Privacy Policy Fagnes Fragrant Space Ltd. (Seat: Hungary, 1054 Budapest, 8. Honvéd street, Registration no.: 01-09-303077; Tax no.: 26122117-2-41), the Data Controller. PREAMBLE, LEGALITY OF DATA PROCESSING The Data Controller declares that it processes personal data in accordance with the Fundamental Law of Hungary, Act 112 of 2011 on Informational Self-determination and Freedom of Information and Regulation (EU) no. 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”). The Data Controller respects the personal data of its employees, clients, contractual partners, furthermore of the visitors of the https://www.anitatoth.com/. It shall treat and process all data and facts that come to its knowledge as confidential and such data is processed solely on the basis of performance of a contract, legal obligation, its own legal interest with respect to the data subject’s interests and their consent based on prior information. PRINCIPLES OF DATA PROCESSING The processing of personal data is carried out by the Data Controller by following the below principles at all times: Personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject.The principle of purpose limitation shall govern data processing, and the processing of personal data shall be compatible and relevant with its purpose, furthermore it shall be necessary for such purposes.Data processing shall be accurate and, where necessary, kept up to date. The Data Controller shall make every reasonable step to ensure that inaccurate personal data is erased or rectified without delay.Personal data are stored in a limited manner until the purpose of their processing has been met.It ensures appropriate security of personal data against unauthorised or unlawful processing and accidental loss, destruction or damage.Personal data are processed solely for the purpose and in the manner specified in present Privacy Policy, in order to exercise the rights and fulfil the obligations specified herein. The Data Controller declares that it meets these objectives during all stages of data processing.The Data Controller only processes personal data that is essential for the realization of the purpose of data processing; suitable for the achievement of these purposes and only to the extent and time necessary for the realization of the purpose.It uses appropriate technical or organisational measures in order to ensure the appropriate security of personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. INFORMATION PROVIDED TO DATA SUBJECTS By the issuance of present Privacy Policy, the Data Controller makes adequate steps in order to ensure that the information addressed to the data subjects is handed over in a way that is concise, easily accessible and easy to understand in a clean and plain language. The partners aiding the work of the Data Controller(s) and Data Processor(s) are bound by the obligation of confidentiality with regard to the personal data of the data subjects. DEFINITIONS data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; Data Controller regarding present Privacy Policy: Data Controller: Name: Fagnes Fragrant Space Ltd. Seat: Hungary, 1054 Budapest, 8. Honvéd street Registration number: 01-09-303077 Tax number: 26122117-2-41 Manager: Ágnes Ferőszögi Website: https://en.fagnes.hu and https://www.fagnes.hu Email address: info@fagnes.hu Mobile: +36 30 641 2797 processing: the execution of the technical tasks relating to data processing, regardless of the used technique and instrument, or the place of processing, where the technical task is performed on personal data. data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; Data processor regarding present Privacy Policy: As accountant: PONDERA-AUDIT Gazdasági Tanácsadó Korlátolt Felelősségű Társaság (Seat: 1223 Budapest, Babarózsa köz 3., Reg.No.:01 09 892146, Tax number:14171970-2-43) As hosting provider: WebHostIcon Kereskedelmi és Szolgáltató Betéti Társaság (Seat:1081 Budapest, Légszesz u. 4. 1. em. 5., Reg.No.:01 06 780150, Tax number:22558855-2-42) destruction of data: the total physical destruction of the data medium on which the data are stored; erasure of data: making data unrecognizable in such a way that their recovery is no longer possible; transfer of data: making the data available to certain third parties; According to present Privacy Policy the Data Controller transfers data on the grounds of employment-health reasons: Barion Payment Zrt.: H-EN-I-1064/2013. (Seat: 1117 Budapest, Infopark sétány 1., Reg.No.:01 10 048552, Tax number:25353192-2-43) Csomagpont Logisztika Kft. (Seat: 1067 Budapest, Szondi utca 15. pinceszint, Reg.No.:01 09 340159, Tax number:26704058-2-42) personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; consent: a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her,such as by a written statement, including by electronic means, or an oral statement; Information Act: Act CXII of 2011 on Informational Self-determination and Freedom of Information; personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; objection: the declaration of the data subject in which he/she objects to the processing of his/her personal data, and demands the termination or erasure of his/her processed data; THE DATA CONTROLLER PROCESSES YOUR PERSONAL DATA UNDER THE FOLLOWING RIGHTS AND PURPOSES: Data processing based on the performance of a contract [GDPR Article 6 Section 1 paragraph b] As part of the performance of a contract, the Data Controller processes the personal data of natural persons for the following purposes. Personal data of employees: name; birth name; place and date of birth; mother’s maiden name; qualification; address; phone number; e-mail address; name of financial institution and account number; specimen signature Personal data of clients and contractual partners: name/company name; address; shipping address; name of contact person; phone number; e-mail address The purpose of data processing is to enter into the relevant written contracts, fulfil contractual obligations and to provide contact details. The Data Controller stores the provided personal data in a written form at its branch office, electronically in its electronic database and online in the database of its websites. It handles personal data from the conclusion of the contract until the existence of the contractual relationship or the expiry of the contractual relationship. The personal data of employees is not transferred and their personal data of clients are transferred to the shipping company in order to fulfil contractual obligations. In this regard, the Data Controller declares, that the shipping company is an independent data controller the privacy policy of whom may be found on its website https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat. Data processing based on compliance with a legal obligation [GDPR Article 6 Section 1 paragraph c] The following personal data of employees are processed and may be processed by the Data Controller based on the obligations set forth by the Labour Code on persons entitled to social security benefits and private pensions and the coverage of such services, the Act on social security pensions, the Act on personal income tax and the Act on taxation and judicial enforcement. name; birth name; place and date of birth; mother’s maiden name; social security number; tax number; address; personal data on tax reduction; personal data on enforcement; The purpose of data processing of employee’s data is to fulfil the obligation to pay contributions and annuities, to deduct the tax advances and to prepare personal tax returns in accordance with the needs of the employer and to perform any possible mandatory enforcement procedures. The Data Controller stores the provided personal data in a written form at its branch office and electronically in its electronic database and online in the database of its websites from their registration until the expiry of employment claims. The mandatory time for securing such data is indicated in the specific applicable law(s). The Data Controller does not transfer the registered data. It processes the following personal data of clients and contractual partners in accordance with the legal regulations on accounting, value added tax and the procedure of taxation: name/company name; address/seat; tax number The purpose of processing the data of clients and contractual partners is to issue invoices for purchases and performances. The Data Controller stores the provided personal data electronically in its database and online in the database of its websites, furthermore it transfers them to the Data Processor mandated with the preparation of accounting and payroll tasks. It issues invoices of purchases via an online invoicing program. The Data Controller processes the issued invoices with the data content on them until the expiry of the accounting period of the given invoice. Data processing based on consent [GDPR Article 6 Section 1 paragraph a) The personal data of employees applying for work at the Data Controller are processed based on consent after having received prior information: name; birth name; place and date of birth; mother’s maiden name; qualification; address; phone number; e-mail address Data processing is carried out for the purpose of later employment following selection. The provided personal data are stored in a written form at the branch office of the Data Controllers and in the electronic database of the Data Controller. Data processing is performed from the provision of data until the end of the selection process. Following the end of the selection process and until the revocation of consent it handles the data of candidates until filling vacant positions. The Data Controller does not transfer such data. Persons enquiring may send messages to the Data Controller using the contact section of the https://anitatoth.com/ website. In such cases, the personal data of enquirers are processed: name; phone number; e-mail address The provided personal data are stored in the electronic database of the Data Controller. The personal data provided for the purpose of contact is stored until the purpose of contact is fulfilled but not longer than a maximum of 1 year. The Data Controller does not transfer personal data processed for such purposes. On the Data Controller’s website https://en.fagnes.hu the data subjects have the opportunity to subscribe to the Data Controller’s newsletter in addition to their voluntary decision based on prior information. In such cases, the following personal data of subscribers is processed: name; e-mail address Data subjects can find important information about the Data Controller’s products and services concerning them from the Data Controller’s newsletter. The Data Controller gives the data subjects the opportunity to unsubscribe from the newsletter at any time. The Data Controller stores the personal data of the subjects in the electronic database of its website until they unsubscribe, furthermore it does not transfer such data. Data processing based on legitimate interest [GDPR Article 6 Section 1 paragraph f) RIGHTS OF DATA SUBJECTS AND THEIR ASSERTION Information about the Data Controller, the Data Processor, the processed data, the purpose of processing, the rights and the options for asserting of rights of data subjects, are provided for the data subjects in the Privacy Policy issued. a) right of access ~ during the data processing, the data subject is entitled to access all data stored about him/her, and to be informed about the purpose, legal basis, storage and the duration of storage of his/her data. The right to information covers the rectification, erasure and restriction of processing concerning the processed data, and the option to file a complaint to the supervisory authority. Fulfilment of the request of the data subject to exercise his/her rights shall not be denied, unless it may be demonstrated that the data subject shall not be identified. For any further hard-copies requested by the data subject, we may charge a reasonable fee based on administrative costs. b) right to rectification ~ the data subject is entitled to ask from the Data Controller to have any of the data subject’s data that may be incorrect or incomplete, rectified. c) right to erasure (”right to be forgotten”) ~ Erasing of the data by the Data Controller upon the request of the data subject, but this does not mean a general obligation for the Data Controller. The data subject is entitled to have his/her data to be erased (forgotten), where at least one of the following conditions applies: (i). the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed; (ii). the data subject has withdrawn his or her consent to the processing of personal data concerning him or her, and the data processing does not have other legal basis; (iii). the data subject objects to the processing of personal data concerning him/her, and there is no other prioritized reason for the data processing; (iv). the data processing was unlawful; (v). the data needs to be erased under applicable legislative duties of the Data Controller. Following the termination of the legal basis for the data processing, including the case in which the data subject withdraws his/her consent to the processing of personal data, any personal data processed by the data controller shall be erased within a short period of time. d) right to blocking of data ~ Instead of erasure, the Data Controller shall block the personal data upon the data subject’s request, if based on the available evidence it can be assumed that the erasure would infringe the rightful interests of the data subject Personal data blocked this way shall only be processed until the purpose prohibiting the erasure of the data, stands. e) right to restriction of processing ~ if the accuracy, lawfulness, or necessity of processing concerning the personal data is contested by the data subject, or if the data subject objects to the processing of personal data, the data subject is entitled to obtain from the Data Controller restriction of processing, concerning his/her data. f) right to obtain a copy of personal data ~ the data subject is entitled to obtain from the data controller a digital copy (pdf, doc, excel, txt) of the personal data undergoing processing, in order for the data to be provided to another data controller. g) right to object ~ where personal data are processed for the exercise of rights of the controller or any third parties; and where personal data are processed or forwarded for direct marketing or statistical purposes, scientific or historical research, and in the cases and under the conditions provided for by law, the data subject is entitled to object at any time to the processing of personal data concerning him or her. The objection shall be without delay, and no later than 15 days examined,the objection’s merits be decided, andthe objector be informed about the decision. USE OF DATA It shall be considered use of data if the personal data are used as evidence in a court process or in other processes before an authority. The person whose rights or rightful interests are concerned by the storing of data, along with proving his/her right or rightful interest, may request within 3 (three) working days from the storing of his/her data, for the data to not be erased or destroyed by the Data Controller. Upon request from a court or other authority, the personal data shall be immediately sent to the requesting court or authority. If no official request arrives within 30 (thirty) days from the day of the request for the data to not be erased or destroyed, the stored picture and/or sound recording, and other personal data shall be erased or otherwise destroyed. DATA TRANSFER Personal data may only be transferred to third parties with the prior written consent of the data subject. The Data Controller shall inform the data subjects about the data processors and other recipients of data transfer in chapter I. of the Privacy Policy. (see: Chapter I. section 7.) The Data Controller in order to fulfil its contractual obligations, shall keep contact with the recipients of data transfer specified in chapter I. section 7. The Data Controller in order to fulfil its contractual obligations shall transfer the personal data of the Data Subjects (Customers) to the recipients. The Data Controller, at the time of- and after concluding the legal relationship relating to data transfer, expects from its data processor partners that during the processing of personal data they shall act in accordance with the provisions of the Info Act, GDPR and the applicable data protection laws and regulations. The recipients of the data transfer shall undertake the principle of data minimisation. The Data Controller shall ask for a separate, express consent of the data subjects in case it plans to transfer data outside the EEA. Both the information given to the data subject and the consent shall cover the exact name and address or company name and seat of the data processor, the transferred data, the exact geographical location of the storage and processing of data. The Data Controller in order to monitor the lawfulness of the data transfer, and in order to keep the data subjects informed, shall keep a record of the major and high risk data transfers, which shall contain the date of the transfer of the processed personal data, the purpose and recipient of the data transfer, the exact list of the transferred data, and other information about the data processing provided for by law. ACCESSING THE DATA Only those persons shall have a right to access the personal data of the Data Subjects processed by Data Controller, who need it for the assertion of their rights. The name of the data controller, or other persons entitled to access the data, the purpose and date of the access shall be registered in a record. DATA SECURITY The data shall be protected by adequate means especially against unauthorised access, modification, transfer, disclosure, erasure or destruction and accidental destruction or damage, and against inaccessibility resulting from the change of the technology used for access. The Data Controller and the Data Processor shall consider the present state of technology at the time of taking actions regarding data security. The Data Controller has drafted a data breach policy for data breaches, which contains the possibilities of reporting the data breach and the persons responsible for preventing data breaches, and also the relevant deadlines. The Data Controller shall keep record of all data breaches. Upon infringement of their rights, the data subjects may contact the Hungarian National Authority for Data Protection and Freedom of Information (seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.; telephone: +36 (1) 391-1400, fax: +36 (1) 394-1410, e-mail: ugyfelszolgalat@naih.hu ) and they are also entitled to enforce their rights before the competent courts. The Data Controller shall be obliged to repair any and all damages caused by unlawful data processing, or by the violation of the obligation regarding data security. In the event that the Data Controller violates the rights relating to personality of the Data Subject, the Data Subject shall be entitled to claim restitution. The Data Controller may use any personal data lawfully processed in order to prevent legal disputes between the parties, and also during any meetings, hearings, and official proceedings as well. DATA PROCESSING REGARDING DATA CONTROLLER’S WEBSITE On the Data Controller’s website, all information and content can be accessed without providing any personal data The website operated by the Data Controller uses so-called cookies: Necessary cookies – which serve the base functions (WordPress); • Functional cookies – which save user preferences (Woocommerce, Cooke banner); The number of views and other web analytic data regarding the website are being calculated and audited by third-party service providers, like Google Analytics; Google TagManager. The cookies used on the website store the data subjects’ unique internet protocol address (IP address) – as a personal data. The website may contain links or icons to other, third-party websites. Such third-party service providers include Facebook and Instagram. These websites may also use cookies, of which further information may be found on their respective websites. The Data Controller shall not investigate third-party websites and hereby excludes its liability for any content found thereon. The Data Controller hereby informs its users (data subjects) that the cookies used on the websites require the preliminary acceptance by the user (data subject) according to section (4) paragraph 155 of Act 100 of 2003 on electronic newsfeed. Therefore upon the first visit of the website, a pop-up window shall appear on the upper part of the monitor regarding the website’s use of cookies, and also a link shall appear which points to present policy. The user (data subject) may accept the use of cookies by clicking the “I accept” button. The purpose of processing the data stored in cookies is the improvement of the user experience and the online services of the website. The cookies used by the website do not store any data which would be able to identify the user (data subject). In the event that You do not approve of the use of certain types of cookies, you have the option to set up your web browser in a way for it to disallow the use of unique identification data, or to notify you whenever a website is attempting to use cookies. In case you wish to know more about these functions or wish to set your cookie preferences, please refer to the instructions or help-desk of your web browser, or you may also freely toggle the cookies of each service providers on the following link (in Hungarian): http://www.youronlinechoices.com/hu/ad-choices. For more information about cookies, see the following link: https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=en Effective from: February 2021.