General Data Protection Regulations


Data Controller Identification:
Data Controller Name: PlaNET Győr Kft.
Data Controller Registered Office: 9026 Győr, Körtöltés u. 11/A.

Data Controller Branch Office: 9500 Celldömölk, Árvalányhaj u. 5.
Data Controller Branch Office: 9500 Celldömölk, Ság hegy 4250 hrsz.

Data Controller Contact Details:
Email: info@deneshegybirtok.hu
Phone: +36 96 331 015
Website: www.deneshegybirtok.hu

Data Processor Identification:
Data Processor Name: BARÁTH SZÁMVITELI Kft.
Data Processor Registered Office: 9023 Győr, Körkemence utca 8. 1st floor, 19.

Data Processor Name: Nethely Kft.
Registered Office: 1115 Budapest, Halmi utca 29. Hosting service provider.
Tax ID: 23358005-2-43
EU VAT ID: HU23358005
Bank Account: 11711003-20007085-00000000 (OTP Bank)
Phone: +36-1-800-1500
Email: info@nethely.hu
Website: www.nethely.hu

Purpose of this Privacy Statement: This privacy statement establishes the rules for the protection of personal data processing regarding natural persons connected with the Data Controller, and for ensuring the free movement of personal data. The Data Controller engages an external service provider under a bookkeeping services contract, acting as a Data Processor, to manage the personal data of natural persons in contractual or payment relationships with the Data Controller, for the fulfillment of the Data Controller’s tax and accounting obligations.

Objective of the Privacy Statement: PlaNET Győr Kft, as the operator of Dénes Hegybirtok (hereinafter referred to as the “Data Controller”), processes personal data related to its activities involving the sale and distribution of wine products, and the provision of hospitality services, solely for the purpose of fulfilling its service obligations (such as billing and communication). The Data Controller only processes personal data that is necessary and appropriate for the fulfillment of its objectives and ensures that such data is handled in compliance with the applicable data protection laws, including Regulation (EU) 2016/679 of the European Parliament and the Council.

Key Terms and Definitions:

  • GDPR (General Data Protection Regulation): The new EU Data Protection Regulation.
  • Data Controller: The natural or legal person, or any other entity, who determines the purposes and means of the processing of personal data, either alone or in conjunction with others. The Data Controller decides on the purpose of processing and takes decisions regarding the processing (including the use of tools), or delegates it to a Data Processor.
  • Data Processing: Any operation or set of operations performed on personal data, such as collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment, combination, blocking, deletion, and destruction.
  • Data Processor: A natural or legal person who processes personal data on behalf of the Data Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Data Subject: A natural person who can be identified, directly or indirectly, by the personal data.
  • Third Party: A person or entity other than the Data Subject, the Data Controller, the Data Processor, or persons who act under the direct authority of the Data Controller or Data Processor.
  • Consent of the Data Subject: A freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes, by which the Data Subject consents to the processing of their personal data.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Principles of Data Processing:

  • Personal data must be processed lawfully, fairly, and transparently.
  • Data collection must be for specified, legitimate purposes and not processed further in a way incompatible with those purposes.
  • Personal data should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  • Personal data should be accurate and kept up to date, with inaccurate data corrected or deleted without undue delay.
  • Personal data should be stored in a form that permits identification of the Data Subject only for as long as necessary for the purposes of processing.
  • Data processing must ensure appropriate technical or organizational measures to safeguard personal data, protecting against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • The principles must apply to all information relating to identified or identifiable natural persons.

The Data Controller cannot verify the legitimacy of the consent or the content of statements provided by the person with parental authority over minors under 16 years of age. Without such consent, the Data Controller will process the personal data of minors only if required by law or when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

Personal Data Processing: Personal data processing can only take place if the Data Subject provides clear affirmative action, such as a written (including electronic) or verbal statement, voluntarily, specifically, based on information, and unequivocally indicating their consent to the processing of their data. The processing of personal data must be conducted in a way that ensures its security and confidentiality, protecting it from unauthorized access, use, and misuse.

Legality of Data Processing: Personal data processing is lawful only if one of the following applies:

  • The Data Subject has given explicit consent to the processing of their personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract with the Data Subject, or pre-contractual steps taken at the Data Subject’s request;
  • The processing is necessary for compliance with a legal obligation to which the Data Controller is subject.

Data Processing Activities:

  1. Order, Billing, Service Provision:
    • Legal Basis: Hungarian Information Act and the Accounting Act, based on the Data Subject’s voluntary consent.
    • Purpose and Duration: To process orders and provide services, issue invoices, and comply with accounting documentation retention requirements. Invoices must be retained for 8 years as per the Hungarian Accounting Act.
    • Data Processed: Name, email address, phone number, billing and shipping address.
  2. Newsletter Sending:
    • Legal Basis: Hungarian Information Act and the 2008 Act on Economic Advertising, based on the Data Subject’s voluntary consent.
    • Purpose and Duration: To inform the Data Subject about the latest offers and promotions. Processing lasts until the Data Subject withdraws consent.
    • Data Processed: Name, email address.
  3. Registration-related Data Processing:
    • Legal Basis: Hungarian Information Act and Civil Code, based on the Data Subject’s voluntary consent.
    • Purpose and Duration: To store registration data for more convenient service provision. Processing lasts until the Data Subject withdraws consent.
    • Data Processed: Name, email address, phone number, fax number, billing, and shipping address.
  4. Non-Registration-related Data Processing:
    • Legal Basis: Hungarian Information Act and Civil Code, based on the Data Subject’s voluntary consent.
    • Purpose and Duration: To fulfill the ordered service. Processing lasts until the Data Subject withdraws consent.
    • Data Processed: Name, email address, phone number, fax number, billing and shipping address.

Data Processing on the Data Controller’s Facebook Page: The Data Controller maintains a Facebook page to promote its products and services. Questions posted on the page are not considered complaints. The Data Controller does not process personal data posted by visitors. In case of illegal or offensive content, the Data Controller may exclude the Data Subject from the group or delete the comment without prior notice. The Data Controller is not responsible for illegal content posted by Facebook visitors or for any issues arising from Facebook’s operations.

 

Rights Related to Data Processing

Right to Information
Any individual can request information via the provided contact details regarding which personal data the Data Controller processes, the legal basis for processing, the purposes for which the data is processed, the source of the data, and the retention period. The Data Controller must provide a response to the request promptly, and no later than within 25 days, to the contact details provided.

Right to Rectification
Any individual can request the modification of their personal data via the provided contact details. The Data Controller must take action to rectify any inaccuracies promptly, and no later than within 25 days, and provide notification to the contact details provided.

Right to Erasure (Right to be Forgotten)
Any individual can request the deletion of their personal data via the provided contact details. The Data Controller must delete the data without undue delay, and no later than within 30 days, and notify the individual at the provided contact details.

Right to Restriction of Processing
An individual can request the restriction of the processing of their personal data via the provided contact details. The restriction will last as long as necessary to resolve the reason for the restriction. A restriction can be requested in the following cases:

  • The data subject disputes the accuracy, correctness, or completeness of the personal data until the doubt is clarified.
  • If the data should be erased, but it is reasonably assumed, based on the written statement or available information, that erasure would harm the data subject’s legitimate interests. In this case, processing will be restricted until the legitimate interest justifying the non-erasure is resolved.
  • If the data should be erased, but the data is necessary for legal investigations or procedures (e.g., criminal investigations) that require the retention of the data as evidence until the process is concluded or legally final.

Right to Object
Any individual can object to the processing of their data via the provided contact details. The Data Controller must examine the objection as soon as possible, but no later than 15 days from the submission, make a decision on its validity, and notify the individual at the provided contact details.

Enforcement of Rights Related to Data Processing
The National Authority for Data Protection and Freedom of Information
Postal Address: 1363 Budapest, P.O. Box 9.
Address: 1055 Budapest, Falk Miksa u. 9-11
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
URL: https://naih.hu
Official Portal
Short Name: NAIH
KR ID: 429616918

In case of violation of rights, the data subject can also seek legal remedy by taking the issue to court. The court will handle the matter on an expedited basis. The lawsuit can be filed at the court in the data subject’s place of residence or habitual residence.

Data Security
Data must be protected by appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental destruction or damage, and the unavailability caused by technical changes. In the case of electronically stored data, proper technical solutions must be implemented to ensure that the stored data is not directly identifiable or associated with the data subject. Data security must be designed and applied considering the current state of technological development. Among several possible data processing solutions, the one ensuring higher levels of protection of personal data should be selected unless it would result in disproportionate difficulty for the data controller.

Data Protection Incident
A data protection incident refers to a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data being processed. Without appropriate and timely action, a data protection incident may cause physical, material, or non-material damage to individuals, such as the loss of control over their personal data or the limitation of their rights, discrimination, identity theft, or abuse of identity. A data protection incident must be reported to the relevant supervisory authority without undue delay, and no later than within 72 hours, unless the incident can be demonstrated to likely pose no risk to the rights and freedoms of individuals. If the data protection incident is likely to result in a high risk to individuals’ rights and freedoms, the data subject must be informed promptly to take necessary precautions.

Cookie Usage Information

The Data Controller uses cookies on the website. Cookies are files that store information in the web browser. They are helpful because they allow the website to recognize the user’s device and provide a more efficient, personalized user experience. Cookies do not contain personal data or information and cannot identify an individual user. Cookies often contain a unique identifier—a randomly generated number—that is stored on the user’s device. Cookies are generated by server-side service providers for better display and optimal functioning of the website. The owner of the website, the Data Controller, is only responsible for informing visitors about the cookie usage. Some cookies expire after the website is closed, while others are stored on the user’s device for a longer period.

Main Characteristics of Cookies Used on the Data Controller’s Website:

  1. Referer Cookies: These record the external page from which the visitor came to the website. Their lifetime lasts until the browser is closed.
  2. Mobile Version, Design Cookie: Detects the device used by the visitor and switches to the full version on mobile. Lifetime: 365 days.
  3. Cookie Acceptance Cookie: The visitor accepts the storage of cookies when clicking the accept button on the cookie banner that appears on the website. Lifetime: 365 days.

Cookies can generally be classified into two main types:

(i) Session Cookies: Temporary cookies that are placed on the user’s device for the duration of a session (e.g., online banking security authentication).

(ii) Persistent Cookies: These remain on the computer until deleted by the user (e.g., remembering the website language preference).

In the case of cookies that require the user’s consent, the information may be provided at the time of the first visit to the website, if the data processing associated with the cookies starts upon visiting the page. The entire cookie notice text does not need to appear on the website; a link to the full notice is sufficient. On the first visit to the Data Controller’s website, a cookie banner will appear. If the user clicks the “Accept” button or continues visiting the site, they accept the website’s cookie usage policy. The Data Controller’s website records and processes the following data about visitors and their browsing devices:

  • Visitor’s IP address
  • Browser type
  • Operating system features of the device used for browsing (e.g., set language)
  • Time of visit
  • Visited functions or services

Cookies alone cannot identify the user personally.

Types of Cookies Used on the Data Controller’s Website:

  1. Technically Necessary Session Cookies
    These cookies are essential for the website to function properly, allowing navigation between different sections of the website and enabling certain functions. Legal basis: Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce Services and certain issues related to Information Society Services.
    Retention period: Only for the current visit; the cookies are automatically deleted when the session ends or the browser is closed.
  2. Functional Cookies (User Experience Enhancing Cookies)
    These cookies improve the user experience by remembering decisions made by the user, such as language selection or the user’s password. They may be internal or external cookies. External cookies, or third-party cookies, are placed by services like Facebook or YouTube, which are linked to the website. The Data Controller is not responsible for the content of external websites.
    Legal basis: The visitor’s voluntary consent (Article 5(1)(a) of the Info Act).
    Retention period: 6 months.
  3. Analytical or Performance Cookies
    These cookies help the Data Controller differentiate between website visitors and collect data on how visitors behave on the site. These cookies do not collect personally identifiable information, and the data is stored in an aggregated and anonymous form.
    Examples of these cookies are:
    • Google AdWords Cookies: These cookies help in remarketing by adding the user’s cookie ID to the remarketing list when they visit the website. They also help customize ads based on the user’s past searches, interactions with certain ads, and visits to advertisers’ websites.
    • Google Analytics Cookies: These cookies help the website owner (Data Controller) get insights into their visitors’ activities. These cookies collect data anonymously about how visitors interact with the website, and may help in showing more relevant ads on Google products (e.g., Google search).
    The primary cookie used by Google Analytics is the “__ga” cookie.

Cookie Management and Deletion
Cookies can be deleted or disabled through the browser settings. Browsers enable cookie placement by default, but this can be turned off, and existing cookies can be deleted. If the user disables cookies in their browser, some website features may not be fully functional.

For more information on deleting cookies, you can visit the following links:

Legal Basis for Data Processing:

  • EU Regulation 2016/679 (April 27, 2016): On the protection of natural persons regarding the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).
  • Act CXII of 2011: On the right to informational self-determination and freedom of information.
  • Act CVIII of 2001: On certain issues related to electronic commerce services and information society services.
  • Civil Code
  • Act C of 2000: On accounting
  • Act XLVIII of 2008: On economic advertising activities