© 2022 Multinvent Kft. – VŠETKY PRÁVA VYHRADENÉ
The goal of our Privacy Notice is to provide all necessary information about processing the personal data of natural persons and representatives of legal entities (hereinafter: Users) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and assist Users in exercising their rights under Section 4. Our services are available at www.flatloop.sk and its associated websites.
The legal basis of our information obligation is Article 12 of Regulation 2016/679 of the European Parliament and Council (hereinafter: GDPR), Section 16 of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Privacy Act), and Section 4 of Act CVIII of 2001 on e-commerce and certain issues regarding information society services (hereinafter: E-commerce Act).
This Notice was made in consideration of the GDPR, Privacy Act and other regulations applicable to individual data processing activities. The applicable regulations are enclosed in Annex 10.1, the definition of key terms is enclosed in Annex 10.2, and data subjects’ rights are defined in detail in Annex 10.3.
This Notice was created and is applied in the spirit of the findings in the recommendation of the National Authority for Data Protection and Freedom of Information (NAIH) on the privacy requirements of prior information, Article 5 of the GDPR, particularly Article 5(2) on accountability.
The personal data protection practices of the European Union are also observed, accordingly the guidelines of Working Party 29 of the European Commission are also adopted in our processing practices.
Our activities are governed by Hungarian law, however, in the case of cross-border sales, the law at the customer’s jurisdiction shall apply to consumer protection and warranty matters.
This section details the key conditions of procession required by the GDPR and other relevant regulations from controllers.
You can contact us via our contacts on the website. Also, by communicating with our business partners, we process the personal data of their contact persons. The details of these processing are described hereunder.
| personal data | purpose of processing | legal basis of processing |
| name | identification of the User, or the contact person of our business partner | the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]; in the case of contact person of our business partner processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR] |
| phone number | contacting and communication with the User, or the contact person of our business partner | the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]; in the case of contact person of our business partner processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR] |
| e-mail address | contacting and communication with the User, or the contact person of our business partner | the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]; in the case of contact person of our business partner processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR] |
If you contact us, we process your personal data for the purpose in Section 3.2.1. based on your freely given consent implied by way of contacting us by phone or email (article 6 (1) a) of GDPR).
Where we use Users’ data for purposes other than they were collected, we inform the Users thereof in advance and obtain their prior consent, and give an opportunity to object to processing (cf. Section 9.1.).
If you, as the representative of our business partners provide your personal data to communicate with us, the legal basis of processing personal data is our legitimate interest and our business partners (Article 6 (1) f) of GDPR). It is each Party’s legitimate interest to maintain effective business communication during the use of the Website and the communication between partners, and to be able to inform each other’s representatives about all key circumstances concerning our contract. Since it is the part of your scope of duty as the representative of our business partner, in our view, processing your name and contact data does not restrict disproportionately your privacy and freedom of self-determination. The contact persons of our business partners may object to such processing.
If you contact us through our website, we process your personal data until the withdrawal of your consent. You have the right to withdraw your consent at any time via email. The withdrawal of consent does not affect the legal basis of processing based on consent before its withdrawal.
In relation to the processing of the personal data of our business partners’ contact persons, we process their personal data until the personal data are no longer necessary in relation to the purposes for which they were collected or as long as it is permitted by the relevant legal provisions (5 years after the performance or the termination of the contract pursuant to the Hungarian Civil Code, or 8 years after invoicing, in accordance with the Hungarian Accounting Act).
Electronic.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing concerning communicating with our business partners, we, as data controllers, while performing the contracts concluded with our business partners, both at the time of the determination of the means for processing, and at the time of the processing itself, implement appropriate technical and organizational measures, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR.
You can order any of our products shown in our website. The details of such processing are described hereunder.
| personal data | purpose of processing | legal basis of processing |
| name (first name, surname, title) | identification of the User or a business partner’s representative | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [article 6 (1) b) of GDPR]; if the customer is a legal person then processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR] |
| address (post code, city, street and number) | identification of the place of transportation | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [article 6 (1) b) of GDPR] |
| phone number | connecting the purchaser or its representative and giving information about the services | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [article 6 (1) b) of GDPR]; if the customer is a legal person then processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR] |
| e-mail address | connecting the purchaser or its representative and giving information about the services | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [article 6 (1) b) of GDPR]; if the customer is a legal person then processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR] |
| a unique coupon code that can be linked to the User | identification of the customer in order to take advantage of the individual discount we provide | processing is necessary for the purposes of the legitimate interests pursued by the controller [article 6 (1) f) of GDPR] |
Performance of contract where the parties are the Controller and the User (Article 6 (1) b) of GDPR).
If the buyer is a legal entity and its representative provides his or her personal data for these purposes, the legal basis of processing – with regard to the relevant authority practice – is our legitimate interest and the purchaser company (Article 6 (1) f) of GDPR). It is each party’s legitimate interest to maintain effective business communication during order, and inform each other’s representatives about any relevant conditions pertaining to the contract between us. Since it is part of the representative’s scope of duty or contractual obligation to facilitate communication between the parties and provide his or her personal data, the processing of the mentioned personal data does not restrict disproportionately the privacy and freedom of self-determination of the buyer’s contact person.
All the personal data you give us when you order the available products are processed for the performance of the contract concluded between you and us (Article 6 b) of GDPR). It is our legitimate interest for processing unique coupons to incentivise purchases of Users who can uniquely be identified based on their coupon code (Article 6 (1) f) of GDPR).
Eight (8) years after the invoice under the contract is issued (Section 169(1) of the Accounting Act having regard to Section 166(6) of the Accounting Act).
Personal data not required for fulfilling accounting obligations – having regard to Section 6:22(1) of Act V of 2013 on the civil code (Civil Code) – are stored for 5 years after fulfilling the order.
Electronic.
Since we cannot fulfil orders without your personal data, supplying your personal data is a requirement for the conclusion of a contract.
After fulfilling orders we – with regard to Act C of 2000 on accounting (hereinafter: Accounting Act) – issue an invoice. The details of the associated processing are described hereunder.
| personal data | purpose of processing | legal basis of processing |
| name | proof of the fulfilment of orders for accounting | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and the Act No. C. of 2000. on accounting 166. § (1)-(3) |
| address (post code, city, street and number) / also registered office for sole traders | proof of the fulfilment of orders for accounting | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), Act No. C. of 2000. on accounting 166. § (1)-(3) |
| tax number for sole traders | proof of the fulfilment of orders for accounting | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), Act No. C. of 2000. on accounting 166. § (1)-(3) |
Processing is necessary for compliance with a legal obligation; with regard to Article 6 (1) c) of GDPR, Section 5(1) b) of the Privacy Act and Section 166(1)-(3) of the Accounting Act.
8 years after accounting based on Section 166(6) of the Accounting Act and Section 169(1) of the Accounting Act.
Electronic.
The document issued electronically – in accordance with the provisions of the regulation on the rules of digital archiving – is preserved in such a way that the applied method ensures the immediate production and continuous readability of all data of the document, and excludes the possibility of subsequent modification.
Since we cannot issue invoices without the personal data specified in this section, supplying your personal data is compliance with law.
Users can contact us by email and phone with questions and complaints. The details of the associated processing is described below.
| personal data | purpose of processing | legal basis of processing |
| name | identification of the User | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and the Act No. CLV. of 1997. on consumer protection |
| e-mail address | communication with the User and providing information | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and the Act No. CLV. of 1997. on consumer protection |
| phone number | communication with the User and providing information | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and the Act No. CLV. of 1997. on consumer protection |
We process the personal data we collect from you to comply with legal obligations (with regard to Article 6 (1) c) and (2) of GDPR, based on Section 5(1) b) of the Privacy Act and Act CLV of 199. on consumer protection (CPA)
5 years after the receipt of a complaint based on Section 17/A(7) of the Consumer Protection Act.
Electronic.
If the costumer enforces supplies warranty for material defects and product warranty claim for a product defect according to the Hungarian Civil Code (hereinafter: warranty claim), then we are required to write a report according to NGM Decree 19/2014 (IV.29.) on the procedural rules of processing warranty claims between consumers and businesses. The details of the associated data processing is described below.
| personal data | purpose of processing | legal basis of processing |
| name | identification of the User and write the report | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and 19/2014 (IV.29) NGM regulation 4. § (1) |
| address | identification of the User and write the report | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and 19/2014 (IV.29) NGM regulation 4. § (1) |
| information on consent to processing | write the report | processing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and 19/2014 (IV.29) NGM regulation 4. § (1) |
We process the personal data we collect from you to comply with legal obligations (Article 6 (1) c) and (2) of GDPR) based on Section 5. § (1) b), and Section 4(1) of NGM Decree 19/2014 (IV.29).
3 years after the completion of the report based on Section 4 (1) and (6) of the NGM Decree.
Electronic.
We advertise games on our Facebook page and on the website. We draw prizes among the Users who comment on the given entry or perform a specific activity. The associated processing activities are described in this section. There may be more detailed information on processing on the individual prize draw pages.
| personal data | purpose of processing | legal basis of processing |
| name | identification of the winner. | the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR] |
| e-mail address | identification of the winner. | the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR] |
| winning | identification of the winner . | the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR] |
You give your consent to the processing of you’re your personal data for one or more specific purposes by participating in the prize draw [Article 6 (1) a) of GDPR]
Until the goal is achieved; until the prize draw is completely closed.
Electronic.
It is important for us that our data processing operations comply with the requirements for fairness, lawfulness and transparency. Accordingly, we briefly present your rights, which are further detailed in Annex 3 of this Privacy Notice.
You may request free information on the details of processing your personal data, and in cases specified by law, you may request your personal data to be corrected, erased, blocked, restrict their processing and object to processing. Please send your requests for information and the request for matters below to our contacts under Section 2.
You can request information on the processing of your personal data, and may access to the processed data and the details of processing.
You have the right to request the rectification of your inaccurate personal data without undue delay. You have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
You have the right to request the erasure of your personal data if they are no longer needed for processing, or if you withdraw your consent, or if you object to processing or if processing is unlawful.
If your personal data become public and you request your data to be erased, at your request we inform all controllers that became or may have become aware of your disclosed personal data.
You have the right to request us to restrict processing if the accuracy of your personal data is contested, or if processing is unlawful, or if you object to processing, or if we no longer need your personal data.
You have the right to receive the personal data concerning you, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data(see: point 3.1. and 3.2. of this Notice). In such case, we may no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. Upon your objection, your personal data may not be processed for this purpose as a main rule.
We investigate your request as soon as possible, but not later than in 30 day – or 15 days in the case of objections – and decide whether it is substantiated, and inform you thereof in writing. If your request is not fulfilled, we inform you of the factual and legal reasons of rejection.
Personal data protection and respecting your informational self-determination right is key for us, therefore, we do our best to answer all requests in a fair and timely manner. In this respect, please contact us with any questions or complaints to let us find the earliest solution before seeking to enforce your right with the authorities or at court.
If your inquiry with us is not resolved, you may
We communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 of GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We also inform you about those recipients on the request of yours.
We provide information on action taken on a request under Articles 15 to 22 of GDPR to you without undue delay and in any event within one month of receipt of the request unless you request otherwise. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic form means, we provided the information by electronic means where possible, unless you request it otherwise. We inform you verbally at your request provided that you identify yourself in another manner.
If we do not take action on your request, we inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with NAIH and seeking a judicial remedy (see point 4.7.).
If we have reasonable doubts concerning the identity of the natural person making the request, we may request the provision of additional information necessary to confirm the identity of the data subject. This is necessary to promote the confidentiality of processing specified in Article 5 (1) f) of the GDPR, that is to prevent unauthorised access to personal data.
We provide you information and take the necessary measures regarding the requests under point 4. free of charge.
If your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or we refuse to act on your request.
Our website’s hosting provider (data processor) can have access to the personal data you provide while using the website. The data processor’s data are the following:
In order to deliver the ordered products, we use fulfilment companies as data processors. These service providers enter into contracts with transport companies to deliver the products ordered by the user, so in this respect these additional service providers are considered sub-data processors. We ensure that sub-data processors also comply with legal requirements regarding the handling and protection of personal data in the course of their activities
Our website has several social media profiles (for example: Facebook, Instagram, YouTube) so that if you „like” us on Facebook or „follow” us on YouTube, we may learn all the personal data which is public on your profile. You can find relevant information on data processing of these sites in the privacy notice of the relevant providers.
In connection with invoicing, the data processor gets to know the personal data provided by the Users for this purpose.
We and the employees of the data processors have the right to get to know the personal data of the User to the extent necessary for the performance of the tasks belonging to their job. We take all security, technical and organizational measures that guarantee the security of the data.
We provide access to our IT systems with personal permission. The principle of “necessary and sufficient rights” applies to the allocation of access, ie all employees may use our IT systems and services only to the extent necessary for the performance of their duties, with the appropriate rights and for the required period of time. Access to IT systems and services should only be granted to a person who is not restricted for security or other reasons (eg conflicts of interest) and who has the professional, business and information security knowledge necessary to use it securely.
We and the data processors undertake strict confidentiality rules in a written statement and we are obliged to act in accordance with these confidentiality rules in the course of our activities.
We store the data – with the exception of the data stored by our data processors – on our own devices, in a data center. The IT tools, that stores the data are stored in a separate, separate closed server room, protected by a multi-stage access control system.
We protect our internal network with multi-level firewall protection. In all cases, a hardware firewall (border protection device) is located at the entry points of the applied public networks. The data is stored redundantly – i.e. in several places – in order to protect it from destruction, loss, damage and illegal destruction due to the failure of the IT device.
We protect our internal networks from external attacks with multi-level, active protection against complex malicious code (eg virus protection). We implement the essential external access to the IT systems and databases operated by us via an encrypted data connection (VPN).
We do our best to ensure that our IT tools and software continuously comply with the technology solutions generally accepted in the operation of the market.
During our development, we design systems in which logging can be used to control and track the operations performed, and to detect incidents, such as unauthorized access.
Our server is located on the hosting provider’s separate dedicated server, protected and closed.
Taking into account of the NAIH recommendation about the parts we use https protocol which provides a higher level of data security than the http protocol.
Similarly to other modern websites, in certain cases we place small data files on Users’ devices to ensure the proper operation of our website.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Cookies can be used by web servers to identify and track users as they navigate different pages on a website and identify users returning to a website.
List of the cookies we use on the website
Source | Name | Function | Expiration |
Facebook pixel | Facebook advertising data collection | 180 days | |
Google Analytics | Anonymous analysis of visitor data | More information in the 8.2.1. point. | |
Hotjar | Hotjar | Analyze visitors’ website usage | 365 days, more information https://help.hotjar.com/hc/en-us/articles/115011640427-How-long-does-Hotjar-keep-my-data- |
Facebook Custom Audience is an online analytics and advertising service of Facebook, Inc. (Facebook) through which the Data Controller obtains information about how visitors to the Website use the Website. You can read more about Facebook Custom Audience or Facebook Pixel cookies here: https://www.facebook.com/policies/cookies/.
Facebook Pixel requires cookies to be placed on user devices. We also use Facebook Pixel on the Website, both for advertising and Website analytics. Facebook pixels place cookies on the Website browser for the purpose of generating the right advertising audience, measuring conversions between devices, targeting ads, optimizing the right audience, displaying personalized advertisements, advertisements and reports, reporting on the Website and application traffic data.
This data management activity of Facebook may be regulated and set up by the User in his Facebook and Google accounts, and the collection of data by Facebook cookies on the Website may be authorized by the User. On Facebook, the User can view these cookies in the Facebook Ads Settings by logging into their account, and there they can also set or change their preferences regarding cookies. On the Website, the User may give his consent to cookies in groups according to their type.
Cookies can be deleted (detailed information: www.AllAboutCookies.org) or blocked by most browsers today. In this case, however, when using our website, certain settings will need to be reconfigured each time and certain services may not work.
Detailed information on deleting and blocking cookies can be found at www.AllAboutCookies.org (in English) and on the browser used by the User at the following links:
If we intend to further process the personal data for a purpose other than that for which the personal data were collected, we inform you prior to such further processing requesting your prior express consent and give you the opportunity to prohibit processing.
To comply with Article 30 of GDPR, we maintain a record of processing activities under our responsibility.
Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In case of data breach, we are obliged to act according to Article 33 and 34 of the GDPR. We log data breaches, indicating the associated facts, their impacts and our measures for remedy.
We have the right to amend this Privacy Notice unilaterally at any time. We encourage you to periodically review this Policy to be informed of how we are protecting your information.
Effective: 08 September 2021
Multinvent Kft.
Controller
For this Privacy Notice, the Controller took into account the applicable regulations in effect and major international recommendations, particularly including:
Upon a request submitted to us you have the right to access to the following information concerning the processing of your personal data:
You may also request a copy of your personal data processed. In this case, personal data are provided in a structured, commonly used and computer readable format (PDF/XML), and in hard copy. Copies are provided free of charge.
You have the right to request us to rectify any of your inaccurate personal data and to complete incomplete data by way of submitting a request to any of our contacts. Where the information required to complete or rectify inaccurate information is not available, we may request you to resubmit supplemental data and verify the accuracy of the data. As long as the data cannot be specified or completed – in the absence of supplemental information – we shall restrict processing the relevant personal data, and temporarily suspend any operations with them, except for storing.
You have the right to request us to erase your personal data by submitting a request to that effect if any of the conditions below prevail:
If we establish based on your request that we are obliged to erase your personal data we process, we discontinue processing and destroy the previously processed personal data. We are also obliged to erase personal data if you withdraw your consent, exercise your right to object or in compliance with a legal obligation.
You have the right to obtain from us the restriction of processing your personal data in the following cases:
We automatically restrict processing personal data if you dispute the accuracy of personal data and when you exercise your right to object. This restriction lasts as long as the accuracy of personal data can be verified or – in the case of objecting to processing – until we can establish if the criteria for continuing processing prevail.
No processing operations may be performed on personal data during the restriction, data may only be stored. Personal data subject to restriction may only be processed in the following cases:
We inform you before lifting restriction.
You have the right to receive your personal data for further use by submitting a request to us. You may also request us to transfer your personal data to another controller.
This right is restricted to personal data you provided and processed to fulfil a contract. No other data are portable. We supply your personal data in a structured, commonly used and machine-readable format (PDF/XML) and in hard copy.
Please note that exercising this right does not automatically delete your personal data from our systems. After exercising your right to data portability, you still have the right to contact and communicate with us.
You have the right to object at any time to processing of your personal data for purposes specified in point 3.1. and 3.2. of this Privacy Notice by way of a request submitted to us. In such case, we no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
© 2022 Multinvent Kft. – VŠETKY PRÁVA VYHRADENÉ
Kontaktovať zákaznícky servis FlatLoop
Dostupnosť zákazníckeho servisu: v pracovné dni 08-16h
