On the processing of personal data on Vanguards Websites.
Vanguards Group Zrt. (the “Company” or “Controller”) is processing the personal data of individuals visiting the vanguards.com and nanushka.com websites (the “Vanguards Websites”) in connection with the provision of the functions and services of the sites and with the marketing activities of the Company on Vanguards Websites.
The aim of this privacy notice (the “Privacy Notice”) is to provide you, as the subject of the data processing with information about processing of your personal data and about your data privacy rights in connection with such processing activities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) and according to Act CXII of 2011 on Informational Self-determination and Freedom of Information (the “Data Protection Act”).
The Company conducts data processing activities for various purposes, each of them having different characteristics. The general part of this Privacy Notice serves to provide general information of when the Company processes your personal data. The specific information (purpose of the data processing activity, legal ground of processing, scope of processed personal data, retention time, etc.) relating to each data processing activity is included in annex 1 of this Privacy Notice.
Because the contents of this Privacy Notice may change from time to time, the Company will make sure to notify you whenever such changes take place. Before reviewing the information about a data processing activity and exercising your data privacy rights (see Section 2 below), please always access the up-to-date version of this Privacy Notice, which is always available at
1 DETAILS OF THE DATA CONTROLLER AND THE DATA PROTECTION OFFICER
The controller of the personal data is Vanguards Fashion Group Zártkörűen Működő Részvénytársaság (seat: 1051 Budapest, Dorottya utca 1.; registration number: 01-10-140603).
The contact person designated for managing and responding to inquiries and requests by data subjects is: [email protected]
You may contact the Controller directly via the above contact persons to exercise your data privacy rights.
2 DATA PRIVACY RIGHTS
With any comment, question, complaint and any other request in connection with the processing of your personal data, we encourage you to contact the Controller directly. The Company will give a substantive response to your request without delay, but no later than one month after receipt of your request. If the complexity of your request or the number of requests justifies it, the deadline for replying may be extended by another two months, of which you will be notified by the Controller within the original deadline.
You have certain rights in connection with the processing of your personal data (i.e., data privacy rights), basically determined by the legal basis for processing. In annex 1 you can find a general description of data privacy rights you can exercise, and at the end of each table in annex 1 a more detailed description on whether you are entitled to exercise such rights in the context of the data processing activity concerning your personal data. Please note that the GDPR and in some cases the Data Protection Act, as well as other relevant laws might set further conditions and/or limitations in connection with exercising these rights. Therefore, we advise you to closely study this Privacy Notice, the GDPR and the applicable laws before filing a request. If you need any help in connection with the applicable laws, please get in contact with us via the contact methods indicated in section 1 above.
(a) Withdrawal of consent (subsection (3) of Article 7 of the GDPR)
You have the right to withdraw your consent granted for a specific data processing activity any time. Please note that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.
(b) Access (Article 15 of the GDPR)
You have the right to request confirmation from the Controller as to whether or not personal data concerning you are being processed, and where that is the case, access to the personal data and certain information determined in Article 15 of the GDPR.
(c) Rectification (Article 16 of the GDPR)
You have the right to request the Controller to rectify any inaccurate personal data concerning you without any undue delay. Considering the purpose of the processing, you have the right to have the incomplete personal data completed, including by means of providing a supplementary statement.
(d) Right to erasure (“right to be forgotten”) (Article 17 of the GDPR)
You have the right to request the erasure of your personal data if any of the circumstances set out under Article 17(1) of the GDPR apply. If the exceptions in Article 17(3) of the GDPR do not apply and/or the Controller does not have any legal ground to further process your personal data, then it will execute the request for deletion without undue delay.
(e) Restriction of processing (Article 18 of the GDPR)
You have the right to request the restriction of processing where the grounds determined in Article 18 of the GDPR apply.
(f) Data portability (Article 20 of the GDPR)
You have the right to receive your personal data provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller, if the processing is based on consent [point (a) of Article 6(1) or point (a) of Article 9(2)] or is conducted for the performance of a contract to which You are a party [point (b) of Article 6(1)] and the processing is carried out by automated means. In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
(g) Objection (Article 21 of the GDPR)
If the data processing is based on the legitimate interest of the Controller: You have the right to object (on grounds relating to your particular situation) at any time against processing of your personal data based on legitimate interest, including also profiling. The Controller will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing, which override your interests, rights and freedoms or if the data processing is necessary for the establishment, assertion or defense of legal claims.
If the purpose of the data processing is direct marketing: You have the right at any time to object (on grounds relating to Your particular situation) against processing of your personal data if the purpose of the data processing is direct marketing, including also profiling if it is related to direct marketing. The Controller will no longer process the personal data in case you submit such objection against processing of your personal data for direct marketing purposes.
3 LEGAL REMEDIES
If you deem that your personal data are processed unlawfully and/or any of your data privacy rights have been violated you are entitled to seek the following legal remedies:
(a) You have the right to contact the Controller directly via the contact details in section 1 of this Privacy Notice, and address you concerns beforehand.
(b) You have the right to lodge a complaint with the national supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (seat: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf.: 9.; e-mail: [email protected]; telephone number: +36 (1) 391-1400; web: www.naih.hu)
(c) You are entitled to file a claim with your local court having jurisdiction in the case against the Controller or – in relation to processing activities covered by the scope of activities of the processor – the processor, if you deem that your personal data is processed unlawfully and/or any of your data privacy rights have been violated. Subject to your own decision, the claim can be filed before the court of your home address or place of abode. More information on courts’ jurisdiction and contact details is available at the following website: www.birosag.hu.
4 DATA RETENTION TIMES, EXECUTION OF DATA ERASURE
The retention time of the processing of each personal data is included in annex 1.
Upon expiration of the data processing period, and if the Data Controller decides to delete personal data on its own authority or upon request, the personal data will be irrevocably removed from the server of the Vanguards Websites within 30 days.
5 IMPLEMENTED DATA SECURITY MEASURES
This section contains the general data security measures applied by the Controller. If the Controller applies different data security measures in connection with a given data processing activity, those are described at the given data processing activity in Annex 1.
The Controller handles personal data confidentially and takes all security, technical and organizational measures that guarantee the security of the data. The Controller will ensure the protection of the security of data processing with technical, organizational and organizational measures that provide a level of protection appropriate to the risks related to data processing.
With respect to personal data processed on the Company's servers, the following data security measures are applied:
• Protection against viruses.
• Software firewall.
• Central set of rules to prevent unauthorized access.
• Protection and filtering against spam and malware.
• Daily backup of servers to a geographically isolated location.
• Uninterruptible operation of surge protection systems.
• Restrict external access and protection against external attacks with a physical firewall device.
The Controller also ensures that personal data is accessed only by reasonable personnel within the organization and, if personal data is processed on hard copies, the proper storage and protection of such materials.
6 VERSION DETAILS
The Privacy Notice was issued on 10 December 2021. This text is version 1 of the Privacy Notice.
Annex1 regarding the details of data processing activities on the Vanguards website can be found in the pdf file available here.