EN

Data protection information

1. Introduction

1.1. Purpose of this privacy notice

The purpose of this Privacy Notice (hereinafter referred to as “Notice”) is to describe in a transparent and detailed manner how we process personal data in the course of Rovitex Homedeco Ltd’s (hereinafter referred to as “Data Controller”) activities, and to provide information on data subjects’ rights and how to exercise them.

1.2. Legal compliance (GDPR, Act CXII of 2011)

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR): sets out the uniform EU rules on the protection of personal data.
  • 2011.act CXII of 2011 (Infotv.): the law on the right to informational self-determination and freedom of information, which is the basis of Hungarian data protection legislation.

This Information Notice aims to comply with the requirements of the above legislation.

2. Data controller’s data

2.1. Name and contact details of the controller

  • Rovitex Homedeco Kft.
  • Registered office .
  • Company registration number: 02-09-064304
  • Tax number: 11369163-2-02
  • Representative: Romeisz Norbert
  • E-mail: rovitex@rovitex.com
  • Telephone number: +36 72 547 100

2.2. Contact details of the privacy notice

This Privacy Notice is available in electronic form at www.rovitex.com/rolunk/dokumentumok/ or in printed form on request at our office.

3. Definitions

3.1

  • Personal data: any information relating to an identified or identifiable natural person (“data subject”).
  • Controller: the natural or legal person who determines the purposes and means of the processing of personal data.
  • Processor: a natural or legal person who processes personal data on behalf of the Controller.
  • Consent: a voluntary and explicit expression of the data subject’s wishes by which he or she gives his or her consent to the processing of personal data relating to him or her.
  • Data subject: any identified or identifiable natural person to whom the personal data relate.

3.2. Definition of a data protection incident

A personal data breach is any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

4. Principles of data management

4.1. Legal basis and principles

  • Lawfulness, fairness and transparency.
  • Purpose limitation: only for predefined purposes, to the extent necessary to achieve the purpose.
  • Data minimisation: we only collect and process personal data that is necessary for the purpose for which it is collected and processed.
  • Accuracy: we will ensure that the personal data we process is accurate and kept up to date where necessary.
  • Westore personal data only for the time necessary to fulfil the purpose.
  • Integrity and Confidentiality: we use appropriate technical and organisational measures to protect personal data.

4.2. Accuracy and security of data

  • Both the Data Controller and the data subject are responsible for the regular updating of the data; the latter is obliged to notify any changes to his/her personal data.
  • The Data Controller shall make every effort to ensure the accuracy of the data recorded and shall take appropriate security measures to protect them against unauthorised access.

5. Purposes and legal grounds for processing

5.1. Registration on the website

  • Purpose: To create a user account and provide related services.
  • Legal basis
    • Consent (Article 6(1)(a) GDPR) in case the registration is voluntary and requested by the data subject.
    • Contract performance (Article 6(1)(b) GDPR) where registration is a prerequisite for the provision of the service.
  • Name, e-mail address, password (encrypted), date of registration, IP address.

5.2

  • Purpose: To process orders, fulfil the contract, invoicing and delivery.
  • Legal basis: performance of the contract (Article 6(1)(b) GDPR).
  • Data processed: name, delivery and billing address, contact details (phone number, e-mail), order details.

5.3

  • Purpose: To comply with current accounting legislation (e.g. Act C of 2000).
  • Legal basis: to comply with the legal obligation (Article 6(1)(c) GDPR).
  • Scope of data processed: name/company name, address, tax number (in case of legal person), other data necessary for invoicing.

5.4

  • Purpose: Marketing communication, information about new products, promotions.
  • Legal basis: consent (Article 6(1)(a) GDPR).
  • Data processed: name, e-mail address.
  • Note: You can unsubscribe from the newsletter at any time by clicking on the link at the bottom of the newsletter or by contacting the Data Controller directly.

5.5

  • Purpose: To ensure the proper functioning of the website, to improve the user experience, to analyse visitor data, for marketing purposes.
  • Legal basis
    • Consent (Article 6(1)(a) GDPR) – for all cookies that are not essential for the functioning of the website.
    • Legitimate interest or performance of a contract (Art. 6(1)(f) or (b) GDPR) – for technical cookies that are essential for the functioning of the website.
  • See the section of this Notice entitled “Use of cookies” (point 11).

5.6

  • Purpose: To keep in touch, share information (Facebook, Instagram, etc.).
  • Legal basis: voluntary choice, consent (Article 6(1)(a) GDPR).
  • Note: For the social platforms’ own data processing practices, please consult the respective platform’s privacy notice.

6. Scope of data processed

6.1. Types of personal data

  • Identifying data: name, username, password (encrypted).
  • Contact details: e-mail address, telephone number, address.
  • Technical data: IP address, browser type, cookies, login time.
  • Billing information: billing name, address, tax number (for companies).

6.2

  • Electronic form on secure servers, password protected and other security measures.
  • On paper (if any) at the head office or premises, in a locked place.
  • Storage period: until legal obligations and the purpose of the processing are fulfilled or consent is withdrawn. After that, the data will be deleted or anonymised.

7. Rights of data subjects

7.1. Right to information

The data subject has the right to be informed of the purposes for which, the legal basis on which, the source from which, the period for which and the persons who have access to his or her personal data.

7.2. Right to rectification

If the data subject believes that the personal data he or she has processed are inaccurate or incomplete, he or she may request that they be corrected or completed.

7.3. Right to erasure (“right to be forgotten”)

The data subject may request the erasure of his or her personal data if the data are no longer necessary for their original purpose or if the data subject withdraws his or her consent and there is no other legal basis for the processing.

7.4. Right to data portability

The data subject has the right to receive the data provided by him or her in a commonly used, machine-readable format or to request the transfer of such data to another controller.

7.5. Right to object

  • The data subject may object at any time to the processing of his or her personal data where the legal basis for the processing is the legitimate interest of the controller.
  • The data subject has a specific right to object to the processing of personal data for direct marketing purposes.

8. Data security

8.1. Protection of electronic data

  • Multi-level authorisation system.
  • Regular backups.
  • Virus protection and firewall use.

8.2. Technical and organisational measures

  • Use of a closed office network and secure Wi-Fi.
  • Paper-based documents stored in a locked cabinet.
  • Regular data protection training for employees and data processors.

9. Management of data protection incidents

9.1. Notification of incident to authorities (72-hour rule)

In the event of a data breach, the Data Controller shall notify the National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and, where possible, no later than 72 hours, unless it is unlikely to pose a risk to the rights and freedoms of data subjects.

9.2. Informing data subjects in case of high risk

If the incident is likely to result in a high risk to the rights and freedoms of data subjects, the Data Controller shall also inform the data subjects without delay, explaining the substance of the incident and the measures taken.

10. Data processors and third parties

10.1

  • Rackforest Kft.
  • Address: 1132 Budapest, Victor Hugo utca 11. 5th floor B05001.
  • Tax number: 14671858241
  • Company registration number: 01 09 914549
  • Website: https://rackforest.com/
    Phone number: +36 1 211 0044
  • Data processing activities: web server operation, technical maintenance. Processing of personal data only on the basis of instructions from the Data Controller.

10.2. Accounting and other partners

The Controller may use accountants, courier services, marketing agencies and other partners to process personal data.

  • Accountant:
  • NEXOL Digital Ügyviteli Kft.
    nEX Digital Digital Digital Services Ltd.
    E-mail: iroda@nexoldigital.hu
    Bank.
    Bankszámla: 11731025-21456420-00000000
    Tax number: 13565183-2-02
    Community Tax Number: HU13565183
    Phone: +36-72/820-246
  • Courier services:
  • UPS Hungary Kft.
    Airport City Logistic Park – Building G
    2220 Vecsés, Lőrinci utca 154
    Hungary
  • GLS General Logistics Systems Hungary Kft.
    HU – Alsónémedi 2351
    GLS Európa u. 2.
    Tax number/VAT number: 12369410-2-44/HU 12369410

With these partners (data processors), the Data Controller always concludes a written contract in accordance with the requirements of the GDPR. The contracts stipulate that the partners may process the data only on the basis of the instructions of the Data Controller, for the stated purpose and for the required period.

11. Use of cookies

11.1. Purpose and types of cookies

  • Session cookies: essential for the functioning of the website, they are deleted when the browser is closed.
  • Functional cookies: they are used for the convenience of the user, for example to remember login details or the language selected.
  • Analytical cookies (e.g. Google Analytics): they are used for statistical purposes, to help us understand user behaviour and improve the functioning of the website.
  • Marketing cookies: to help display relevant ads and measure the effectiveness of ads.

11.2. Managing user preferences

  • Users can control the handling of cookies in their browser settings, allowing them to disable or delete them.
  • When cookie settings are changed, some features of the website may not function properly.
  • On your first visit to the website, you will be given the opportunity to enable or disable non-essential cookies (e.g. marketing cookies) via a pop-up window.

12. Data protection officer

12.1. Terms of appointment and responsibilities

Pursuant to Article 37 of the GDPR, the Data Controller is obliged to appoint a Data Protection Officer (DPO) where its main activity is:

  • involves processing operations which, by their nature or size, require systematic and systematic monitoring, or
  • is based on the processing of highly sensitive data.

The tasks of the official shall include:

  • continuous monitoring of compliance with the GDPR,
  • providing advice to the Data Controller and employees,
  • liaising with the supervisory authority (NAIH) and data subjects.

12.2. Legal status and contact details

The Data Protection Officer reports directly to senior management and cannot be instructed in the performance of his/her official duties.

If the Data Controller is not required to appoint a DPO but nevertheless appoints an officer, it will inform the data subjects accordingly in this Notice.

13. Data subjects’ means of redress

13.1. File a complaint with the National Authority for Data Protection and Freedom of Information (NAIH)

If a data subject believes that the processing of his or her personal data violates applicable laws, he or she may lodge a complaint with the National Authority for Data Protection and Freedom of Information:

  • 1055 Budapest, Falk Miksa utca 9-11.
  • Phone: +36 (1) 391-1400
  • E-mail: ugyfelszolgalat@naih.hu

13.10.10. 10.1.2005, at the following address: 10.10

In case of violation of the rights of the data subject, he/she may have recourse to the courts. You may also bring the action in the court of the place of your residence or domicile, at your choice.

14. Laws on which the processing is based

14.1 GDPR (EU Regulation 2016/679)

Regulation (EU) 2016/679 of the European Parliament and of the Council (EU), which aims to protect natural persons with regard to the processing of personal data and to ensure the free flow of data within the EU.

14.2 Act CXII of 2011 on the Right to Informational Self-Determination

The Hungarian Data Protection Act, which regulates the principles and limits of the processing of personal data in Hungary.

14.3. Other relevant Hungarian legislation

  • 2000. act C of 2011 on Accounting.
  • 2013. act V of 2007 on the Civil Code (Civil Code).
  • 2008. act XLVIII of 2007 on the Basic Conditions of Economic Advertising.

15. Final provisions

15.1. Scope of the privacy statement and possibilities for amending it

  • This Privacy Notice is effective from 1 April 2025 .
  • The Data Controller is entitled to unilaterally amend the Prospectus, in particular to take account of changes in legislation, the introduction of new processing activities or recommendations of the supervisory authority.
  • Amendments will be published on the website and, once they enter into force, data subjects will accept the new rules for their continued use of the Services.

Pécs, April 1, 2025 1 day

Rovitex Homedeco Ltd.

Romeisz Norbert