collect statistical data related to the proper functioning of the website and the use of the website. The user can decide whether or not to accept cookies when opening the website. The Data Controller uses the following cookies on its website:

Cookie Name

Category

Function

Duration

_ga

statistical

Google sets this cookie to calculate visitor, session and campaign data and to track website usage for the website analytics report. The cookie stores information in an anonymised form and assigns a randomly generated number to recognise unique visitors.

1 year 1 months four days

_gid

statistical

Google sets this cookie to store information about how visitors use the website, while also generating an analytics report on website performance. The data collected includes the number of visitors, their source and, in an anonymised form, the pages they visit.

24 hours

_gat

statistical

Google sets this cookie to limit the query rate, thus limiting data collection on high-traffic websites.

1 minute

YSC

necessary

YouTube sets this cookie to track the viewing of videos embedded on YouTube pages.

until closure of the browser

VISITOR_

INFO1_LIVE

necessary

YouTube sets this cookie to measure bandwidth, determining whether the user is viewing the video through the new or old playback interface.

6 months

VISITOR_

PRIVACY_METADATA

necessary

YouTube sets and remembers users' choices about cookies.

6 months

lang

necessary

LinkedIn sets this cookie to remember the user's language preference.

none

11.2. Managing and deleting cookies. You can delete or disable "cookies" in the browser programs you use. Browsers allow cookies by default. You can disable this in the browser settings and delete existing ones. However, you can also set the browser to notify the user when a cookie is sent to the device.

It is important to stress, however, that if the visitor does not accept these cookies, the website or certain parts of it may not be displayed or may be displayed incorrectly, making it impossible to use the website or fill in forms.

The options are usually found in the "Options" or "Preferences" menu of the browser. Each web browser is different, so please use the "Help" menu of your browser to find the right settings, or use the links below to change your cookie settings:

Data security measures

The Data Controller shall ensure the security of personal data and shall take all measures to prevent unauthorised access, alteration, disclosure, transmission, making public, erasure or destruction, accidental destruction or damage and inaccessibility resulting from changes in the technology used. The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The Data Controller's employees and processors shall be bound by the obligation of confidentiality with regard to the personal data they process and have access to.

Rights relating to data processing and the rules governing the exercise of those rights

13.1. Right of access. The data subject may request information about the processing of his or her personal data. In this case, the Data Controller shall inform the data subject of the personal data processed, the purposes for which the data are processed, the legal basis and duration of the processing, the data processors, the rights and obligations concerning the processing and the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter referred to as "the Authority"). The data subject may request a copy of his/her personal data.

13.2. Right to rectification. The Controller shall, at the request of the Data Subject, correct the personal data provided by the Data Subject, provided that the Data Subject certifies which of his or her personal data is inaccurate, for what reason, and what is the correct personal data.

13.3. Right to deletion. The Controller shall delete the personal data at the request of the Data Subject if,

the Data Subject requests it,
the personal data are no longer necessary for the purposes for which they were collected,
the data subject objects to the processing,
the personal data have been unlawfully processed,
the personal data must be erased in order to comply with a legal obligation to which the controller is subject.

13.4. Right to restriction. The data subject may request the blocking of his or her personal data if,

he data subject contests the accuracy of the personal data, for as long as the Controller verifies the accuracy of the data
the processing is unlawful, but the data subject opposes the erasure of the personal data and requests instead the restriction of their use,
the Controller no longer needs the personal data but the data subject requests the blocking of the data for the establishment, exercise or defence of legal claims,
where the data subject objects to the processing in accordance with point 18.6 of this notice, for the period of time during which the Controller complies with the objection.

13.5. Right to data portability. In the case of processing based on consent or on the performance of a contract, the data subject may request to receive his or her personal data in a commonly known format, in electronic form or to transmit the data to another controller. The Controller shall ensure that, upon the data subject's explicit request, it transfers his or her personal data directly to another controller designated by the data subject.

13.6. Right to object. If the data subject objects in a request to the Controller to the processing of his or her personal data on the basis of a legitimate interest, the Controller shall cease processing in respect of the data subject.

13.7. Common rules on the exercising of rights. The Data Subject may exercise his or her rights through the e-mail address or postal address indicated in the introduction to this Notice. The exercise of rights is free of charge. The Data Controller shall consider the Data Subject's request within a maximum of one month and inform the Data Subject of the action taken. If the request is refused, the Data Controller shall inform the Data Subject within one month of receipt of the request of the reasons for the refusal and of the right to lodge a complaint with the Authority and to exercise his or her right of judicial remedy.

The Data Controller reserves the right, where it has reasonable doubts as to the identity of the person making the request, to request the provision of information necessary to confirm the identity of the Data Subject.

Legal remedies

14.1. Investigation of the data subject's notification by the Data Controller. The Data Controller asks data subjects to notify the Data Controller if they consider that the processing does not comply with data protection requirements before taking the matter to the Authority or initiating legal proceedings. The Data Controller undertakes to investigate the substance of the data subject's notification within one month and, if justified, to take the necessary corrective measures. The Data Controller shall inform the data subject of its position and, if the allegation was well founded, of the measures taken to.

14.2. Right to apply to the authorities. The data subject has the right to take action before the Authority. The Authority's official website (www.naih.hu) contains information on how the data subject can make a complaint to the Authority.

14.3. Right to apply to the courts. If the data subject considers that the Data Controller has infringed his or her right to the protection of personal data, he or she may also initiate legal proceedings and claim compensation for the damage caused to the data subject by the unlawful processing of his or her data or by the breach of data security, and in the case of personal injury, the payment of damages. In the event of legal action, the data subject may also bring the action before the courts in the place where he or she resides or is domiciled.