Kisfaludy Programme information

Petrányi Borterasz Kft. as Service Provider (hereinafter referred to as Service Provider) (Registered seat: H-8229 Csopak, Fülemüle utca 2.; tax number: 14136508-1-19), registered by the Hungarian National Authority for Data Protection and Freedom of Information as data controller under No. NAIH-141044/2018, shall carry out data controller activities in accordance with the provisions of Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information (Privacy Act), Regulation (EU) 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), and this document. Unless otherwise specifically provided, the terms and expression employed in this document have the same meaning as the terms and expressions employed in the Privacy Act and in the GDPR.

I. Principles of Data Processing

The Service Provider shall carry out data processing activities for the purposes outlined in this document, in a legal, ethical and transparent manner, with regard to the principles of purposefulness, data minimization, integrity and confidentiality; during all phases of its data processing activities, it shall ensure that any data processed is accurate, complete and up-to-date, and that any data subjects are identifiable only for as long as necessary for data processing purposes. The Service Provider shall only carry out processing of personal data as necessary for specific data processing purposes concerning said personal data’s owner.

II. Legal Basis of Data Processing

The Service Provider shall process data provided in a voluntary manner, in the course of which it always has the consent of the data subject. Clients consent to data processing voluntarily, simultaneously with their registration on the website (www.petranyipince.hu).

The owner of the personal data may withdraw their consent at any time. Withdrawal of consent shall not affect the legality of consent-based data processing carried out before said withdrawal of consent.

If the Service Provider processes data on any other legal basis—apart from consent—, it shall be obligated to specifically notify data subjects involved.

III. Purpose of Data Processing

The Service Provider shall process data provided on the site of the www.petrányipince.hu webshop for the purposes of maintaining a database necessary for the operation of the webshop, and data necessary for the newsletter, in accordance with the provisions of Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising.

IV. Duration of Data Processing, Data Processing

The Service Provider shall process data received for a period of 10 years—unless otherwise specified by the data subject.

Hosting services for the data processing shall be provided by Infosector Kft. (registered seat: H-2013 Pomáz, Kond utca 14.).

V. Scope of Processed Data

The Service Provider shall process data provided by the owner of such personal data, in particular: name, e-mail address, address/registered seat, delivery address, phone number.

When acquiring personal data (simultaneously with the registration), the Service Provider shall provide the following information to the owner of the personal data:

  • Name, contact information of Service Provider, Service Provider’s representative;
  • purpose, legal basis of personal data processing, consequences of not providing the data;
  • recipients and categories of recipients of personal data;
  • intended duration of personal data storage;
  • rights of the owner of the personal data;
  • right to submit a complaint to the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter referred to as: the Authority).

VI. Data Security

The Service Provider has planned and implemented data processing procedures to ensure the protection of the privacy, basic rights and freedoms of the data subjects in accordance with the Privacy Act, GDPR, and other relevant privacy regulations. As part of this process, the Service Provider provides for the security of data stored or otherwise processed, protects it against unauthorized access, modification, transfer, disclosure, deletion, accidental or unauthorized destruction, loss, damage and against the data becoming inaccessible.

In the course of its data processing and associated organizational activities, the Service Provider shall consider the current state and development of science and technology, shall strive to ensure and maintain data security, and to employ the most secure technologies providing data security proportionally to relevant risk levels in order to provide for the protection of the rights and freedoms of private persons.

The Service Provider engages in electronic data processing. Data recorded electronically are stored on computer servers; the goals and objectives outlined with regard to data security are applied to and considered for any and all data processing methods.

VII. Data Transfers

In case of an official data request, the Service Provider shall be obligated to provide data, in accordance with the scope of the request and to the extent necessary to fulfil said request, to courts, prosecutor’s offices, police authorities, regulatory authorities, administrative authorities, and other authorities, bodies prescribed by relevant legislation.

The data controller shall maintain a record of data transfers in order to verify the legality of data transmissions and inform data subjects. This record shall include the date and time of the data transmission, the legal basis and recipient of the data transfer, the scope of personal data transmitted, as well as any other information prescribed by regulations governing data processing.

VIII. Rights of Data Subjects and Enforcement

Data subjects may request information from the Service Provider on the processing of their personal data, or request the correction, deletion of their personal data or the restriction of the processing of their personal data—except where the processing of such personal data is mandatory.

Upon request by the data subject, the Service Provider shall provide information about data owned by the data subject and processed by the Service Provider or a data processor appointed by the Service Provider, about any ongoing data processing, sources of personal data, the purpose of data processing, the planned duration of data storage, the legal basis and duration of data processing, and the name, address and relevant activities of the data processor. Furthermore, in case of any transfer of personal data, information shall be provided about the legal basis and recipient of the data transfer, as well as the rights of the data subject, including the right to submit a complaint to the Authority.

The data controller shall be obligated to provide said information in a clear and understandable form, in writing—upon the data subject’s request—, as soon as possible after the initial submission of the request, but in any case no later than within 30 days; if the owner of the personal data has submitted the request electronically, the information shall be provided in an electronic format (unless otherwise requested by the data subject). Information shall be provided free-of-charge if the party requesting such information has not submitted information requests to the data controller for the given scope of data in the given year. The provisioning of information may only be denied in the cases specified in the Privacy Act and the GDPR. If the provisioning of information is denied, the Service Provider, as data controller, shall be obligated to notify the data subject in writing and provide information on the act or regulation serving as basis for the decision. If the provisioning of information is denied, the Service Provider, as data controller, shall also provide information on the data subject’s right to request judicial remedy and right to contact the Authority.

If any personal data proves to be incorrect or otherwise inaccurate, and accurate personal data is available to the data controller, the data controller shall be obligated to amend such personal data upon request by the owner of the personal data. Personal data must be deleted if

  • data processing proves to be unlawful;
  • the data subject requests the termination of data processing or withdraws its consent to data processing with regard to Paragraph c) of Section 14 of the Privacy Act or point b) of Article 17(1) of the GDPR.
  • the owner of the personal data objects to data processing by the Service Provider, and there are no overriding legitimate grounds for the processing;
  • the data processed is incomplete or inaccurate, and the issue cannot be legally remedied, provided that deletion is not prohibited by law;
  • the processing of data or personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
  • the statutory data retention period has expired;
  • deletion is ordered by a court of the Authority, or it becomes necessary with regard to the Service Provider’s performance of its legal obligations.
  • Instead of deletion, the Service Provider may restrict data processing upon request by the data subject if
  • the owner of the personal data calls into question the accuracy of the personal data, while the accuracy of the data is being reviewed;
  • data processing proves to be unlawful, but the owner of the personal data objects to the deletion of the data;
  • the Service Provider no longer needs the processing of the data, but the owner of the personal data requires the data for a legal plea or the enforcement, protection of their legal rights;
  • the owner of the personal data objects to the processing of personal data based on Article 21(1) of the GDPR (point d) of Article 18(1) of the GDPR).

The personal data subject to restriction may only be processed—with the exception of data storage—by the Service Provider with the consent of the owner of the personal data, or for the purposes of a legal plea, or the enforcement, protection of their legal rights, or other personal rights, or for other purposes prescribed by the European Union or purposes in the public interest of its member states. If the circumstances that serve as the basis for the restriction of data processing cease, the Service Provider shall lift the restriction on data processing; the Service Provider shall inform the owner of the personal data of this event in advance.

The data subject, as well as to those to whom the data was previously transmitted for data processing, must be notified of any correction, restriction, and deletion. Notification may be omitted if it does not violate the legitimate interests of the data subject considering the purpose of data processing. If the data controller does not fulfil a data subject’s request for correction, restriction, or deletion within 30 days after receiving the request, the data controller shall be obligated to provide written justification, both factual and legal, for its refusal. If a request for correction, deletion, or restriction is refused, the data controller shall inform the data subject about its right to seek judicial remedy and submit a complaint to the Authority.

The data subject shall be entitled to request any personal data managed by the Service Provider in a structured, commonly used, and machine-readable format, and to have said data be transmitted to another data controller.
IX. Objection to the Processing of Personal Data

The data subject shall be entitled object to the processing of their personal data if the processing or transmission of personal data is necessary solely for the fulfilment of the data controller’s legal obligations, or for the enforcement of the legitimate interests of the data controller, recipient, or a third party, except in cases of mandatory data processing, or if the processing or transmission of personal data is for the purpose of direct marketing, opinion polling, or scientific research, as well as in certain other cases prescribed by relevant legislation. The Service Provider, acting as data controller, shall examine any objection as soon as possible, but no later than within 15 days from the submission of the request, decide if it is justified, and inform the data subject of its decision in writing. If the data controller establishes that the data subject’s objection is justified, it shall terminate or restrict data processing—including any further data collection and transmission—and notify those to whom the data subject’s personal data had previously been transmitted and who are obliged to take action to enforce the data subject’s right to object. If the data subject does not agree with the decision made by the data controller, or if the data controller fails to meet the above deadline, the data subject shall be entitled to appeal to the court within 30 days after notification of the decision or the last day of the deadline.

X. Requesting Judicial Remedy

Legal action against the data controller may be requested by the data subject in case of any violation of its rights, and by the data importer in the cases outlined under Section IX. Court shall expedite proceedings concerning this matter.
The regional court shall have competence to decide such issues. A lawsuit may be initiated before a court with jurisdiction over the data subject’s domicile or residence—as decided by the subject.
If the court upholds the application, the data controller shall be obliged to provide information, correct, delete data, restrict data processing, withdraw decisions made by automated data processing, consider the data subject’s objection, or release data requested by the data recipient.
If the data controller causes harm to another party by unlawfully processing the data subject’s data or breaching data security requirements, the data controller shall be obligated to pay compensation for such damages. If the data controller’s unlawful processing of the data subject’s data or breach of data security requirements violate the data subject’s personal rights, the data subject shall be entitled to claim damages from the data controller. The data controller shall be liable to the data subject for any harm caused by the data processor and shall also be obliged to pay damages for any violation of personal rights by the data processor. The data controller may be exempt from liability for damages and the obligation to pay compensation for such damages if they can prove that the damage or the violation of the data subject’s personal rights was caused by unavoidable external circumstances beyond the scope of data processing. Compensation for damages need not be paid and claims for damages cannot be made if the harm or violation of personal rights in question resulted from intentional or grossly negligent behaviour on the part of the data subject.

XI. Records of Data Processing Activities

As the data controller, the Service Provider shall maintain a record of data processing including the following information:

  • the name and contact information of the Service Provider and its representative;
  • the purpose of data processing;
  • categories of data subjects and categories of personal data processed;
  • categories of recipients involved in data transmissions;
  • dates of deletion for individual data categories.

XII. Data Security Incident

Data security incident shall mean a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access of personal data transmitted, stored, or otherwise processed.

Upon becoming aware of a data security incident, the Service Provider shall be obligated to notify the Authority within 72 hours, in accordance with data protection regulations, including Article 32(3) of the GDPR, in the manner and form, and with the content prescribed by the Authority. If a data security incident is likely to result in high risk to the rights and freedoms of private persons, the Service Provider shall also be obligated to promptly inform the owners of the personal data.

If a data security incident does not result in risk to the rights and freedoms of private persons, the Service Provider may choose not to notify the Authority.

The Service Provider shall maintain a record of any and all data security incidents. Records shall include the date of the incidents, other relevant details and the effects of the incidents, and any corrective measures taken by the Service Provider to remedy the issue.

XIII. Contact Information

Data controller: Petrányi Borterasz Kft.
Registered seat: H-8229 Csopak, Fülemüle utca 2.
Tax number: 14136508-2-19
Phone: +36 30 515 7953
E-mail: info@petranyipince.hu

Hosting service provider
Name: Infosector Kft.
E-mail: support@infosector.hu
Registered seat: H-2013 Pomáz, Kond utca 14.
Tax number: 14280597-2-13
Company registration number: 13-09-119475

Hungarian National Authority for Data Protection and Freedom of Information
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Tel./fax: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu
Web: http://naih.hu

Petrányi Pince boros palackok

Subscribe to our newsletter

Subscribe to the Petrányi Winery newsletter and be the first to know about our latest wine list and events.

Subscription

Opening hours

Opening hours of the Petrányi Winery