Alveola Ltd. (registered office: Gizella u 28/A, HU-1143 Budapest, company registration number: 01-09-567918, registered at Budapest Metropolitan Court as Court of Registration, tax number: 12240911-2-42; ‘Alveola’ ) as data controller, accepts to be bound by the contents of this Privacy Notice and obliges that all its data processing activities performed in connection with the site operated thereby shall comply with the requirements specified in this Notice and in the effective regulation, in particular the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of private persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: ‘GDPR’), as well as with Act CXII of 2011 on Informational Self-determination and the Freedom of Information (Information Act), Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (‘Electronic Commerce Act’), and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (‘Commercial Advertising Act’).
Alveola describes its principles on data processing below, including all expectations that are set for the company as the data controller, and also how it complies with them.
1. THE PURPOSE OF DATA PROCESSING
Alveola maintains an online portal under the address: https://original-aloe-vera.com/ (‘Website’) with the purpose of facilitating contact for persons interested in the products and services of Alveola (‘Sales Leads’) and of providing the opportunity for the Sales Leads to enter their contact data and register in the database created for this purpose (‘Database of Sales Leads’) without obligation to contract (‘Customer Contact’), and to provide information for those visitors of the Website who have specifically given consent (‘Subscribers’) and registered in the database specifically set up for this purpose (‘Newsletter Database’), about any news, discounts, and promotions related to the products and services of Alveola and to send newsletters containing Alveola advertisements in electronic form (‘Direct Marketing’).
For the purposes of our Privacy Notice, the Subscribers, the Sales Leads and any other visitors of our Website are hereinafter collectively referred to as ‘Data Subjects’, while the databases created for such purposes are hereinafter referred to as ‘Databases of Data Subjects’.
Pursuant to section (1) of article 8 of the GDPR, the registration or subscription of Users under the age of 16, or with limited capacity may only be accepted with the consent or authorization of the legal representative or guardian thereof, otherwise, the registration of the minor User or the person with limited capacity may not be accepted by the data controller, and therefore any submitted registrations will be deleted. In such cases, the data controller shall make reasonable efforts to verify if consent is given by the holder of parental responsibility over the child taking into consideration the available technology.
Alveola controls the data stored in the Databases of the Data Subject exclusively in accordance with this Privacy Notice, and will not forward or disclose them to third parties, except when such disclosure or data transfer is required by law, authority or court order, or is specified in this Privacy Notice.
By using the Website or by registering on it, the Data Subjects expressly accept the contents of this Privacy Notice, and voluntarily give their consent to the processing of their personal data as specified in this Privacy Notice.
2. THE LEGAL BASIS OF THE DATA PROCESSING
The legal basis of the processing of data entered by the Data Subjects into the Databases of the Data Subjects is the informed and voluntary consent of the Data Subjects.
In case the personal data was collected under the consent of the Data Subject, the data controller – unless required otherwise by law – may process the collected data for the purpose of compliance with the applicable legal requirements, or for enforcing the legitimate interests of the data controller or that of third parties, provided that such enforcement of interests is in proportion to the limitation of the right to protect personal data, without the need to obtain a separate consent, and even after the User has withdrawn its consent.
3. THE SCOPE OF PERSONAL DATA PROCESSED BY ALVEOLA, DATA TRANSFER AND THE DURATION OF DATA PROCESSING
Alveola declares that since its data processing does not include the processing of personal data specified in article 9 of the GDPR (special category), such personal data will not be processed, and in case such personal data is disclosed, the company will delete them immediately.
3.1. THE DATABASE OF SALES LEADS
Registration into the Database of Sales Leads can be performed via accessing any of our contact methods; after such visit Alveola processes the following information on Sales Leads.
Required data of a Sales Lead:
– e-mail address,
– telephone number.
In addition to the above, Alveola shall process all data provided by the Data Subject during his/her inquiry. The opinion of the Sales Lead on the services of Alveola will in some cases be published on the Website for advertising purposes.
When using the ‘Expert’s Answer’ function, the question of the Sales Lead, as well as his/her personal data provided for this purpose (first name, age) will be published on the Website by Alveola along with the response. In case the Sales Lead chooses not to consent to the disclosure of his/her data, he/she can select the private answer option at the time of submitting the question.
Processing such data is based on the voluntary consent of the Sales Leads in accordance with point a) of section (1) of article 6 of the GDPR, or processing is necessary for the performance of a contract in order to take steps at the request of the Sales Lead prior to entering into a contract, or in case of contacting our service, it is necessary for performing the contract (warranty) in accordance with point b) of section (1) of article 6 of the GDPR. Data provision by the Sales Leads is not required for visiting the Website; therefore, data provision is not a prerequisite of concluding a contract.
3.2. NEWSLETTER DATABASE
You may register into the Newsletter Database available through the Website by submitting your separate consent through the Website, or by filling in other forms to sign up for a newsletter; after a successful application, Alveola will process the following data of the Subscribers:
Required data of the Subscribers:
– e-mail address,
– profession (interests).
The data processing is based on the voluntary consent of the Subscribers in accordance with section (1) of article 6 of the Commercial Advertising Act and point a) of section (1) of article 6 of the GDPR. Data provision by the Subscribers is not required for visiting the Website; therefore, data provision is not a prerequisite of concluding a contract.
3.3. THE DURATION OF DATA PROCESSING
Alveola shall process the data transferred thereto by the Data Subject during any visit to the Website or via any other contact method, for the duration when the purpose of the data processing exists, with the provision that Alveola will automatically delete the Data Subject’s data and the uploaded documents when requested by the Data Subject in accordance with this Privacy Notice’s section on the rights of the Data Subject related to the processing of his/her data and on the available legal remedies.
3.4. INFORMATION ON VISITORS, USE OF ‘COOKIES’
While visiting the Website, small data files, so-called ‘cookies’ are installed on the IT device of the Data Subject.
The Website uses the following types of cookies by Google Analytics: ‘utma’, ‘utmb’, ‘utmc’, ‘utmt’, ‘utmz’ (for further information on the cookies used by Google Analytics on the Website please visit here).
The above listed cookies are used in order to collect the following statistical data regarding visits to and traffic on the Website, collected for this purpose:
– the search engine, keyword or link used by the Data Subject to access the Website (‘utmz’ cookie),
– the number of visits when the Data Subject visited the website (‘utmb’ cookie),
– the duration while the Data Subject was visiting the Website (‘utma’ cookie),
– the date when the Data Subject visited the Website (‘utmc’ cookie).
In addition to the above, some cookies serve as protection against the overload of the website (‘utmt’ cookie), and other cookies used by Google Analytics also record for analytical, statistical and security purposes the IP address used by the Data Subject. Data is stored on the Data Subject’s device.
The independent measuring and auditing of Website traffic and other web analytics is supported by the Google Analytics servers as external service provider assisted by the above listed cookies. Detailed information is available on the processing of such measurement data at: www.google-analytics.com by the data controller of these data; further information on the privacy principles of Google is available here.
Data to be transmitted from the Website to the servers of Google Analytics are not suitable for identifying the identity of the User directly, only the IP address of the IT device can be identified in this way.
The installed cookie helps to have advertisements related to the products and services of Alveola displayed for the Data Subject, and later also on other websites within the network of Google Display or on Facebook.
4. THE DATA OF ALVEOLA AS DATA CONTROLLER, PERSONS ENTITLED TO PROCESS DATA
Name: Alveola Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Represented by: Tamás Szóráth, Managing Director
Address: Gizella u. 28/A, HU-1143 Budapest
Company registration number: 01-09-567918
Tax number: 12240911-2-42
With respect to the data provided by the Data Subjects in connection with the Website, those representatives and employees of Alveola are authorized to perform data processing, whose job or work responsibilities are related to fulfilling any purposes of such data processing.
5. THE METHOD OF STORING PERSONAL DATA, DATA PROCESSORS
The servers of the Website are located at the registered office (Faludi u. 3, HU-1138 Budapest) of DotinDot Solutions Kft.
Please note that your data are also processed electronically, in online databases. The technical background of the databases is provided by Alveola in cooperation with the following service providers acting as data processors:
- Wanadis Kft. (Privacy Notice), as the service provider of sending newsletters;
- ITelligence Hungary Kft. (Privacy Notice) as a partner in supporting and developing the corporate management system;
- Google Inc. (Privacy Notice) as the service provider of the product analysis system of Google Analytics; and
- Facebook Inc. (Privacy Notice), as the service provider of the Facebook Custom Audiences advertising platform.
The data processors warrant that data controlling and data processing are performed in full compliance with the provisions of effective data protection regulations, and the data controller takes all necessary measures to ensure data security and data protection, and furthermore, it complies with all the legal requirements on data security relevant for the data processing and data controlling activities performed by the data controller.
6. THE SECURITY OF DATA PROCESSING
Taking into account the state of the art features of science and technology, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the data controller and the data processor shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
The data controller and the data processor implement appropriate technical and organizational measures to ensure that, by default, only such personal data are processed that are necessary for the purposes of the specific data processing. In this respect, the quantity of the collected personal data must be particularly taken into account, as well as the extent of processing, the duration of storage and accessibility. These measures should in particular ensure that, by default, personal data may not be accessible for an indefinite number of persons without the intervention of the natural person.
7. THE DATA PROTECTION OFFICER
Pursuant to section (1) of article 37 of the GDPR, the data controller shall designate a data protection officer, in case the core activities of the data controller consist of such processing operations, which by virtue of their nature, their scope and/or their purposes require regular and systematic monitoring of data subjects on a large scale; or the core activities of the data controller consist of processing on a large scale of special categories of data pursuant to articles 9 and 10.
Alveola informs all Data Subjects that it does not process any data specified in articles 9 and 10 of the GDPR, and that the data controller’s core activity covers operating the User Database and the Newsletter Database. These activities do not require the regular monitoring of data subjects on a large scale.
With respect to all of these reasons, Alveola as data controller does not designate a data protection officer, however, this decision will be reviewed in each calendar year based on the current state of data processing.
8. REPORTING PERSONAL DATA BREACH, INFORMING THE CONCERNED DATA SUBJECT
Alveola shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Alveola shall communicate the personal data breach to the Data Subjects without undue delay.
The communication provided for the data subject by Alveola shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in section (2) of article 34 of the GDPR.
Alveola is not obliged to inform the Data Subject on the personal data breach if any of the following conditions are met:
- the data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access them;
- the data controller took subsequent measures following the personal data breach which ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize;
- providing the information would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
9. RIGHTS AND LEGAL REMEDIES AVAILABLE FOR THE DATA SUBJECTS IN CONNECTION WITH DATA PROCESSING
In accordance with articles 12-22 of the GDPR, Data Subjects are entitled to the right of access and to the right to information; accordingly, Alveola is obliged to inform the Data Subject under its rights provided by the GDPR on the personal data breach and on the information included in articles 13 and 15 of the GDPR; furthermore, the Data Subject has the right to data portability, rectification, erasure, and to protest. Accordingly, the data controller provides information to the Data Subject on the processing of his/her personal data, including the data of the Data Subject, or the data processed by the data controller or by the data processor appointed by the data controller, as well as on the source of the data, the purpose, duration and legal basis of data processing, on the name and address of the data processor and its activity related to data processing, on the circumstances and effects of personal data breach, and on the measures taken to eliminate them (if any), furthermore in case the personal data of the Data Subject are transferred on the legal basis and the recipient of the data transfer; furthermore, the data controller shall correct, delete or block the personal data provided by the Data Subject (the Data Subject may also delete his/her data using the method indicated during registration, or may request such deletion through the customer service of the data controller).
Information on rights
In order to comply with the above, the data controller takes measures to provide each information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular, in case of any information being addressed specifically to a child. The information must be provided in writing or otherwise including electronic means where appropriate. At the request of the Data Subject, verbal information may also be provided, in case the identity of the Data Subject is verified.
The data controller shall facilitate for the Data Subjects to exercise their rights. The data controller shall, without undue delay, but in any event within one month following the receipt of the request, inform the Data Subject about the measures determined in respect of the request made according to articles 15-22 of the GDPR.
Such deadline may be extended by two months if necessary, taking into account the complexity of the request and the number of requests. The Data Subject will be notified of any extension of the deadline by the data controller within one month after the request is received, indicating the reason for the extension.
If no such actions are taken, the data controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility available for the Data Subject to lodge a complaint with a supervisory authority and seek judicial remedy.
The data controller shall provide the information specified in article 13 of the GDPR, as well as the above described communication and action free of charge. Where the request of the Data Subject is manifestly unfounded or excessive, in particular because of its repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act upon the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Information and access to personal data
At the time of collecting the personal data, the data controller shall make the information included in sections (1) – (2) of article 13 of the GDPR available for the Data Subject.
The Data Subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, he/she has the right to access the personal data, as well as the information included in sections (1) – (2) of article 15 of the GDPR (right of access by the data subject).
Upon request, the data controller shall provide the Data Subject with one copy of the processed personal data. The Data Subject may be charged a reasonable administration fee for any additional copies by the data controller. If the Data Subject submitted the request electronically, the requested information shall be made available in widely used electronic format, unless the Data Subject expressly requested otherwise.
Right to data portability
Pursuant to article 20 of the GDPR, the Data Subject is entitled to receive the personal data related to him/her that were provided by him/her to the data controller, in a structured, commonly used and machine-readable format and also has the right to transmit those data to another data controller (right to data portability).
Right to rectification, erasure and protest
The Data Subject may at any time withdraw his/her consent to data processing, without providing any reasons. Pursuant to articles 16-18 of the GDPR, the Data Subject has the right to rectification, erasure (deletion) and restriction of data processing.
Accordingly, the Data Subject has the right to request the data controller to erase his/her personal data without undue delay, and the data controller is required to erase the personal data of the Data Subject without undue delay if such personal data are no longer necessary for the purpose they were collected; in accordance with point a) of section (1) of article 6 of the GDPR, the Data Subject withdraws its consent that serves as basis for the data processing and there is no other legal basis for the data processing; the Data Subject protests against the processing of his/her data, and there is no priority legal basis for the data processing; the personal data were processed illegally; or if the personal data must be erased in order to comply with the legal obligation required by EU or by the Hungarian legislation.
Furthermore, pursuant to article 21 of the GDPR, the Data Subject has the right to protest against the processing of the personal data provided by him/her. Therefore, the Data Subject has the right to object on grounds relating to his/her particular situation at any time to the processing of his/her personal data.
In case the Data Subject protested, the data controller may not continue to process the personal data, except where the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or are needed for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes (for example sending newsletters), the Data Subject has the right to object at any time to the processing of the personal data concerning him/her for such purposes.
Right to judicial remedy
The Data Subject may indicate to Alveola his/her requests or comments in connection with the above using the e-mail address: email@example.com, or postal address: Gizella u. 28/A, HU-1143 Budapest.
In the course of exercising his/her rights related to the processing of the personal data of the Data Subject, in case his/her request or communication submitted to the data controller is rejected, or in case such request is not fulfilled, the Data Subject pursuant to the contents of the GDPR and the Information Act may appeal to the National Data Protection and Freedom of Information Authority (NAIH), or to the court.
In addition, the Data Subject has the right to an effective judicial remedy where his/her rights have been infringed as a result of the processing of his/her personal data, in order to receive compensation for damage caused by the illegal processing of his/her data, or by infringing the requirements of data security, as well as in order to claim compensation for damages for infringing his/her privacy rights caused by the illegal processing of personal data or by violating data security requirements, in accordance with articles 77-82 of the GDPR.
The Data Subject is entitled to all the rights, legal remedies and other options for actions provided in regulations, in the GDPR and in the Information Act.