legal & privacy
DATA PROTECTION STATEMENT AND PRIVACY POLICY
1. The Controller
Name: Sagio Fashion Kft.
Seat: 1068 Budapest, Városligeti fasor 34-36.
Tax number: 32469361-2-42
Trade register number: 01 09 425769
E-mail: info@thesagio.com
Website: https://www.thesagio.com/
2. Data protection statement
This Data Protection Statement and Privacy Policy (hereinafter referred to as: the Privacy Policy) contains information on data protection regarding data processing in connection with Sagio Fashion Kft.’s (hereinafter referred to as: the Controller) website www.thesagio.com of, and also in connection with communication, entering into and fulfilling contracts with clients.
When using our website, or ordering our products you provide us with your personal data. We shall process such data with utmost care and in compliance with the legal regulations, and try to serve your claims and expectations regarding data processing. When processing data, we always exercise due diligence and protect the data from unauthorised access. This is a priority to us.
The most important legal regulations regarding our data processing activities:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR, hereinafter referred to as: the Regulation)
- Act CXII of 2011 on the right to informational self-determination and on the freedom of information (Privacy Act)
- Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity
This Policy aims at providing information to persons using our services or visiting our website on their rights and obligations concerning data transfer, processing, and data protection; on the data we process, the principles, methods, purposes, legal basis and period of processing.
3. Definitions
personal data means any information relating to an identified or identifiable natural person;
data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
transfers of personal data: disclosing personal data to a specified third party. Transfers to EEA Member States or to bodies of the European Union shall be considered as transfers within the territory of Hungary;
data erasure: making the data unrecognisable by deletion of content or by any other means that enables an equivalent result;
third country: Not EEA countries;
NAIH: Hungarian National Authority for Data Protection and Freedom of Information.
4. Principles relating to processing of personal data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
As Controller, we are responsible for compliance with these principles (‘accountability’).
5. Processed data
5.1 Communication
Data subjects: the natural person contacting the controller in order to communicate
The purposes of the processing: sending reply, communication
Type of data
Legal basis
Retention period
name GDPR point a) of Article 6 (1)
Consent
Until consent is withdrawn
e-mail address
Processing:
If you have provided us with your contacts via e-mail, or using the contact form on our website, we shall use your contact information to communicate with you, make an appointment, or to provide other services.
Providing such data is optional, however, we will not be able to communicate with you unless you provide us with the data. You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
5.2 Registration
Data subjects: the natural person registering on the controller’s website
The purposes of the processing: operating the Data subject’s account
Type of data
Legal basis
Retention period
name
GDPR point a) of Article 6 (1)
Consent
Until consent is withdrawn
e-mail address
password
Processing:
Purchases on our website are also possible with registration. To create an account, we only ask for personal data that is necessary for maintaining contact and completing the order.
We will send feedback about the registration by e-mail to the specified e-mail address.
Providing such data is optional, however, in the absence of them, the user account cannot be created.
You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
5.3 Placing an order
Data subjects: the natural person purchasing a product from the Controller, using Controller’s website.
The purposes of the processing: presenting an offer, entering into a contract, fulfilling the order
Type of data
Legal basis
Retention period
name
GDPR point a) of Article 6 (1) (consent)
Five years after the termination of the contractual relationship.
e-mail address
phone number
address
invoicing data
Processing:
We use and process personal data received with the order, provided by the client, exclusively for the purposes of fulfilling the order, identification, and communication.
Providing the data is optional in such cases; however, it is necessary to acquire personal data suitable for identification and communication in order to enter into contract or agreement.
You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
5.4 Shipping
Data subjects: the natural person purchasing a product from the Controller, using Controller’s website.
The purposes of the processing: delivery.
Type of data
Legal basis
Retention period
name
GDPR point a) of Article 6 (1)
(consent)
Five years after the termination of the contractual relationship
phone number
shipping address
Processing:
For shipping the orders, we use the personal data provided. When a third party shipping service provider is responsible for shipping, we disclose the data necessary for shipping to them.
You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
5.5 Invoicing process
Data subjects: Customers.
The purposes of the processing: handling of the accounting documents as per the Act on Accounting.
Type of data
Legal basis
Retention period
name
GDPR point c) of Article 6 (1)
(compliance with a legal obligation)
Eight plus one years after the termination of the contractual relationship
address
Processing:
When issued for natural persons, the accounting documents may contain personal data. We retain such documents in accordance with the provisions of the Act on Accounting.
The relevant legal regulations state that it is compulsory to provide the personal data. The invoice is not valid otherwise.
In the event of an audit, the data shall be disclosed to the competent authorities (the National Tax and Customs Administration).
5.6 Subscribing to newsletter
Data subjects: natural persons who subscribe to our newsletter.
The purposes of the processing: sending newsletter
Type of data
Legal basis
Retention period
e-mail address
GDPR point a) of Article 6 (1) (consent)
Until the withdrawal of consent
Processing:
When visiting our website you may subscribe to our newsletter, which we shall later use to inform our subscribers on what’s new, our special offers and other news.
Providing such data is optional, however, we cannot send the newsletter to the Data Subject without such data.
The Data Subject may withdraw consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
5.7 Social media
When the user decides to like or follow the Controller’s social media site, the Controller may also acquire the following data of the user: profile name, profile’s URL, profile identifier, profile picture, address stated, gender, birthday, introduction. In relation to the personal data provided by the visitors on social media sites, it is the operator of the Social Media site who is considered the Controller, and the operator’s terms on data protection and services shall apply.
5.8 Cookies
Our website (www.thesagio.com) uses cookies to improve your user experience, and to help us understand better how you use our website.
Upon your first visit to our website, we offer you detailed information and configuration options for the cookies we use.
5.8.1 The purpose of cookies
- to collect data on visitors and their devices;
- to remember the visitor’s preferences, such as language;
- to make the website easier to use;
- to provide quality user experience.
In order to tailor the services to the user’s needs, a small data package, called cookie is placed on the visitor’s computer, and the cookie is sent back upon later visits. If the browser sends back a cookie previously saved, the provider processing the cookie may connect the visitor’s current visit to earlier visits, but exclusively in relation to its own contents.
5.8.2 Strictly necessary, session cookies
These cookies ensure that visitors can fully browse edelholz.hu without any problems, use the website’s functions and services. Such cookies last for a session (browsing) and are deleted automatically from the computer or other devices you use to browse as soon as you close your browser.
Purposes: to store the user’s status during browsing the website.
5.8.3 Third-party cookies (statistics and marketing)
These cookies use the data to improve the website and the user experience. These cookies too are set in the browser on the visitor’s computer or other device used for browsing until they expire or the visitor deletes them. Personal data are not transferred to the third party.
5.8.4 Rejecting cookies
You may delete cookies set by edelholz.hu or a third party on your device using your browser. Please refer to your browser’s Help menu for detailed instructions. You may also use your browser to block cookies or request reminders every time your browser receives new cookies. Blocking cookies may technically interfere with your use of the website.
6. Data security
We are ensuring appropriate level of security concerning the personal data processed by implementing technical and organisational measures and developing processes.
We are protecting the data against access by unauthorised persons, modification, transferring, disclosing, deleting or destruction, accidental destruction and damages, and becoming inaccessible due to changes in the technology used.
Only associates of ours who need to access personal data to perform their tasks are allowed to gain access.
In order to ensure data security
- we assess and take into consideration all possible risks when designing and operating our information technology system and try to continuously reduce such risks;
- we monitor upcoming threats and vulnerability (e.g. computer viruses, computer intruders, denial-of-service attacks etc.) in order to be able to react and avoid or prevent them;
- we protect both IT devices and information stored on paper against unauthorised physical access and environmental effects/impacts (e.g. water, fire, electric overvoltage);
- we monitor our information technology system to discover possible problems and events;
- it is our priority to choose providers involved in operation based on their reliability.
7. Data transfer and disclosure
We transfer or disclose the personal data of natural persons using our services or website only to our partners and processors stated below and in section 5, and to authorities upon request.
We always make written agreements containing the details of data processing with the partners and processors involved in our data processing activities.
We work with the following data processors:
- UPS Magyarország Kft. – delivery
- Shopify International Ltd. – hosting service provider
- Sendinblue SAS (Brevo) – newsletter
- Kboss Kft. (számlázz.hu) – invoicing
8. The rights of data subjects
8.1 Right to information
The data subject shall have the right to receive information prior to processing of personal data in a transparent, intelligible, clear and easily accessible form in writing from the Controller. The Controller shall provide the information latest when personal data are obtained.
Where the Controller intends to process the personal data for a purpose other than that for which they were collected, the Controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.
8.2 Right of access
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- a) the purposes of the processing;
- b) the categories of personal data concerned;
- c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- e) the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- f) the right to lodge a complaint with a supervisory authority;
- g) where the personal data are not collected from the data subject, any available information as to their source;
- h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
8.3 Right to rectification
The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.4 Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- b) the data subject withdraws consent on which processing is based, and where there is no other legal ground for the processing;
- c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
- d) the personal data have been unlawfully processed;
- e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- f) the personal data have been collected in relation to the offer of information society services.
Where the Controller has made the personal data public and is obliged pursuant to the points above to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that the data subject has requested the erasure by such Controllers of any links to, or copy or replication of, those personal data.
The points stated above shall not apply to the extent that processing is necessary:
- a) for exercising the right of freedom of expression and information;
- b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- c) for reasons of public interest in the area of public health;
- d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- e) for the establishment, exercise or defence of legal claims .
8.5 Right to restriction of processing
The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
- a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
- b) the processing is unlawful and the data subject opposes the erasure of personal data and requests the restriction of their use instead;
- c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
- d) the data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject.
When processing has been restricted in accordance with the points above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.
8.6 Right to notification regarding rectification or erasure of personal data or restriction of processing
The data subject has the right to request from the Controller information about the recipients to whom the personal data have been disclosed. The Controller shall be obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
8.7 Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where:
- a) the processing is based on consent or on a contract; and
- b) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Exercising the data subject’s right to data portability shall not adversely affect the rights and freedoms of others. Should that be the case, the Controller shall comply with the right of the data subject to data portability without disclosing the personal data supported by that fact, while informing the subject in details.
8.8 Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or for the purposes of the legitimate interest pursued by the Controller or by a third party, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
8.9 Automated decision-making, profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply if the decision:
- a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- c) is based on the data subject’s explicit consent.
In the cases referred to in points a) and c), the data Controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
8.10 Right to communication of a personal data breach to the data subject
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject.
8.11 The data subject’s right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy.
Supervisory authority of Hungary as Member State:
Nemzeti Adatvédelmi és Információszabadság Hatóság [Hungarian National Authority for Data Protection and Freedom of Information] (postal address: 1363 Budapest, Pf. 9., seat: 1055 Budapest, Falk Miksa utca 9-11., website: www.naih.hu, phone number: 06-1-391-1400, e-mail address: ugyfelszolgalat@naih.hu).
8.12 Right to an effective judicial remedy against a supervisory authority
Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
The data subjects involved may exercise these rights in writing, using our contact information provided below, or, upon prior consultation, in person. We are doing our best to reply to each request as soon as possible, but within 15 workdays the latest.
Contact us to exercise your rights (see contact information in section 1.)
We are not giving out information concerning personal data via the phone, as we cannot identify the caller.
Controller reserves the right to modify this Privacy Policy. Any changes will always be published on the website.